NZ regulator releases cyber resilience guide for advice sector

The Financial Markets Authority (FMA) has urged licensed advice providers to fully implement or upgrade their business continuity plans as part of the regulator’s latest guidance on cyber resilience.

The information sheet provides general advice to small and medium-sized financial advice providers (FAPs) on enhancing the security and resilience of their technology systems.

The guidance comes after the introduction in March this year of the FMA’s new regime for the regulation of financial advice, which now requires all FAP licensees to be subject to the standard conditions for a full FAP licence. Previously, many advice providers were not subject to these compliance obligations.

Additionally, the new Code of Professional Conduct for Financial Advice Services requires providers to ensure that client information is protected against loss and unauthorised access, use, modification or disclosure.

Among the standard conditions is a requirement for full FAP licensees to maintain a business continuity plan that includes procedures for responding to, and recovering from, events that impact on cybersecurity and continuity.

Quarterly data reports from the New Zealand Computer Emergency Response Team (CERT NZ) consistently show the financial services and insurance industries have the highest number of reported incidents out of all sectors in New Zealand.

With many financial advisers lacking any previous compliance obligations, and many appearing to underestimate the cyber threat to them, the advice sector is likely among the most cyber exposed within the wider financial services industry.

“Within this newly licensed population are many individuals and entities who have not previously been subject to compliance obligations for cybersecurity, including many small or single-adviser businesses,” said FMA Director of Supervision James Greig.

“Given the increasing sophistication and frequency of hacking and data breaches reported in New Zealand, and the sensitive nature of information that may be held by financial markets participants, it is essential that all licensees give high priority to their cyber resilience capabilities. This includes ensuring that cybersecurity processes remain robust and appropriate for the cyber-related risks faced by the licensee,” Greig said.

A 2019 industry survey report by the FMA found that just one in three New Zealand FSIs were aware of the high and increasing level of cyber-risk. This dropped to one in four for those running their own firm.

Greig notes that it is up to licensees to design their own policies, processes and controls to suit the nature and scale of their individual business.

“Cyber resilience will be a key focus of our monitoring reviews of all market participants. Licensees will need to demonstrate not only that they have policies and systems in place, but also that these are widely understood and integrated into their business,” he said.