Good Returns - Mobile Edition

FMA sets its sights on cyber security: a new to-do list for embattled financial services providers

27 Jun, 12:40pm by Jenni McManus

The financial services sector recorded the highest number of cyberattacks of any industry group in the first quarter of this year, according to a report by CERT NZ, a government-owned cybersecurity business.

All up, the sector reported 91 attacks, mainly involving phishing and credential harvesting. The next most-attacked industry groups were healthcare and special assistance (13 attacks) and manufacturing (12).

The Financial Markets Authority (FMA) cited these figures last week as it released a new cyber security information sheet for financial services businesses, setting out in detail its expectations about how cyberattacks should be prevented, contained and reported, and how harm to customers might be mitigated.

It warns that the financial services sector is a popular target for cyber criminals and the increasing digitisation of the industry makes it more vulnerable. Attacks are increasing in frequency, sophistication and severity, it says.

The information sheet is the second piece of cyber-guidance the FMA has released to financial services providers in the past three years and is by far the most prescriptive.

The first, in 2019, was a thematic review of cyber resilience within the entities the FMA regulates. “Following the thematic, we expected entities to reflect on our findings and, where necessary, improve their cyber resilience capabilities,” it said.

That the FMA would be “enhancing” its regulatory approach to cyber and operational resilience was also flagged in its annual corporate plan for FY21/22.

So, in the wake of this latest information sheet, market participants can expect a “heightened focus” by the regulator. This will include “reviewing entity obligations, enhancing our monitoring approach and engaging with stakeholders and other regulators to raise awareness and capability”.

With the increase in cyber threats and technology-related outages, the regulator says there appear to be “shortcomings” in the cyber resilience and operating systems of entities it regulates.

These include under-investment in technology and the use of unsupported or legacy systems.

The requirements are now clear. All entities licensed by the FMA must have effective systems, policies, processes and controls to meet their market services obligations, and secure IT systems. Financial advice providers have specific obligations.

In addition, financial services providers must be aware of the risks that potentially impact their organisations, including supply chain risk, and must understand their own capabilities. They also need to have in place “appropriate” governance, training, incident response management and reporting and remedial structures.

All systems, controls and policies must be regularly reviewed to identify vulnerabilities specific to each business. To deal with cyber threats, businesses need to have plans in place to do (at least) the following: identify, protect, detect, respond and recover.

Boards and senior management need a strong understanding of the state of their operating systems and technology, and the cyber risks facing the organisation, the FMA says. And because cyber risk exists at all levels of a business, all staff should be given cyber security training.

Businesses regulated by the FMA should notify the regulator of any cyber security event that materially disrupts or affects their ability to provide their regulated services or has a material adverse impact on customers.

The focus should be on preventing cyberattacks and on mitigation. Businesses need to be able to demonstrate this by having effective controls, governance, processes, reporting and frameworks in place.

If an attack results in the disclosure of personal information, as defined by the Privacy Act 2020, businesses need to be aware of their statutory obligations. If customers are affected by a service issue or outage, “entities should facilitate the best possible outcomes for affected customers”.

Once an incident has been contained and resolved, the business should conduct a comprehensive inquiry to understand the root cause. The FMA wants to see a post-incident report “as soon as practicable” after the event.

In its 2019 thematic review, it said firms should subscribe to CERT’s free security advisories via email or by following these alerts on Twitter.

“We do not believe there is any FMA-regulated sector in New Zealand that is safe from cyberattacks,” it said. “Financial services firms should not allow their size, or lack of it, to create a false sense of security.”
