Cyber resilience: Regulators take an interest

  • Publications and reports

    30 November 2023


In March this year, New Zealand experienced its largest cyber data breach to date, when a cyber-attack on Latitude Financial resulted in the theft of 7.9 million customers’ data in New Zealand and Australia, including details of drivers’ licences, passports and financial information.

The breach is believed to have affected around 20% of the New Zealand population. As a result, Latitude Financial is now the subject of a joint investigation by the New Zealand Office of the Privacy Commissioner and the Office of the Australian Information Commissioner, as well as a potential class action on behalf of affected customers.

The Latitude Financial attack follows in the wake of other recent high-profile cyber-attacks in Australia. A cyber-attack on Optus in September 2022 led to the release of personal information of over 10,000 customers. Of particular interest to insurers, a cyber-attack on major life and health insurer Medibank in October 2022 is reported as having led to the release of personal information of 9.7 million current and former customers. Both companies are now subject to consumer and/or shareholder class action claims.

The Financial Markets Authority (FMA) and the Reserve Bank have both identified cyber risk as one of the key threats to the New Zealand financial system and financial institutions’ customers. Unsurprisingly, they are taking a close interest in what regulated firms are doing to protect themselves and their customers and communicating their expectations. Increasingly, it appears that financial services regulators will be inquiring into firms’ capabilities to prevent and defeat cyber-attacks.

Regulation on business continuity and cyber resilience

The Reserve Bank and the FMA, which are insurers’ primary regulators, have been increasingly focusing on cyber resilience following the FMA’s thematic review of the cyber resilience of FMA-regulated operators in 2019.

In November 2020, the FMA introduced new standard conditions for fully licensed financial advice providers (FAPs) as part of the change in the financial advice regime under the Financial Services Legislation Amendment Act 2019, which came into force on 15 March 2021. Standard 5 focuses on business continuity and technology systems. For many small or medium sized financial advice providers, these conditions imposed their first compliance obligations for cyber security. The FMA subsequently released a cyber resilience information sheet in July 2021 targeted at small and medium sized FAPs – see our article on the information sheet here.

The Financial Markets (Conduct of Institutions) Amendment Act 2022 (CoFI Act) comes into force in March 2025, by which time all registered banks, licensed insurers and licensed non-bank deposit takers in the business of providing one or more relevant services (Financial Institutions) must have a financial institution licence. In July 2022, the FMA consulted on and finalised six standard conditions for Financial Institutions. Like the standard conditions for FAPs, Standard 5 focuses on business continuity and technology systems. It requires licensees to maintain a business continuity plan and the operational resilience of technology systems if their disruption would materially affect the provision of services or other licensee obligations. Licensees’ business continuity plan and technology systems must comply with their fair conduct programme.

In addition, licensees must also notify the FMA as soon as possible and no later than 72 hours after discovering any event that materially impacts the operational resilience of their critical technology systems.

In July of this year, the Reserve Bank and the FMA issued new standards and accompanying guidance for designated Financial Market Infrastructures (FMIs) under section 31 of the Financial Market Infrastructures Act 2021. FMIs are multilateral systems that enable electronic payments and financial market transactions. The standards, which will come into effect from 1 March 2024, cover a range of areas, including cyber resilience. Our article on the standards can be accessed here.

The standard conditions and guidance on cyber resilience applying to FMIs are more detailed and onerous than the standard conditions applying to FAPs and Financial Institutions, which focus on business continuity planning and maintaining the operational resilience of technology systems. However, we think it likely that the more detailed standards and guidance applying to FMIs will in time be imposed upon other regulated financial services providers, such as insurers and insurance brokers. The regulators’ expectations of FMIs in relation to cyber resilience will therefore be of interest to insurers and brokers.

Standard 17C imposes key obligations upon FMIs on cyber resilience. It requires designated operators to maintain cyber resilience in a manner commensurate with their exposure to cyber risk, and aims to promote cyber resilience by setting expectations and raising awareness of good practice at the board and senior management level.

The standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 as falling within one or more of the following classes of designated FMIs:

  • a pure payment system;
  • a central securities depository;
  • a securities settlement system; or
  • a central counterparty.

In summary, Standard 17C requires the following:

  • FMIs must have a cyber resilience strategy and cyber resilience framework that is comprehensive, adequate and credible. The strategy and framework must, amongst other things, be based on internationally and nationally recognised frameworks and guidelines, and be reviewed annually and updated when required.
  • Importantly, FMIs must ensure that their boards of directors are ultimately responsible for the FMI’s cyber resilience, and must take reasonable steps to ensure that their boards understand the relevant cyber risk environment. This means that FMIs should ensure that their directors take steps such as appointing a senior manager with the appropriate skills, knowledge, and experience to be accountable for the cyber resilience strategy and cyber resilience framework. The guidance on Standard 2 (on Governance) makes it clear that boards of directors of FMIs are viewed as ultimately responsible for managing their risks and for establishing and overseeing internal systems (including controls) and audits. While this does not appear to impose additional legal obligations upon directors personally, it suggests that there is a risk that in the event of a major cyber breach, regulators may consider whether directors may have breached their existing duties by failing to take the necessary steps to prevent a cyber resilience failure.
  • FMIs must ensure that their cyber resilience strategy and framework, and compliance with them, are assessed by an external qualified auditor in accordance with applicable auditing and assurance standards at least:
    • every two years; and
    • whenever a cyber incident occurs that materially impacts, or could materially impact, the FMI’s continuing operations (unless it is not reasonably practicable to do so, in which case the operator must provide its reasons to the regulator as soon as possible).
  • The operator must provide any report from an external assurance engagement to the regulator upon request.

The accompanying guidance to the standards is intended to assist operators to meet the requirements of the FMI Standards. While not legally binding, it provides guidance on how the FMA and Reserve Bank expect operators to consider and apply the obligations imposed by the standards, drawing on international and national cyber security standards and guidelines. The guidance covers the following, amongst other topics:

  • What a cyber resilience strategy and framework should set out and the areas entities should focus on when implementing the strategy and framework.
  • Protective measures that should be put in place, such as security controls, monitoring and controlled access to systems and information.
  • Detection measures that should be put in place, such as establishing early warning signs and documentation of the normal baseline performance for essential services and supporting systems.
  • What response and recovery plans should incorporate.
  • What an external assurance assessment should include.
  • Board of directors and senior management responsibilities.
  • Engaging with third-party providers including the use of contracts to capture cyber security considerations, ongoing cyber risk management and relationship management.

These are detailed guidelines – the regulators’ expectation is that entities will have a specific and comprehensive strategy that is verifiable.

New standard condition for market service licence holders

In a continuation of the roll-out of standard conditions addressing business continuity and technology systems, in July this year, the FMA proposed to introduce a new standard condition for the following financial market service licences granted under Part 6 of the Financial Markets Conduct Act 2013 (FMC Act):

  • Managers of registered schemes (but not restricted schemes);
  • Providers of discretionary investment management services;
  • Derivatives issuers; and
  • Prescribed intermediary services (peer-to-peer lending providers and crowdfunding service providers).

The proposed business continuity and technology systems standard condition is similar to the ones applying to FAPs and Financial Institutions. The FMA sought feedback on the proposed new standard condition, which concluded on 1 September 2023. We expect a decision to be released in the near future. See the consultation document here, and our article on this here.

Market services licensees should also take account of an information sheet the FMA released in June 2022 to assist all market services licensees under Part 6 of the FMC Act (excluding benchmark administrators) to enhance the resilience of their cyber and operational systems. The information sheet identifies that the FMA expects licensees to have adequate technology architecture, cyber security systems, processes and controls in place to ensure their technology risks are being managed. This includes an expectation that systems, processes and controls are tested and assessed on a regular basis. In addition, licensees should be aware of the risks that potentially impact their organisation. This means understanding their own capabilities, as well as supply chain risks and the operational resilience of third-party vendors. Entities should also have appropriate governance, training, incident response management, reporting and remediation structures in place. Where entities hold both a FAP and another FMC Act Part 6 licence, the information sheets applying to both can be read together.

Additionally, all licensed entities (excluding financial advice providers), including licensed insurers, must meet the minimum standard for operational infrastructure as outlined in the licensing guide for each licence type.

What these changes mean for financial entities and insurers

The regulatory focus on cyber security reflects the increasing risks facing the financial services sector generally, which relies heavily on technology. Consistent with previous years, the 2023 Q1 and Q2 CERT NZ Data Landscape reports show that the highest number of reported cyber security incidents came from the finance and insurance services sector. In addition to reputational damage, losses from cybercrime can be significant and include loss and damage (from disruption in operations), liability to customers and third parties (whose data may be released or misused), and regulatory action and fines.

The cyber threat landscape is evolving and is increasingly sophisticated. The regulators will expect insurers and brokers, like other financial institutions, to invest appropriately in measures to protect against and recover from the impact of cyber incidents. Licensed insurers will need to continue with preparations for the CoFI regime to ensure they meet their obligations, including obligations relating to business continuity planning and technology resilience.

Latest cyber security resources

Insurers should also keep on top of the latest resources and guidance on cyber security.

They may self-evaluate their cyber resilience against the US National Institute of Standards and Technology Cybersecurity Framework. The FMA’s cyber security and BCP self-assessment tool for FAPs is another helpful resource.

See also the Reserve Bank’s Guidance on cyber resilience, CERT NZ Critical Controls 2022 and the cyber risk practice guide from the Institute of Directors New Zealand to help boards understand and approach cybersecurity in their organisations.

The FMA also recommends regulated entities subscribe to CERT NZ Alerts.

Refer to our latest podcast on other standards and frameworks available on cyber security and information security.