FMA releases information sheet on cyber resilience for financial advice providers

The Financial Markets Authority (FMA) has today released an information sheet containing principles and resources to help licensed financial advice providers develop their cyber resilience. A link to the information sheet is available here.

Who needs to read it? Why?

All financial service providers should read this information sheet – even though it is explicitly aimed at financial advice providers (FAPs) with full licences only.

The FMA is concerned about the exposure of financial services firms to cyber risk. Cyber risk includes the risk of loss, disruption or damage to a firm caused by failure in its information technology systems, from both internal and external threats. Cyber crime attacks are increasing.

What does it cover?

Code of Professional Conduct for Financial Advice Services Standard 5 requires all financial advice providers to ensure that client information is protected against loss and unauthorised access, use, modification or disclosure. This includes maintaining physical and electronic security measures so that only authorised personnel of the financial advice provider have access to client information.

In addition, the new standard conditions which will apply under full FAP licences reinforce that responsibility. Specifically, condition 5 requires full FAP licence holders to have and maintain a business continuity plan that, among other things, includes procedures for responding to, and recovering from, events that impact on cyber security and continuity. Full FAP licence holders must also maintain the information security of any technology systems which, if disrupted, would materially affect the continued provision of their financial advice service. And they must notify the FMA within 10 working days of a breach.

For many small or medium-sized financial advice providers, these conditions are the first cyber security compliance obligations to which they have been subject.

The information sheet follows a 2019 report on “Cyber-resilience in FMA-regulated financial services” by the FMA, and the new financial advice provider regime coming into force on 15 March 2021. The information sheet covers:

  • key sources of obligations;
  • areas of concern where cyber security capabilities should be upgraded; and
  • what resources are available to assist organisations in upgrading their cyber security capabilities.

Key areas that financial advice providers must consider in meeting their compliance obligations include:

  • policies, processes and controls to foresee and manage cyber risk, and recover from cyber incidents;
  • regular testing of systems and controls;
  • cultivating a culture of awareness and commitment to cyber resilience within the financial advice provider; and
  • arrangements to notify the FMA of any material information security breach.

Our view

As the FMA points out, cyber attacks on businesses in New Zealand are increasing in both sophistication and frequency. The New Zealand Computer Emergency Response Team (CERT NZ) quarterly data reports consistently show the financial services and insurance industries have the highest number of reported incidents out of all sectors in New Zealand.

In that context, the FMA is rightly taking an increasing interest in the cyber security and resilience of all financial market participants.

The information sheet is aimed at applicants for and holders of full FAP licences, because that’s where the enforceable legal obligations are clearest. But adequately addressing cyber security risk is an important part of maintaining customer confidence and stability for all financial service providers, and the FMA will no doubt expect them to adopt similar standards even where the legal obligation is not explicit.

We also encourage financial service providers to look at the FMA’s 2019 report on Cyber-resilience in FMA-regulated financial services, to check whether the business has addressed the gaps the regulator previously identified and where it currently stands against the relevant frameworks.

Also, to cultivate a culture of awareness and commitment to cyber resilience, financial service providers should actively look at how well staff understand cyber security risk and how they are being trained on it.

What next?

If you have any questions in relation to cyber resilience and financial regulation, or are considering how your business can meet its cyber security compliance obligations, please contact one of our experts.