To print this article, all you need is to be registered or login on Mondaq.com.
It’s almost a year since New Zealand’s Financial
Market’s Authority (FMA) released its consultation paper to
introduce new financial licence conditions aimed at protecting
finance and investment firms from cyber-attacks and technology
outages.
The FMA has long been concerned about the increasing extent to
which customers are impacted by these issues at financial services
firms, which are popular targets due to the valuable data they
hold, especially sensitive personal and financial customer
details.
In response to the heightened risk, the FMA is implementing a
business continuity and technology systems licence condition for a
range market service licences1. This is part of its
staggered roll out of technology-related licensing requirements
across its regulated sector to safeguard the continuity of services
provided to consumers and investors.
The change will apply to a range of financial services licence
holders, including investment management firms, managers of
registered schemes (excluding restricted schemes), discretionary
investment management service providers, derivatives issuers and
peer-to-peer lending and/or crowdfunding service providers.
The changes will mean that licence holders will be required to
maintain a business continuity plan suitable for the size and scale
of their services and maintain the operational resilience of their
critical technology. This means licence holders will need to
understand the technology risks facing the business, keeping plans
and programmes up to date and appropriate to meet business needs.
The new condition also means licence holders must report incidents
that materially affect the operational resilience of their critical
technology systems to the FMA within 72 hours.
Licence holders are expected to comply with the new standard
condition by 1 July 2024. The standard condition is not new to the
financial services industry, but it gives licence holders just two
short months to implement what may be a major change for many.
This short window of time means that licence holders must act
quickly. Impacted licence holders should make it a priority to
review their current business continuity and technology
capabilities.This will help ensure they can meet the requirements
by the deadline and reduce the risk of non-compliance with the
licence conditions.
Affected organisations should take five steps before 1 July:
- Assess cyber security capability and maturity against a
recognised framework such as the NIST Cybersecurity Framework,
Australian Signals Directorate Essential Eight Maturity Model or
ISO 27001. - Conduct an expert independent review of your technology and
cyber security controls. - Make sure you have a business continuity plan that you review,
update, and test. - Develop and practise your incident response plans from end to
end, including regulatory reporting. - Provide expert training to senior leadership on cyber security
risks facing the organisation.
These changes are a big step in the right direction for New
Zealand’s financial services regulatory landscape, creating
better alignment to Australia’s regulatory requirements. Just
as important, it’s an equally big step forward in protecting
consumers from cyber and technology risks, and a strong reminder to
undertake expert risk assessments and make ourselves as secure as
we can.
Footnote
1FMA introduces new standard condition on business
continuity and technology systems plus new process for reporting
operational incidents | Financial Markets Authority
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Technology from New Zealand
#Cybersecurity #Countdown #Fin #Tech
