New Zealand Financial Markets Authority releases cyber security information sheet for financial services firms
June 28, 2022
The New Zealand Financial Markets Authority (“FMA”) has released an information sheet to assist financial institutions with cyber security.
The press release provides:
The Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko has published an information sheet to help financial services firms enhance the resilience of their technology and operational systems, and meet any relevant licence obligations.
The information sheet notes financial services are a popular target for cyber criminals – the sector recorded the highest number of reported incidents of all industries in New Zealand for the quarter ended March 2022.
The FMA says there appear to be shortcomings in the cyber resilience and operational systems among entities it licenses, including underinvestment in technology and the use of unsupported or legacy systems.
All entities licensed by the FMA must meet the following obligations:
- “to have, at all times, adequate and effective systems, policies, processes and controls that are likely to ensure you will meet your market services licensee obligations in an effective manner”.
- “IT systems used to deliver the licensed market service must be secure and reliable. Your arrangements ensure they perform efficiently and the associated risks are managed”.
Financial advice providers have specific obligations for business continuity and technology systems.
In 2019, the FMA published a thematic review of cyber resilience in FMA-regulated entities, which highlighted the regulator’s expectations around cyber and operational resilience.
The Information Sheet references and relies on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which I post on regularly. The recommended self-assessment exercise adopts the following structure:
• ‘Identify’:
  ◦ Developing and reviewing an organisation-wide understanding to manage cyber security risk to systems, people (including customers), assets, data, and capabilities.
  ◦ Understanding the business context and resources that support critical functions, and the associated cyber security risk, to enable an entity to set its risk appetite and prioritise its activities.
• ‘Protect’:
  ◦ Developing, implementing and testing safeguards to ensure delivery of critical services and support the entity’s ability to limit or contain a cyber security incident.
• ‘Detect’:
  ◦ Developing, implementing and testing activities designed to enable timely identification of the occurrence of a cyber security incident.
• ‘Respond’:
  ◦ Developing, implementing and testing activities and actions that entities can take upon discovery of a cyber security incident, and support the entity’s ability to contain the impact.
• ‘Recover’:
  ◦ Developing, implementing and testing activities which enable the entity to restore capabilities and/or services that were impacted by a cyber security incident.
The Information Sheet is very useful in briefly dealing with every aspect of cyber security. It is, however, only a start: the hyperlinks it provides need to be followed for the detail.