Samantha Barrass (Financial Markets Authority)
There appear to be cyber security shortcomings in organisations licensed by the Financial Markets Authority (FMA) - Te Mana Tātai Hokohoko, the regulator said today.
"In light of such increasing cyber threats, technology-related outages and remediation programmes reported to the FMA, it appears that there are shortcomings in the cyber resilience and operational systems at the entities we regulate, including underinvestment in technology and the use of unsupported or legacy systems," the FMA said in an information sheet published today.
The sheet noted the financial services sector recorded the highest number of reported incidents, ninety-one in total, across all industries in New Zealand for the quarter ended March 2022.
The release was made to help financial services firms enhance the resilience of their technology and operational systems and to meet their licence obligations, the FMA said.
"Our expectation is that entities have adequate technology architecture, cyber security systems, processes and controls in place to ensure their technology risks are being managed and their licensed services obligations are continuing to be met."
This included an expectation that systems processes and controls were tested and assessed regularly to ensure their data and technology systems were secure and operating effectively.
“IT systems used to deliver the licensed market service must be secure and reliable," it told the sector. "Your arrangements [must] ensure they perform efficiently and the associated risks are managed."
Financial advice providers also had specific obligations for business continuity and technology systems.
"As outlined in our annual corporate plan for FY21/22, we will be enhancing our regulatory approach to cyber and operational resilience, including reviewing entity obligations, enhancing our monitoring approach, and engaging with stakeholders and other regulators to raise awareness and capability," the regulator said.
Licensed organisations should take steps to understand the maturity and state of their system architecture and technology systems and should also frequently review these to identify potential areas of weakness and to determine if they are fit for purpose, the regulator said.
Entities should also consider engaging an independent cyber security or technology specialist to conduct a review which will help them understand their maturity level and identify points of vulnerability unique to the organisation.
"This would be a particularly useful exercise for entities without in-house cyber security or technology specialists as it will provide them with a specialised and objective view."
The regulator, which appointed Samantha Barrass as its new chief executive in February, also advised that engaging a cyber security specialist to conduct penetration testing or to perform crisis management simulations may also be useful and to watch their supply chains.
"While entities may review and consider cyber security and the resilience of operational systems within their organisation, the same focus and scrutiny is often not applied to their supply chains and third-party vendors," it added.
"With bad actors more frequently targeting service providers, the risk to supply chains increases."
In 2019, the FMA published a thematic review of cyber resilience in FMA-regulated entities, which highlighted the regulator’s expectations around cyber and operational resilience.
