The Financial Markets Authority (FMA) - Te Mana Tātai Hokohoko - has today published an information sheet
containing principles and resources to help licensed financial advice providers develop their cyber resilience.
Financial advice provider licensing was introduced in March 2021 as part of the new regime for regulating financial
advice under the Financial Markets Conduct Act 2013 (as amended by the Financial Services Legislation Amendment Act
The standard conditions for full financial advice provider
licences include a requirement to have and maintain a business continuity plan that includes procedures for responding
to, and recovering from, events that impact on cybersecurity and continuity (condition 5).
Additionally, the new Code of Professional Conduct for Financial Advice Services
requires providers to ensure that client information is protected against loss and unauthorised access, use,
modification or disclosure.
FMA Director of Supervision James Greig said: “Within this newly-licensed population are many individuals and entities
who have not previously been subject to compliance obligations for cybersecurity, including many small or single-adviser
businesses. Although the information sheet is specifically for financial advice providers, cyber resilience is of
critical importance to all licensed entities.
“Given the increasing sophistication and frequency of hacking and data-breaches reported in New Zealand, and the
sensitive nature of information that may be held by financial markets participants, it is essential that all licensees
give high priority to their cyber resilience capabilities. This includes ensuring that cyber security processes remain
robust and appropriate for the cyber-related risks faced by the licensee.”
The FMA’s guidance outlines key areas for all licensees to focus on to build and maintain the security and resilience of
their technology systems.
However, it is up to licensees to design their own policies, processes and controls to suit the nature and scale of
their individual business, Mr Greig said.
“Cyber resilience will be a key focus of our monitoring reviews of all market participants. Licensees will need to
demonstrate not only that they have policies and systems in place, but also that these are widely understood and
integrated into their business,” he said.
In 2019 the FMA conducted a thematic review
of market participants’ cyber resilience. The report provided guidance for firms in areas where the FMA identified the
need for improvement.