FMA – Cyber Security & Operational Systems Resilience – 22 June 2022

On 22 June 2022, the Financial Markets Authority (FMA) released an information sheet to assist market services licensees (excluding benchmark administrators) licensed under Part 6 of the Financial Markets Conduct Act 2013 (FMC Act) to enhance the resilience of their cyber and operational systems. While this information sheet is designed to apply to a broad range of sectors, entities with complex cyber security and operational systems should consider the specific technology requirements and obligations that apply to their sector.

As outlined in the FMA’s annual corporate plan for FY21/22, the FMA will be enhancing its regulatory approach to cyber and operational resilience, including reviewing entity obligations, enhancing its monitoring approach, and engaging with stakeholders and other regulators to raise awareness and capability.

The FMA’s expectation is that entities have adequate technology architecture, cyber security systems, processes and controls in place to ensure their technology risks are being managed and their licensed services obligations are continuing to be met. This also includes an expectation that systems, processes and controls are tested and assessed on a regular basis to ensure that their data and technology systems are secure and operating effectively.

Entities should have appropriate governance, training, incident response management, reporting and remediation structures in place. Entities should have established plans, with clear roles and accountabilities, to help ensure they can resume operations without undue delay. When responding to an incident, entities should immediately enact their business continuity and incident management plans. These plans should also include an approach for informing and remediating customers. Business continuity and incident management plans should be reviewed, tested and updated on a regular basis, so they are up to date and can be immediately implemented in the event of an incident.

Timelines and the progress of the remediation, including any customer remediation, should also be reported to the FMA. Entities may consider engaging a third party to conduct an independent review to ascertain the cause of the incident, especially where technology and cyber capability is not available within the organisation.

Once an incident has been contained and resolved, entities should conduct a comprehensive inquiry to understand the root cause. A post-incident report (PIR) should be provided to the FMA (separate from the initial notification) as soon as practicable after the entity has resolved the incident. The PIR should include (but not be limited to):

  • a comprehensive analysis of the root cause of the incident
  • how the entity has rectified or resolved the incident
  • accountabilities and responsibilities relating to the incident
  • impacts to the entity’s cyber security risk profile
  • a full assessment of the incident’s impact on the business and customers
  • key learnings and measures taken by the entity to prevent the incident occurring again.

Read the report here:

How We Can Help

We assist financial service professionals to manage their cyber security risk, with a particular focus on data privacy and security. Examples of our services include: