As a Financial Service Provider, how should your firm prepare for cyber threats?
Financial Service Providers store large quantities of sensitive information and process significant financial transactions on behalf of their clients. To deliver financial services to clients, new technologies are being adopted, including generic cloud services and sector-specific fintech. New technologies carry new risks, and Financial Service Providers are an attractive target for cyber criminals regardless of their size. Cyber risks include privacy breaches, data loss and financial loss, which lead to general disruption and damage to a provider's reputation. A number of financial regulators have recently provided clear guidance on cyber resilience. We have summarised this below.
On 11 July 2019, the Financial Markets Authority (FMA) released a report on their review of cyber-resilience in New Zealand financial services. The report summarises the findings and provides guidance for firms where the need for improvement has been identified. The FMA has encouraged sector participants to comply with its expectations and best practice. “Cyber-risk encompasses all risk of loss, disruption, or damage to a firm caused by failure in its information technology systems – from both internal and external threats. The interconnectedness of the financial sector means any part of it might be an entry point for a wider cyber-incident.”
The report goes on to recommend that all market participants should assess cyber-risk as part of their wider risk-assessment and management programme. “We also strongly encourage all market participants to use a recognised cybersecurity framework to assist with planning, prioritising and managing their cyber-resilience. The National Institute of Standards and Technology (NIST) cybersecurity framework core, for example, enables firms to assess maturity across five functions: Identify, Protect, Detect, Respond, and Recover.”
The Code of Professional Conduct for Financial Advice Services was approved by the Minister of Commerce and Consumer Affairs on 7 May 2019 and the obligation to comply with the Code came into force on 15 March 2021. The Financial Advice Code is prepared in accordance with Part 4 of Schedule 5 of the Financial Markets Conduct Act 2013 (the FMC Act).
The Code specifies, amongst other requirements, the obligation to ‘Protect Client Information’. In particular, Financial Advisors must adhere to the following:
- A person who gives financial advice must take reasonable steps to protect client information against loss and unauthorised access, use, modification, or disclosure.
- Client information includes all information about the client that is collected or held by a person who gives financial advice. That includes information in work papers and records, and the financial advice given to the client.
- Client information should be retained only for as long as it is required for one or more of those reasons. When it is no longer needed, the client information should be returned to the client or disposed of securely.
- Physical and electronic security measures should be maintained so that only authorised personnel of the financial advice provider have access to client information.
- Client information is broader than personal information under the Privacy Act. To the extent that it relates to personal information, however, the standard is intended to be applied consistently with obligations under the Privacy Act.
The new financial advice regime came into force on 15 March 2021. Entities and individuals granted a full Financial Advice Provider (FAP) licence under the Financial Markets Conduct Act 2013 (FMC Act) will be subject to the standard conditions for full FAP licences. Standard condition 5 sets out requirements around business continuity and technology systems, particularly for maintaining the information security of technology systems which, if disrupted, would materially affect the financial advice service.
On 22 June 2022, the Financial Markets Authority (FMA) released an information sheet to assist market services licensees (excluding benchmark administrators) licensed under Part 6 of the Financial Markets Conduct Act 2013 (FMC Act) to enhance the resilience of their cyber and operational systems. While this information sheet is designed to apply to a broad range of sectors, entities with complex cyber security and operational systems should consider the specific technology requirements and obligations that apply to their sector.
On 20 October 2020, the Reserve Bank – Te Pūtea Matua (RBNZ) released draft guidance on what regulated entities should consider when managing cyber resilience. The draft guidance, which is open for feedback, outlines the Reserve Bank’s expectations around cyber resilience, and draws heavily from leading international and national cybersecurity standards and guidelines. “As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around the world.”
On 1 May 2021, the RBNZ's finalised guidance on cyber resilience for its regulated entities came into effect.
This guidance has been designed to set out the Reserve Bank of New Zealand’s expectations for its regulated entities regarding cyber resilience. It aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level of entities. It applies to all entities regulated by the Reserve Bank, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures.
This guidance draws upon leading international and national cybersecurity standards and guidelines and is intended to provide high-level principle-based recommendations for entities. This guidance primarily serves as an overarching framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and technologies, rather than as an explicitly detailed or technical set of instructions.
Australian Council of Financial Regulators (CFR) Guidance
The Council of Financial Regulators (CFR) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry. The CORIE framework has been developed to aid the preparation and execution of industry-wide cyber resilience exercises. A key objective of the CORIE framework is to provide data and reporting to inform relevant Australian regulators of systemic weaknesses that may present a risk to the integrity and stability of Australian financial markets. The framework also aims to identify actions to uplift the cyber resilience of financial institutions. CORIE's exercises will mimic the tactics, techniques and procedures (TTPs) of real-life adversaries, creating and utilising tools, and using techniques that may not have been anticipated and planned for.
How We Can Help
We assist financial service professionals manage their cyber security risk, with a particular focus on data privacy and security. Examples of our services include: