FMA demanding stronger cyber reporting and tech resilience
Between the denial of service attack on the NZX in 2020 and last year’s devastating Latitude cyber attack, the financial institutions integral to modern society are prime targets of cyber criminals.
Now the Financial Markets Authority has moved to strengthen reporting on cyber incidents, introducing a new “standard condition” for market licence holders, relating to business continuity and technology systems.
The new condition will come into effect on July 1 and require a licence holder to have a business continuity plan in place suitable for the size and scope of the business.
Relevant financial institutions will also need to make sure their critical technology systems are “operationally resilient” and if they suffer a cyber incident that materially affects their supply of service, “must notify the FMA as soon as possible, or no later than 72 hours after it has determined the event is a material incident”.
A new notification system, basically an online form, has been set up to allow companies to report a significant incident to the FMA.
“The online notification form for reporting of cyber and operational incidents is intended to aid reporting by entities and provide the FMA early notification due to the often time-sensitive nature of these incidents,” says FMA Director of Specialist Supervision and Response, Peter Taylor.
“We have also ensured that Reserve Bank-regulated entities are not further burdened by ensuring this process remains compatible with the Reserve Bank requirements.”
72-hour notification period
The Reserve Bank also has a cyber incident notification process, which will apply to many institutions overseen by the FMA.
While FMA licence holders were already required to report material incidents affecting their business, the addition of provisions specifically for cyber and tech-related incidents highlights the disruptive potential of cyber attacks and data breaches.
The Office of the Privacy Commissioner has a similar requirement that a breach notification be made to the Office “no later than 72 hours after agencies are aware of a notifiable privacy breach”.
The new FMA requirements explained
Business continuity and technology systems
Standard Condition (effective from 1 July 2024): You must have and maintain a business continuity plan that is appropriate for the scale and scope of your licensed market service.
If you use any technology systems, which if disrupted would materially affect the continued provision of your market service (or any other market services licensee obligation), you must at all times ensure the operational resilience of those systems – being the preservation of confidentiality, integrity and availability of information and/or technology systems – is maintained.
You must notify us as soon as possible and, in any case, no later than 72 hours, after discovering any event that materially impacts the operational resilience of your critical technology systems, and provide details of the event and impact on your licensed market service and recipients of the service.
Explanatory note: This condition requires you to have suitable arrangements in place to be able to manage disruptions to your business. This is intended to provide recipients of your licensed market service with the security of continuity of relevant services and associated products they receive from you.
Your business continuity plan includes the documented procedures that guide you to respond, recover, resume and restore a predefined level of operation following disruption. This plan should provide for the continuity of your licensed market service generally – not just the recovery of your technology systems. It should also encompass any outsourcing arrangements.
Your plan should consider the loss of availability of your key resources, including staff, records, systems, suppliers and premises. The extent of your business continuity plan should reflect the size and complexity of your market service, operational arrangements and exposure to disruptive events.
A small market services licensee with simple processes and technology may only need a relatively brief plan covering a more limited range of likely disruptive events. A larger or more complex market services licensee, relying more extensively on technology systems and possibly operating from multiple locations, will need to consider a wider range of disruptive events and reflect this in a more comprehensive business continuity plan.
Irrespective of the size or complexity of your circumstances, it is important that your business continuity plan is maintained, reviewed and regularly tested – at least annually. Your business continuity plan must also be updated immediately if there is a material change in business location, structure, or operations.
Critical technology is that which supports any activity, function, process, or service, the loss of which would materially affect the continued provision of your market service or your ability to meet your licensee obligations.
This condition requires that you maintain the operational resilience of your critical technology. This includes:
• regularly identifying and reviewing your operational risks, including cyber risk and threats; and
• implementing measures that maintain the level of operational resilience necessary for your risk profile; and
• having effective processes that monitor and detect activity that impacts your operational resilience; and
• setting out in your business continuity plan your predetermined procedures for responding to, and recovering from, events that impact on your operational resilience.
The operational resilience of your critical technology systems should be managed within the risk tolerance set through your governance processes. We recommend that you use an appropriate, recognised framework for this purpose.
You must have arrangements in place to notify us after discovering any event that materially impacts the operational resilience of your critical technology systems. This includes any technological or cyber security event that materially disrupts or affects the provision of your market service, or has a material adverse impact on recipients of the service.
You do not need to notify us of minor events, such as receiving a ‘phishing’ email that is not successful, i.e. one that has not materially disrupted or affected the provision of your market service, and has not had a material adverse impact on recipients of the service.
You need to provide details of the event including the affected systems, and the impact on your market service and recipients of the service. This should also include projected recovery timelines and remediation activity. If some of the details are not available at the time you discover the event, you will need to provide these details to us as soon as possible.
We may also request additional information about the event. We may also specify the format or additional requirements for notifying events to the FMA.