New Zealand Enhancing Financial Sector Cyber Resilience

Recently, the Financial Markets Authority (FMA) published a consultation document outlining its proposal to implement a novel standard condition for specific holders of financial market licenses. This proposed license condition will primarily ensure business continuity and robust technology systems within the licensed entities.

Through this initiative, the FMA aims to enhance the cyber resilience and effectiveness of financial market participants in New Zealand. By emphasising business continuity and technology systems, the FMA intends to address potential risks and vulnerabilities in the financial sector, safeguarding investors’ interests and maintaining the market’s stability.

This consultation document serves as an opportunity for stakeholders to provide feedback and contribute to shaping the future regulatory framework that ensures the integrity and reliability of financial markets in New Zealand. The FMA’s proactive approach in seeking input from industry participants and stakeholders reflects its commitment to maintaining a well-regulated and secure economic environment that fosters trust and confidence among market participants and the public.

Recognising the significance of the resilience of businesses, the FMA has prioritised establishing measures to ensure that market service providers are well-prepared to tackle emerging challenges related to business continuity and cyber risks.

By actively addressing these risks, the FMA aims to support the smooth functioning of financial markets, fostering an environment of trust and confidence for consumers. Individuals and investors must have assurance that their information and investments are appropriately safeguarded.

This consultation document is specifically relevant to several types of market service licenses. It encompasses managers responsible for overseeing registered schemes, except restricted procedures. Additionally, providers offering discretionary investment management services fall within the scope of this consultation. Furthermore, derivatives issuers are included in the considerations outlined in the document.

Lastly, specified intermediary services, encompassing peer-to-peer lending and crowdfunding service providers, are also subject to consultation. The Financial Markets Authority seeks to gather input and insights from stakeholders in these specific areas to ensure the development of appropriate standards and regulations tailored to each license category.

The proposed new standard condition entails that licensees must possess and uphold a business continuity plan that suits the size and extent of their service. This plan aims to ensure the operational resilience of their critical technology systems. If a substantial disruption impacts the service provision, licensees must promptly notify the FMA, adhering to a maximum timeframe of 72 hours following the occurrence.

The 72 hours notification period considers the heavy reliance on technology by the relevant license holders and the potential risks posed to consumers and investors in the event of disruptions. It also acknowledges the critical role played by technology in maintaining robust and efficient financial markets.

By setting this timeframe, the proposal underscores the importance of timely communication and response to mitigate the adverse effects of disruptions and safeguard stakeholders’ interests.

In 2020, the FMA implemented a standard condition for Financial Advice Providers, focusing on business continuity planning (BCP) and technology resilience. This requirement is also incorporated into the Conduct of Financial Institutions regime, effective from 2025.

The FMA has highlighted deficiencies in cyber resilience and operational systems within licensed entities, including insufficient investment in technology and using unsupported or outdated systems. These observations from the FMA emphasise the need for enhanced cyber resilience and technological capabilities among licensed entities to ensure the robustness and effectiveness of their operations.

Paul Gregory, FMA Executive Director of Response and Enforcement, expressed that the financial services sector faces escalating technological risks. It underscores licensees’ importance in adhering to minimum business continuity and technology standards.

This proposal signifies the FMA’s ongoing efforts to implement this standard condition across various license types, reflecting the significance of ensuring that license holders consistently deliver their market services. By prioritising operational resilience, consumers and investors can have confidence in accessing services and products per their preferences and requirements.