The Autorité des marchés financiers reminds the sector of its cybersecurity obligations

Samantha Barrass (Financial Markets Authority)

Credit: provided

There appear to be cybersecurity gaps in organizations licensed by the Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko, the regulator said today.

“In light of these growing cyber threats, technology-related outages and remediation programs reported to the FMA, it appears that there are gaps in the cyber resilience and operational systems of the entities we regulate, including including underinvestment in technology and the use of unsupported tools or legacy systems,” the FMA said in a fact sheet released today.

The sheet notes that the financial services sector had the highest number of reported incidents, ninety-one in total, across all industries in New Zealand for the quarter ending March 2022.

The release was made to help financial services firms build resilience into their technology and operational systems and meet their licensing obligations, the FMA said.

“We expect entities to have adequate technology architecture, cybersecurity systems, processes and controls in place to ensure that their technology risks are managed and their licensed services obligations continue to be met. be respected.”

This included an expectation that systems processes and controls were tested and evaluated regularly to ensure that their data and technology systems were secure and operating effectively.

“The computer systems used to provide the licensed marketplace service must be secure and reliable,” he told the industry. “Your provisions [must] ensure that they operate effectively and that the associated risks are controlled.”

Financial advice providers also had specific obligations regarding business continuity and technology systems.

“As outlined in our annual business plan for FY21/22, we will improve our regulatory approach to cyber resilience and operational resilience, including reviewing entity obligations, enhancing our oversight approach and engaging with stakeholders and other regulators to build awareness and capacity,” the regulator said.

Certified organizations should take steps to understand the maturity and status of their system architecture and technology systems and should also review them frequently to identify potential areas of weakness and determine if they are fit for purpose, a said the regulator.

Entities should also consider engaging an independent cybersecurity or technology specialist to perform a review that will help them understand their level of maturity and identify points of vulnerability unique to the organization.

“This would be a particularly useful exercise for entities without in-house cybersecurity or technology specialists, as it will provide them with a specialized and objective view.”

The regulator, which appointed Samantha Barrass as chief executive in February, also indicated that it could also be useful to hire a cybersecurity specialist to carry out penetration tests or to carry out crisis management simulations. and to monitor their supply chains.

“While entities may review and consider cybersecurity and resiliency of operational systems within their organization, the same attention and scrutiny is often not applied to their supply chains and third-party vendors,” he added.

“With malicious actors targeting service providers more frequently, the risk to supply chains increases.”

In 2019, the FMA published a thematic review on cyber resilience in FMA-regulated entities, which shed light on the regulator’s expectations for cyber resilience and operational resilience.

Join the newsletter!

Error: Please verify your email address.

Tags regulationfinancial servicesgovernmentfinancial markets authoritycybersecurity

Comments are closed.