FMA Report Shines Light on Cyber-Resilience in Financial Services Firms


The Financial Markets Authority (FMA) has released a report covering the findings of its thematic review of cyber-resilience in New Zealand financial services.

The purpose of the report is to provide guidance for firms in areas where the FMA has identified the need for improvement in detecting and protecting against cyber threats.

“We do not believe that New Zealand firms face a materially lower risk of cyber-attack than firms in other countries,” the FMA stated in its report.

“CERT NZ’s 2018 summary threat landscape report shows a 205% increase in reported incidents from 2017. All licensed firms should treat the risk of cyber-attack as real, and plan accordingly.”

The regulator’s survey found that 18 percent of participants reported experiencing a material cyber-attack, with 9 percent reporting multiple attacks during the two-year period.

The two most commonly reported types of cyber-attack were:

  • Phishing/spear-phishing attack (e.g. via email, txt, telephone) (78%)
  • Malware attack (44%)

Of the firms that reported they had experienced a material cyber-attack, the majority (78 percent) identified areas of their cyber-resilience that needed to change.

The area that respondents most often identified as needing change (64 percent) was protection through awareness education and training.

“It is encouraging that most participants who reported experiencing a material cyber-attack did identify changes to improve their cyber-resilience – all of whom have commenced with this work,” stated the FMA.

“At a minimum, we expect all market participants to have basic response and recovery plans in place in respect of their regulated service, appropriate to their individual circumstances. More generally, we expect to see a better balance between protection and detection levels over the next two years.”

The regulator noted that all financial services firms should use the services provided by CERT NZ, which monitors cyber-incidents and provides advice and alerts, and by New Zealand’s National Cyber Security Centre (NCSC).
