FMA Highlights Finance Sector Cyber Security Failings


The FMA has published an information sheet to help financial services firms ensure their computer systems meet licence obligations.

It says cyber attacks affecting New Zealand organisations are increasing in frequency, sophistication and severity.

According to the New Zealand National Cyber Security Centre, 404 incidents with a national impact were recorded last year, up 15% on the 352 incidents in the previous year.

The information sheet notes financial services are a popular target for cyber criminals – the sector recorded 91 incidents during the first quarter of this year alone.

The FMA says there appear to be shortcomings in cyber resilience and operational systems among the entities it licenses, including under-investment in technology and the use of unsupported or legacy systems.

All entities licensed by the FMA must meet the following obligations:

  • To have, at all times, adequate and effective systems, policies, processes and controls that are likely to ensure you will meet your market services licensee obligations in an effective manner.
  • IT systems used to deliver the licensed market service must be secure and reliable. Your arrangements ensure they perform efficiently and the associated risks are managed

The FMA says financial advice providers have specific obligations for business continuity and technology systems. In 2019, the regulator published a thematic review of cyber resilience in FMA-regulated entities, which highlighted its expectations around cyber and operational resilience.

It recommends companies regularly review their cyber resilience and technology capabilities to identify vulnerabilities.