Kiwi regulators have published guidelines to help licensed financial advice providers develop their cyber resilience.
The Financial Markets Authority published the checklist as part of the new regime for regulating financial advice, as many newly licensed advisers have not previously been subject to cybersecurity compliance.
FMA Director of Supervision James Greig said: “Within this newly-licensed population are many individuals and entities who have not previously been subject to compliance obligations for cybersecurity, including many small or single-adviser businesses.
“Although the information sheet is specifically for financial advice providers, cyber resilience is of critical importance to all licensed entities.
“Given the increasing sophistication and frequency of hacking and data-breaches reported in New Zealand, and the sensitive nature of information that may be held by financial markets participants, it is essential that all licensees give high priority to their cyber resilience capabilities.
“This includes ensuring that cyber security processes remain robust and appropriate for the cyber-related risks faced by the licensee.”
The FMA’s guidance outlines key areas for all licensees to focus on to build and maintain the security and resilience of their technology systems.
However, it is up to licensees to design their own policies, processes and controls to suit the nature and scale of their individual business, Mr Greig said.
“Cyber resilience will be a key focus of our monitoring reviews of all market participants,” he said.
“Licensees will need to demonstrate not only that they have policies and systems in place, but also that these are widely understood and integrated into their business.”
InFinance highlighted the threat of cyber attacks in New Zealand earlier this year following the RBNZ breach and DDoS attacks on the NZX. The Financial Markets Authority was critical of the NZX, calling on the Board to invest in improvements to IT security.
Also in late 2020, the RBNZ engaged Deloitte to undertake an independent investigation to help improve its handling of sensitive information.
This followed two incidents where sensitive information was incorrectly stored in a draft internal report, and information was accidentally disclosed to a small group of financial services firms a short time before it was made public.
Former head of the Queensland high-tech crime unit Brendan Read told the FINSIA Podcast that financial services was facing an uphill battle against cyber crime.
And he conceded there were businesses who were found lacking in terms of what they're spending and doing on cyber security.
“It's one of those situations where the business is trying to deal and manage that cyber risk as best they can, but probably don't have a necessary enough respect for how severe that this issue can be and how crippling it can be to a business,” he said.
“Worst case scenario, some of these cyber attacks can actually take a business out of operation altogether.
“I’ve seen situations where the IT teams aren't big enough to manage the security risks, as well as the general administration of their networks and information governance.
“There really needs to be specific skills, specific resources brought in to manage and also respond to these types of risks. That might be bringing those resources in externally, but having a plan in place to know who they need to call as quickly as possible to get them in.”