• Cyber resilience report

The FMA has published a report summarising the findings of its thematic review of cyber-resilience in New Zealand financial services. It includes guidance for firms in the areas where the FMA identified a need for improvement. It will be useful for FMA-regulated sectors, to help ensure they comply with the FMA’s expectations and with best practice.


FMA key recommendations for market participants

All firms should make use of the services provided by CERT NZ, which monitors cyber-incidents and provides advice and alerts, and New Zealand’s National Cyber Security Centre (NCSC), which helps organisations protect their systems from cyber-threats.


Market participants should include an assessment of cyber-risk – both for their own firm and at a broader global level – as part of their wider risk-assessment and risk-management programme. They should also consider the types of attacks reported by survey participants and the areas subsequently identified for change (see pages 3-4 of the report).


We also strongly encourage all market participants to use a recognised cybersecurity framework to assist with planning, prioritising and managing their cyber-resilience. The National Institute of Standards and Technology (NIST) cybersecurity framework core, for example, enables firms to assess maturity across five functions: Identify, Protect, Detect, Respond, and Recover.


We expect all market participants to have an appropriate balance between protection and detection measures, avoiding over-reliance on protection measures alone. Further, all market participants must have, at a minimum, basic response and recovery plans in place in respect of their regulated service, appropriate to their circumstances.


Firms’ governance arrangements must include board and/or senior management ownership and visibility of the cyber-resilience framework. The Institute of Directors’ Cyber-Risk Practice Guide provides principles to help boards understand cyber-risk.


Comments highlighted in the report:

We do not believe that New Zealand firms face a materially lower risk of cyber-attack than firms in other countries. CERT NZ’s 2018 summary threat landscape report shows a 205% increase in reported incidents from 2017. All licensed firms should treat the risk of cyber-attack as real, and plan accordingly.

Market participants should familiarise themselves with the NCSC’s annual cyber-threat reports and CERT NZ’s reports on the New Zealand cyberthreat landscape.

We do not believe that there is any FMA-regulated sector in New Zealand that is ‘safe’ from cyber-attacks. Financial services firms should not allow their size, or lack of it, to create a false sense of security.

Firms should subscribe to CERT NZ’s free security advisories via email or follow its alerts on Twitter.

All market participants should make use of a recognised cybersecurity framework to assist them in planning, prioritising and managing their cyber-resilience. We do not require the use of any particular cybersecurity framework. However, firms not currently using a recognised framework should consider using the freely available NIST cybersecurity resources. These can be applied to firms of all sizes.