The Financial Markets Authority (FMA) has unveiled plans to improve resilience and cyber security for some parts of the finance sector.
It says this is essential for the integrity of New Zealand's financial markets.
So it is proposing to introduce a new standard condition for certain financial market license holders which will focus on business continuity and technology systems.
"The FMA wants to ensure that market service providers are prepared to respond to business continuity and cyber risks when they emerge," the organisation says.
"As well as supporting well-functioning financial markets, this will help consumers to have confidence that their information and investments are being properly looked after."
There have been years of warnings about the dangers of hackers to financial advisers. For instance, a person approaching a mortgage broker will necessarily provide sensitive financial details to that broker because a loan will not be offered without a lender being sure about income or existing debts of a would-be borrower.
That means a breach of cyber security could expose that person to sensitive personal exposure.
For that reason, proof of viable cyber security systems were written into the rules for holders of a Financial Advice Provider (FAP) licence.
The new proposed consultation document aims those conditions to a range of people including providers of discretionary investment management services, derivatives issuers and providers of services such as peer-to-peer lending and crowdfunding.
The new standard condition proposes that licensees must have and maintain a business continuity plan that is appropriate for the scale and scope of their service. They must also make sure that their critical technology systems are operationally resilient.
If the licensee suffers an event that materially affects the supply of its service, it must notify the FMA within 72 hours..
The FMA has already introduced requirements like these for FAP licence holders, and similar rules have been written into the Conduct of Financial Institutions (CoFI) regime which comes into force in 2025.
The FMA says it has previously noted shortcomings in the cyber resilience and operational systems among entities it licenses, including underinvestment in technology and the use of unsupported or legacy systems.
“The financial services sector is facing increasing technological risks that make it necessary for licensees to meet minimum business continuity and technology standards," the FMA Executive Director of Response and Enforcement Paul Gregory, says.
“This proposal continues the FMA’s roll-out of this standard condition across license types."
Consultation on the proposal runs until 1 September.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.