Yesterday, the Financial Markets Authority (FMA) released a consultation document on its proposal to introduce a new standard condition for certain financial market licence holders (Standard Condition) addressing cyber resilience. The new licence condition will focus on business continuity and technology systems.
Links are available to the media release and consultation document.
Who should read this? Why?
The proposed new Standard Condition will affect those with the following financial market licences granted under Part 6 of the Financial Markets Conduct Act 2013 (FMCA):
- managers of registered schemes (but not restricted schemes);
- providers of discretionary investment management services;
- derivatives issuers;
- peer-to-peer lending providers; and
- crowdfunding service providers,
(together, Relevant Service Providers).
Those who are affected by the proposed Standard Condition should read the consultation document and consider making submissions, as it will introduce significant new obligations. They should also review their existing systems to ensure they will satisfy the Standard Condition when it comes into force. The consultation is also relevant to other financial service providers, even if the new Standard Condition will not technically apply to them, because it gives a better understanding of the FMA’s expectations.
What does it cover?
Cyber risk has been identified by both the FMA and the Reserve Bank as one of the key threats to the New Zealand financial system and its customers in recent years. Both here and overseas we have seen major hacks that have had significant impacts.
The consultation recognises that the operational resilience of critical technology (any support, function, process or service the loss of which would materially affect the continued provision of a Relevant Service Provider's market service or its ability to meet its licensee obligations) will include:
- regularly identifying and reviewing operational risks, including cyber risks and threats;
- implementing measures that maintain the level of operational resilience necessary for your risk profile;
- having effective processes that monitor and detect activity that impacts operational resilience; and
- setting out, in a business continuity plan, predetermined procedures for responding to, and recovering from, events that impact on that operational resilience.
The new Standard Condition will require Relevant Service Providers to have a business continuity plan ensuring that the technological systems they have in place are operationally resilient. The plan must consist of documented procedures to respond, recover, resume and restore their operations following a disruption, so as to ensure continuity of the market service itself and not just of the systems.
This means that some Relevant Service Providers may need to invest in better systems now so that, in the event of a disruption, they can maintain the operational resilience of those systems and preserve the confidentiality, integrity and availability of both the information and the systems.
The Standard Condition recognises that while Relevant Service Providers may rely on third parties for service delivery, the Relevant Service Providers are still ultimately responsible for delivering the market services.
The Standard Condition also requires that, in the event of a material disruption, Relevant Service Providers must notify the FMA no later than 72 hours after the incident. Relevant Service Providers must ensure that they have arrangements in place to notify the FMA of any event that materially impacts the operational resilience of their critical systems. This includes any technological or cyber security event that materially affects the market service or materially impacts recipients.
Our view
With the rise in cyber security threats and wider technological risks, for many the proposed new Standard Condition merely turns into an enforceable obligation what is already good practice. We expect that most Relevant Service Providers will already have a continuity plan for technology and systems to ensure these are operationally resilient.
However, the change means that those who do not adequately address the new Standard Condition’s requirements may, in the event of a cyber attack, face not only the direct fallout of that event but also the possibility of FMA enforcement action for operating in breach of a licence condition, against both the licence holder and potentially its directors. It is therefore very important that Relevant Service Providers consider the detail of what the FMA is proposing, to ensure they will be able to implement it from the date the new Standard Condition takes effect, if not before.
The Standard Condition will not be new to those Relevant Service Providers that also hold a financial advice provider licence (as they will also be subject to the same Standard Condition for that licence) and will soon also apply to those who will apply for a financial institution licence under the new conduct of financial institutions (CoFI) regime under the FMCA. But it will be timely for those entities to use this as an opportunity to look again at their cyber resilience to ensure that they are in fact compliant, and consider the expectations of the FMA.
All financial service providers, including those who are not subject to the Standard Condition, should review their operational resilience to cyber threats to identify what (if any) upgrades and uplifts are required. Relevant Service Providers in particular should also ensure that their business continuity plans reflect the requirements under the Standard Condition.
What next?
The consultation on the Standard Condition runs until 1 September 2023. If you have any questions relating to the Standard Condition or want to know how it may affect your business, please contact one of our experts.
This article was co-authored by William Ma, a law clerk in our Financial Services team.