08 July 2022

'5 mins with the FMA' podcast #1: Cyber resilience

FMA Director of Supervision James Greig discusses the FMA’s new message to financial service providers to ensure their cyber defences are robust, in an age of increasingly sophisticated and successful cyber attacks.

Here he explains why the regulator issued the “Cyber Security & Operational Systems Resilience” information sheet in June 2022, which includes details around standard FMC Act licence conditions, threat monitoring, staff training, board obligations, customer remediation and post incident reporting.

See also, James Greig’s cyber resilience opinion piece: 'Is your money next on cyber attackers’ hit list?'

Host: Kia ora and welcome to “5 minutes with the FMA” – a podcast by the Financial Markets Authority of New Zealand – Te Mana Tātai Hokohoko, where we take a quick look at the latest in financial regulatory matters in our corner of the world.

For our first episode FMA Director of Supervision James Greig is here to talk cyber resilience, having just put out an information sheet for financial service providers about building their cyber defences.

James, why has the FMA published this now?

James Greig: I’m sure we’ve probably all seen the increasing numbers of incidents that have been talked about in the media in recent times, it’s certainly come on our radar, and it’s one of these things people around the industry are talking about all the time.

Financial services are always gonna be a target because of the dollars that we’re looking after, or the information that we have about firms and their customers.

I think that firms also think about this from a risk perspective – so cyber resilience is one of the biggest risks that they see in their business, if not the biggest.

If you think about the threats as well, whether it be encrypting of your files… through to phishing campaigns targeted at information that we might hold, through to… denial of service attacks where criminal actors are targeting a website trying to prevent your customers accessing your products and services. So from sophisticated through to blunt tools, we're seeing it all right now.

Host: Okay so the FMA has published the “Cyber Security & Operational Systems Resilience” information sheet. What are the main messages to industry?

James Greig: I think the first thing we’d like to get across is the fact that the FMA is going to play a more substantive role in cyber resilience. This means creating awareness, helping firms think about prevention or mitigation of losses, for both them and for their customers. There's that close linkage between cyber resilience and ensuring good customer outcomes.

One of the key things that we talk about quite often when it comes to cyber resilience is that people play a really key part in this, so your people can be your biggest strength or they can be a huge weakness. So if I think about the strengths: people can detect, they can respond and they can create awareness, and they can be the very people you harness to prevent and to respond. Or unfortunately they can be the weakness, where they can be the weak link, literally clicking on a link or responding to something that they shouldn’t or giving information out that they shouldn’t have done.

This means that training and education of our people is critically important, building that awareness, thinking about roles and responsibilities, defining scenarios in terms of response, and making sure there’s good communication.

One of the other things that’s really important here is the role of the boards within the entities. Boards need to be accountable for making an ongoing commitment to the resources and budget that the entity has, and ensuring that there’s sufficient priority given to cyber resilience.

Host: What about smaller entities, like a sole adviser?

James Greig: It varies a lot, I mean at the small end of the market, we’re not expecting the same things as for a big bank or a big insurer. And it also depends on the type of business that they’re running. So for a financial advice provider, they’re collecting information and storing some of that information and giving recommendations or advice, but they’re not necessarily facilitating transactions or payments, so it’s a different proposition that they’re offering, and therefore the types of cyber resilience that they need is gonna look quite different.

Host: And if a cyber incident does occur?

James Greig: If an incident has occurred we would certainly expect that customers are returned to the situation they were in as if an incident hadn’t occurred, and that should be done in an appropriate and timely manner.

And if there is an incident they have to notify us of any issues. We want to engage with them to understand what has occurred, we want to think about and understand how they’re gonna improve for next time, and ultimately, you know, we would hate to have to step in and take regulatory action against one of our entities because they’ve failed to live up to their obligations.

Host: And so what is it you hope to achieve from publishing this information sheet?

James Greig: So the key thing we would like entities to take away from this is that they have obligations under their FMCA licence, which means ensuring they have the systems, controls, processes and policies in place.

We want entities to learn from the mistakes of others… where they have seen, read about in the media, you know, targets of attacks, or have been compromised, that they stop and learn from that, and that means hopefully if, you know, something happens next time or someone comes back next time and tries the same thing they’re not gonna be that weak link or soft target, and so having that awareness of what’s around them is critically important.

Prevention is better than cure, I think that probably holds true in the cyber resilience space. I’d much rather see firms or entities investing in getting it right up-front – whether that be in terms of identification of weaknesses or the design of their products or system – rather than having to come along and clean up the mess afterwards.

Host: James Greig, thanks for coming on “5 minutes with the FMA”. And for those listening, thank you, we hope it’s been a valuable use of your time.

You’ll find the full ‘Cyber Security and Operational Systems Resilience’ information sheet on our website at fma.govt.nz/guidance-library.

That’s all for now. Hei kōnā mai.