FMA sets out expectations over cyber risks

In June 2022 the FMA published an information sheet entitled Cyber Security & Operational Systems Resilience (Information Sheet).  A comparatively short document at seven pages, the information sheet contains important messages for holders of market services licenses under Part 6 of the Financial Markets Conduct Act 2013 (FMCA).  More specifically, the document is aimed at persons acting in the following capacities as listed under FMCA section 388:

• Manager of a registered scheme (other than a restricted scheme)
• Independent trustee of a restricted scheme
• Provider of a financial advice service
• Provider of a discretionary investment management service
• Derivatives issuer in respect of a regulated offer of derivatives that is made by the derivatives issuer

In what follows in this article, we shall single out for examination the implications of the Information Sheet for supervised entities, namely registered managed investment schemes (MISs) and their licenced managers (MIS managers).  However, the principles of the Information Sheet should also be considered by other FMCA-governed entities such as non-bank deposit takers (NBDTs) and debt issuers.  Retirement village operators should also take heed.

Background considerations

The first part of the Information Sheet provides a short summary of some prior FMA publications on cyber security, namely the information sheet Developing cyber resilience for financial advice providers (July 2021) and the thematic review Cyber-resilience in FMA-regulated financial services (July 2019).   These resources form a backgrounder to the Information Sheet, which also includes throughout links to other relevant publications by external parties and importantly the FMA’s own Annual Corporate Plan 2021/22 (July 2021), (Plan). 

The Plan lists as one of the FMA’s “priority activities”:

Cyber and other operational resilience – advancing our approach, including our expectations for the management of cyber and operational risks by regulated entities.

(Plan, p. 4).

Expanding on the priority, the Plan states that one of the “cross-sector focus areas” it intends to work on is:

Cyber and operational resilience – we will review and enhance our approach to cyber and systems resilience of regulated entities, including:

• reviewing our standard licence conditions to ensure they set clear requirements
• enhancing our monitoring approach
• working closely with other stakeholders to raise awareness and capability across the industry.

(Ibid., p. 6)

The FMA has repeated this message in its just released its Annual Corporate Plan 2022/23, which states:

Progress our approach to cyber security and operational resilience

• Cyber security and operational resilience approach – We will enhance our regulatory approach to cyber security and operational resilience, including consulting on a new FMC Act standard condition [our emphasis], enhancing our monitoring approach, and engaging with stakeholders and other regulators to raise awareness and capability

(Annual Corporate Plan 2022/23, p. 12)

The FMA has evidently been concerned for some years that the financial sector it oversees is underprepared for the contemporary environment of cyber risk.   The new Information Sheet, which refers explicitly to the “rapidly changing cyber security threat landscape” (p. 4), makes plain that cyber security and related matters of operational systems resilience form part of the regulator’s major concerns to address effectively.  Reflecting the cross-sector nature of the Information Sheet’s application to FMCA Part 6 licence holders, statements made within the document tend to be generic and need to be cashed out within the specific context of a particular type of licence holder in order to understand them more clearly.

FMA sets out licensee duties and obligations

Of special note about the Information Sheet is that it anchors the FMA’s expectations concerning cyber risk management within the context of the standards that apply to the market services licences the regulator issues.  In what follows, consistent with our focus on MISs and their licenced managers, we shall connect what the Information Sheet has to say with the Standard Conditions for managed investment scheme manager licences (Standard Conditions) and the Licencing Application Guide - Managed investment scheme (MIS) manager (Application Guide).

Under the heading “Standard conditions” (p. 2), the Information Sheet makes implicit reference in short order to the following standards as having direct bearing on its expectations for MIS managers to be able to manage cyber risks competently and effectively:

Standard Condition 6. Compliance

Standard condition: You must have, at all times, adequate and effective systems, policies, processes and controls that are likely to ensure you will meet your market services licensee obligations in an effective manner.

(Standard Conditions p. 3)

Application Guide:

Operational infrastructure - Minimum standards

1. IT systems and business continuity

Your IT systems used to deliver the licensed market service must be secure and reliable. Your arrangements ensure they perform efficiently and the associated risks are managed.

(Application Guide, p. 34)

By extension, the Application Guide’s position on IT systems and business continuity leads back to the Standard Conditions:

Standard Condition 3. Outsourcing

Standard condition: If you outsource a process/system necessary to the effective and proper running of the market service (or any other market services licensee obligation) you must be satisfied that the provider is capable of performing the service to the standard required to enable you to meet your market services licensee obligations and you must have a legally binding agreement with the provider. You must also ensure that records pertaining to the market service are available for inspection when requested by the FMA.

(Standard Conditions, p. 2)

Further reference to Standard Condition 3 emerges within the Information Sheet under the heading “Supply chain risk” (p. 5).  There is also an implication under the heading “Governance” (ibid.) that is suggestive of referral to the Application Guide, namely the minimum standard:

Governance – Final steps

1. Governance

You must have a high-level body responsible for overseeing compliance with your market services licensee obligations – and ensuring appropriate risk management

Minimum standards

1. You have a clear reporting and governance framework covering all key aspects of your business (or proposed business) including compliance obligations and key risks of the business….

(Application Guide, p. 40)

The Application Guide’s governance minimum standards section dovetails in with the Standard Conditions:

Standard Condition 7. Governance arrangements

Standard condition: Your governance and compliance arrangements must be substantially the same as, or better than, those in place, or which the FMA was advised of, at the time you applied for your licence (or any subsequent change advised to the FMA). You must notify the FMA of material changes to your governance and compliance arrangements as soon as practicable.

(Standard Conditions, p. 4)

The footnote to Standard Condition 7 refers reflexively to the Application Guide where it states:

For further information in relation to the requirements of your governance and compliance arrangements see the governance and compliance sections of the Licensing Application Guide.

(Ibid.)

The rest of the Information Sheet sets out the sorts of actions that the FMA expects from market services licensees in relation to cyber security, including by extension MIS managers, and will be briefly summarised further below. 

However, it is worth pausing here to reflect upon what the relevant passages quoted above from the Standard Conditions and the Application Guide signify as the foundations of the FMA’s expectations about cyber risk management by market services licensees.  It should be clear enough that MIS managers and other persons licenced to perform market services are staring down the barrel of breaching their licences if they prove not up to the mark on properly managing their cyber security.  Specifically, MIS managers could be caught out on breaching their Standard Conditions 3 and 6, and probably also 7, with interpretation of what these standards mean and how they apply resting upon what is further stated in relation to them within the Application Guide. 

For example, the wording of Standard Condition 7 may not on the face of it seem to have much to do with cyber security, but the quoted footnote reference to the Application Guide makes it apparent that the latter document’s sections on governance and compliance are definitive.   Looking at the Application Guide’s relevant sections, the FMA’s expectations are set out chapter and verse.   It is quite clear from the Application Guide’s governance section that MIS managers are expected to be right across and well informed on all the risks that their businesses face, which would automatically entail cyber risks. 

Breaches of MIS manager licences have consequences for the managers concerned, whether at the lower end of the scale in receiving private or public warnings from the FMA, or at the upper end in enforcement, prosecution and potential loss of licence.  The Information Sheet does not discuss these kinds of consequences for failure on the part of MIS managers to prepare and implement appropriate plans and strategies for managing cyber risks and attacks.  It should not, however, be too hard to read what lies between the lines.

Key steps for MIS managers to address in controlling cyber risks

Under the Information Sheet’s heading “Cyber resilience and operational systems risk management”, the FMA succinctly summarises its position on where licenced market services providers should already have arrived at with respect to cyber risks:

Part 6 FMC Act licensed entities (excluding benchmark administrators) should have effective cyber security and operational systems resilience controls, processes, policies and people capability in place.  This includes being aware of the risks that potentially impact their organisation including supply chain risk and understanding their own capabilities.  Entities should have appropriate governance, training, incident response management, reporting and remediation structures in place.

(Information Sheet, p. 3)

The Information Sheet uses a number of step-by-step headings to lay out what the FMA expects MIS managers to be prepared to implement before, during and after a cyber security incident:

1. Understanding cyber and technology systems resilience capabilities
2. Understanding the threat landscape and key risks
3. Supply chain risk
4. Governance
5. Training
6. Incident response and management
7. Reporting
8. Remediation
9. Post incident reporting

The FMA’s closest market services licensee touchpoints in the list above come in at items 6, 7 and 9.  For item 6 the regulator requires that, “FMC Act Part 6 licensed entities (excluding benchmark administrators) should have a key focus on preventing cyber attacks and mitigating technology incidents, and be able to demonstrate this by having effective key controls, governance, processes, reporting and frameworks in place” (ibid. p. 6).  Presumably during the course of a monitoring visit to a MIS manager, FMA officials could seek sufficient evidence to be provided as demonstration of this requirement.  With item 7, the FMA specifies that, “Entities should notify the FMA of any technological or cyber security event that materially disrupts or affects the provision of their regulated services, or has a material adverse impact on one or more customers … The notification should be provided to the FMA as soon as practicable. Where the incident is ongoing, the FMA should be kept up to date on status and recovery timelines until the incident has been resolved” (ibid.).  Regarding item 9, the FMA sets out that, “Once an incident has been contained and resolved, entities should conduct a comprehensive inquiry to understand the root cause. A post-incident report (PIR) should be provided to the FMA (separate from the initial notification) as soon as practicable after the entity has resolved the incident” (ibid., p. 7).

Particularly with respect to items 7 and 9 on the list, the FMA would be directly involved with an affected MIS manager in the aftermath of a cyber security incident and obtain detailed information via the initial and ongoing notifications and the PIR that could potentially lead to consideration of whether any licence breaches had occurred.  It is not necessarily the incidence of a cyber attack itself that would ring alarm bells at the regulator, but rather how well or otherwise prepared the affected MIS manager or other market services licensee were to react and respond appropriately and effectively.    Near enough will not be good enough for the licensee in such situations.  To be caught out unprepared or underprepared by a cyber or technological hazard will likely straight away arouse questions about compliance with licence conditions.  To cyber risk could be added regulatory risk for MIS managers and other licensees who have not met the licencing standards referred to and implied in the Information Sheet.

Conclusion

“Cyber security and operational systems resilience are now a permanent part of the business risk horizon that directors and senior management of MIS managers and other FMCA Part 6 licensed persons must keep before them,” said Matthew Band, General Manager of Corporate Trustee Services at Trustees Executors.

“MIS managers, including KiwiSaver providers, should be making sure that they are regularly reviewing their cyber security systems and policies, business continuity plans, and potential supply chain vulnerabilities from outsourced providers, and if need be undertaking ad hoc reviews as and when required.”

“Acting dutifully in the best interests of investors and meeting the good conduct expectations of the FMA must remain paramount values to protect and preserve in assessing and responding to cyber threats.”

“Nonetheless, MIS managers should be alert to other risks arising from cyber security obligations, such as regulatory risk from failure to comply with the FMA’s market services licence conditions.”

“It should be clear enough from what the Information Sheet canvases that compliance with licence conditions is the foundation upon which the FMA bases its expectations of market services licensees, including MIS managers, where cyber security is concerned.”

“As part of their duties and obligations concerning cyber risks, directors and senior managers of MISs and other market services licensees have been put on notice by the Information Sheet that matters such as cyber security policies and procedures, business continuity planning, and outsourced supplier risk management must be designed and assessed from the perspective of their compliance with licencing conditions.”

“Simply put, the yardstick of compliance with licence conditions must be applied by all MIS managers to help determine fitness for purpose of their cyber security measures.”

“Non-compliance of cyber security measures with licence conditions could expose MIS managers to breaches of their market services licences and resulting action by the regulator.”

“We expect that our supervised MIS manager clients have already read, absorbed, introduced and applied any new lessons that the Information Sheet has to teach them.”

“In respect of cyber security breach initial notifications, ongoing incident reporting, and post-incident reports (PIRs) to be provided to the FMA under its items 7 and 9 described above, we expect our supervised clients simultaneously to provide the same notifications and reports to ourselves as their Supervisor without delay or exception.”

“Due to the constant changeability of the cyber threat landscape, we will continue as before to ask our supervised clients about their cyber security situations at our regular scheduled meetings and seek evidence of cyber security compliance with market services licencing conditions.”

For comment or more information, or to be added to the free email subscriber list of “The Supervisor”, please contact Matt at [email protected].