Wednesday, 8 May 2024


By Chris Faherty, Tony Vizza and Pauline Pura

It’s almost a year since New Zealand’s Financial Markets Authority (FMA) released its consultation paper to introduce new financial licence conditions aimed at protecting finance and investment firms from cyber-attacks and technology outages.

The FMA has long been concerned about the increasing extent to which customers are impacted by these issues at financial services firms, which are popular targets due to the valuable data they hold, especially sensitive personal and financial customer details.

In response to the heightened risk, the FMA is implementing a business continuity and technology systems licence condition for a range of market service licences[1]. This is part of its staggered roll-out of technology-related licensing requirements across its regulated sector to safeguard the continuity of services provided to consumers and investors.

The change will apply to a range of financial services licence holders, including investment management firms, managers of registered schemes (excluding restricted schemes), discretionary investment management service providers, derivatives issuers and peer-to-peer lending and/or crowdfunding service providers.

The changes will mean that licence holders will be required to maintain a business continuity plan suitable for the size and scale of their services and maintain the operational resilience of their critical technology. This means licence holders will need to understand the technology risks facing the business and keep plans and programmes up to date and appropriate to meet business needs. The new condition also means licence holders must report incidents that materially affect the operational resilience of their critical technology systems to the FMA within 72 hours.

Licence holders are expected to comply with the new standard condition by 1 July 2024. The standard condition is not new to the financial services industry, but it gives licence holders just two short months to implement what may be a major change for many.

This short window of time means that licence holders must act quickly. Impacted licence holders should make it a priority to review their current business continuity and technology capabilities. This will help ensure they can meet the requirements by the deadline and reduce the risk of non-compliance with the licence conditions.

Affected organisations should take five steps before 1 July:
  • Assess cyber security capability and maturity against a recognised framework such as the NIST Cybersecurity Framework, Australian Signals Directorate Essential Eight Maturity Model or ISO 27001.
  • Conduct an expert independent review of your technology and cyber security controls.
  • Make sure you have a business continuity plan that you review, update, and test.
  • Develop and practise your incident response plans from end to end, including regulatory reporting.
  • Provide expert training to senior leadership on cyber security risks facing the organisation.

These changes are a big step in the right direction for New Zealand’s financial services regulatory landscape, creating better alignment to Australia’s regulatory requirements. Just as important, they are an equally big step forward in protecting consumers from cyber and technology risks, and a strong reminder to undertake expert risk assessments and make ourselves as secure as we can.