Proposed standard condition to improve cyber resilience

28 July 2023

The Financial Markets Authority (FMA) is consulting on a new standard condition to improve the operational and cyber resilience of certain licensed entities.

It would apply to the following licence holders under section 389 of the Financial Markets Conduct Act 2013:

  • Managers of registered schemes (excluding restricted schemes);
  • Providers of discretionary investment management services;
  • Derivative issuers; and
  • Prescribed intermediary services (such as peer-to-peer lending and crowdfunding service providers).

They would be required to implement and maintain a regularly tested business continuity plan (BCP) and notify the FMA of any event that materially impacts the operational resilience of critical technology systems (such as a cybersecurity incident) within 72 hours.

The 72-hour timeframe would begin from the discovery of the material event, including any adverse impacts on consumers of, or investors in, the licensee’s market services. Although shorter than the 10-working-day period for licensed financial advice providers, the 72-hour period aligns with the standard conditions for financial institutions and with the Reserve Bank of New Zealand’s proposed mandatory reporting requirements for material cyber incidents.

Submissions close on 1 September 2023.

If you would like more information or assistance with making a submission, please get in touch with one of our experts.
