Building operational resilience
In recent years, we have been looking closely at the operational resilience of our market services licensees. We have been concerned about the rapidly developing sophistication of cyber threats and the increasing volume of technology incidents and remediation activity reported to the FMA.
We work closely with the Reserve Bank of New Zealand (RBNZ) when engaging with dual-regulated entities on operational issues. Specifically, when dealing with incidents we coordinate with the RBNZ to identify collaboration opportunities to streamline engagements with the entities and minimise regulatory burden.
When thinking about operational resilience, we recommend you consider the following factors, some of which are also licence obligations for most market services licensees.
Governance
Appropriate governance, alongside training, incident response management, reporting and remediation structures, is fundamental to ensuring the operational resilience of critical technology systems.
Boards and senior management should have a strong understanding of the state of their operational systems and technology and commit to continuously enhancing this to align with the changing risk landscape. Where improvement or remediation is required, boards and senior management should ensure there is sufficient capability and resourcing available.
Understanding key risks
We recommend you understand the maturity of your technological systems and regularly review them to identify potential weaknesses. This can include reviewing whether technology systems and their controls are operating effectively and as intended, through adequate testing and quality assurance.
You should frequently review your outsource providers to assess their criticality. This can involve identifying key services and assets which, if compromised, would cause significant risk or disruption to your business and its activities, or impact on your customers. Once critical assets and services have been identified, any associated risks can also be assessed. Processes and controls to mitigate the risk of an incident, such as contingency plans, can then be built around the criticality of each asset/service.
We recommend you also consider if the information held or processed by outsource providers is confidential or sensitive.
Cyber resilience
Cyber risks encompass any potential risk of loss, disruption, or damage an entity may experience due to a failure in its information technology systems. Cyber resilience is an important part of wider operational resilience.
We suggest you take steps to understand and regularly review your cyber resilience, in order to identify vulnerabilities specific to your business. Cyber security controls, processes and policies should be reviewed, tested, and updated frequently, especially in light of any changes in your licensed market service, or trends in the threat landscape. Similarly, you should monitor for any alerts that may critically impact your outsource providers. As with the self-assessment exercise in the FMA’s 2019 thematic, you can use a recognised cybersecurity framework to evaluate your cyber resilience (for example the NIST Cybersecurity Framework).
Business continuity planning
To ensure you can resume operations without undue delay following a disruption, you should establish and maintain a robust business continuity plan (BCP) with well-defined roles, responsibilities, and accountabilities. This is a requirement under the standard conditions of most market services licences.
Your BCP should include documented procedures that are tailored to the size and/or complexity of the service and/or product you provide, and can guide how you respond, recover, resume, and restore operations to a predefined level following a disruption. Your BCP should be reviewed, tested and updated on a regular basis to align with emerging risks or changes in the threat landscape – and at least annually.
Incident response management
When responding to an incident, you should immediately enact your business continuity and incident management plans. This will ensure clear roles and accountabilities are in place to support your response to and recovery from the incident, so that your operations can resume without undue delay. These plans should help manage communication with customers and other stakeholders during the incident, as well as support you to carry out remediation activity for impacted customers.
For material operational incidents, you should also consider your reporting obligations to the FMA.
Post incident reporting
Once an incident has been resolved, we recommend you conduct a thorough inquiry to understand the root cause and capture it through a post incident report (PIR). A recovery timeline and the progress of the remediation, including any customer remediation, may also be included in the PIR.
Entities may consider engaging a third party to conduct an independent review to ascertain the cause of the incident, especially where technology and cyber capability is not available within the entity.