FMA ups the ante on cyber security

This article was current at the time of publication.

Accountants and their clients need to be on high alert to threats from cybercriminals. CPA Australia has a range of cyber security resources to help. 

Cyberattacks rose sharply in the first quarter of 2022, and the Financial Markets Authority (FMA) is advising financial services firms to make cybersecurity a priority.

Government cybersecurity body CERT NZ recorded 2333 incidents in the March quarter.

Of the 167 affected organisations, 91 were reported by financial and insurance services firms. 

At the CYBERUK 2022 conference in May, NZ National Cyber Security Centre (NCSC) Director Lisa Fong called a doubling of attacks by non-state actors the “top of the worry list” for New Zealand.

[These are ] “sophisticated tools in the hands of criminally motivated actors, which is a real change from earlier years,” Fong said.

In 2020-21 the NCSC recorded a 15 per cent rise in “incidents with a national impact” – broadly, those with a potentially high impact or affecting organisations of national significance such as financial institutions or those operating critical infrastructure.  

Of the incidents reported to CERT NZ, the largest category of attacks was “phishing and credential harvesting” with 1370 incidents. Scams and frauds ranked second at 565 attacks and malware third at 228. 

Phishing and new threats

Phishing tries to mimic authentic communication from a trusted source, usually through an email or short messaging service.

It’s low-cost, doesn’t require significant technical ability, and targets thousands of recipients rather than individuals. It relies on a few falling into the trap by exploiting emotional responses such as fear or urgency or using current events such as the Covid-19 pandemic to make communication seem plausible.

The FMA is reminding organisations under its regulatory umbrella that the terms of their licences require them to manage technology risks.

It says there “appear to be shortcomings in the cyber resilience and operational systems” among entities it licences, including underinvestment in technology and use of unsupported or legacy systems.

Financial Markets Conduct Act 2013 (the Act) entities licensed by the FMA must “have at all times adequate and effective systems, policies, processes and controls that are likely to ensure you will meet your market services licensee obligations in an effective manner”.

Souped-up protection for financial advisers

For financial advice providers, the FMA’s licence conditions prescribe specific obligations for business continuity and technology systems.

These include implementing information security that includes safeguarding the integrity, confidentiality, and availability of client information.

Auditors also fall under the FMA umbrella if they perform audits on the Act’s reporting entities such as NZX-listed companies, banks, insurers and credit unions.

The FMA recommends entities self-evaluate their cyber resilience against the US National Institute of Standards and Technology Cybersecurity Framework.

Also useful is the Reserve Bank of New Zealand Guidance on cyber resilience and CERT NZ Critical Controls 2022. The FMA recommends regulated entities subscribe to CERT NZ Alerts.

At a minimum, CERT NZ advises all firms to protect themselves by implementing two-factor authentication (2FA).

It says the international consensus is that nearly all account compromise attacks would be thwarted if 2FA was used.

“[0ur] data shows that in the first quarter of this year alone over 65 per cent of compromised accounts … could have been prevented if they had 2FA in place.” 

The agency is also warning businesses and individuals to ensure they use strong passwords.