New Zealand: Adopted FMA FMI Standard 17C

On 1 March 2024, the Financial Markets Authority (FMA) adopted the FMI STANDARD 17C, a Cyber Resilience Standard for Financial Market Infrastructures (FMIs). The standard mandates every operator of a designated FMI, as specified under section 29(2)(f) of the Financial Market Infrastructures Act 2021, to ensure the maintenance of cyber resilience in alignment with the FMI’s exposure to cyber risk. It encompasses operators within various classes of designated FMIs, including pure payment systems, central securities depositories, securities settlement systems, and central counterparties. The regulation, enforced by the Reserve Bank of New Zealand (RBNZ) and the Financial Markets Authority (FMA), requires these operators to adopt a comprehensive, adequate, and credible cyber resilience strategy and framework. The framework must be based on internationally and nationally recognised guidelines, align with the FMI’s business objectives, and be commensurate with the FMI’s cyber risk tolerance. Additionally, it outlines the governance of cyber risk management, mandating the board of directors ultimate responsibility for the FMI’s cyber resilience, and stipulates the review of compliance through external assurance engagements by qualified auditors.