Cyber breach illustrates need for insurance

NZILA President’s message – Myles Noble

The Reserve Bank of New Zealand – Te Pūtea Matua has been hit by a serious data breach.

The incident exemplifies the massive ramifications of data breaches. They affect organisations’ budgets through costs of forensic and IT investigations, plus staff time in indentifying and rectifying issues, and third party costs to investigate and assist in mitigating losses.

Reputation is easily lost and hard to restore. Rebuilding public confidence in any organisation that suffers a major breach is a long-term, intensive exercise.

RBNZ has now released terms of reference for an independent KPMG review of bank processes following what it describes as “the malicious illegal breach” of a third-party file-sharing software application used to share and store sensitive information.

The bank said the nature and extent of information that was illegally downloaded was still being determined, but it may include commercially and personally sensitive information.

Bank Governor Adrian Orr says the KPMG review is in addition to forensic and criminal investigations in progress and will focus on improving systems and work practices.

“The attack on the externally facing system used by RBNZ revealed some service provision shortcomings and lessons for us on how we protect and manage the information we need to do our job. We’ve asked KPMG to take a wider view of how RBNZ manages information and what improvements we can make,” he said.

Governor Orr says cyber threats need to be taken seriously by all organisations, and preparedness and responsiveness are key.

Governor Orr was on the front foot from a reputation management perspective with an apology. He said: “While a malicious third party has committed the crime, we believe RBNZ has fallen short of the standards our stakeholders set for us and we apologise for this unreservedly.”

RBNZ has told stakeholders and the NZ public it is conducting a detailed forensic cyber investigation involving domestic and international experts. The immediate focus is working with system users and those who may have had their information illegally downloaded.

It has assured New Zealand that the bank’s core functions, and the nation’s financial system remain sound. “RBNZ is open for business, including market operations and management of the cash and payments system,” its website states.

RBNZ has demonstrated maturity in its approach to the breach, which likely suggests it had a disaster management team in place, which it could mobilise immediately the breach was identified.

As Governor Orr says, preparedness and responsiveness are the keys to mitigating the losses, including reputational damage. Clear, concise communications with all stakeholders are essential.

You can view the Governor’s immediate response on YouTube here.

Read the latest updates from RBNZ here.

Cyber insurance is an option all organisations should consider. It can be an essential element of a risk management strategy to avoid the serious ramifications of a data breach and associated losses. Despite this, it remains, in the NZ market, an area where many organisations are uninsured. Only an estimated 5% of NZ businesses hold cyber cover.  
 

NZILA events program

NZILA already has plenty of events in progress for 2021.

We will deliver a new series aimed at a younger audience – 1.5 hour sessions to network and meet industry leaders over morning tea. They will be delivered in Auckland, Wellington and Christchurch, starting in April. Check out the events page on the NZILA website for further details.

NZILA will continue to deliver free webinars for members over the next six months and have recordings available afterwards.

The annual conference is confirmed for 15-17 September 2021 in Queenstown. Work is being finalised on the program to ensure the most relevant and up-to-date topics and themes are presented. More details soon.