Auditor-General John Ryan.
Credit: Supplied
The Auditor-General is among a trio of oversight and sector strategy bodies planning to target cyber security risks in the coming financial year.
"In 2022/23, we intend to carry out work looking at the governance of cybersecurity risk preparedness and response in selected public organisations," the Office of the Auditor-General wrote in its draft annual plan, which was presented to Parliament last month..
During the year, the watchdog planned to carry out a performance audit to understand how well a small number of selected public organisations govern cybersecurity risk preparedness and response within their organisations.
"'That work will include looking at the extent to which that governance relies on, and is informed by, the Protective Security Requirements, including the work of the National Cyber Security Centre and other relevant organisations," the draft said.
Information security was becoming increasingly complex as technologies continued to evolve and it could be challenging to keep up to date with the the associated risks, the Auditor-General told Parliament.
"Managing information security risk well is essential to protect the public sector’s critical information assets. Information security failures can undermine public trust and confidence in the public sector.
"It is important that government departments, Crown entities, and local authorities have an effective approach for managing this risk."
The Reserve Bank, which was itself a victim of hacking early last year, is also concerned about cyber risk to the financial system, which increasingly delivers services online.
"Cyber attacks are an emerging feature of geopolitical conflict," the bank wrote in its latest financial stability report, released this month.
"The trend towards online delivery of financial services has accelerated with the COVID-19 pandemic. Given this, and the increasing sophistication of cyberattacks, cyber risks are elevated for financial institutions and infrastructure."
This highlighted the importance of adequate investment in cyber resilience in the financial sector.
During the past six months, interagency cyber-attack response protocols had been developed through the Council of Financial Regulators to enhance coordination between relevant agencies and support industry in their own responses, the bank wrote.
In addition, a cybersecurity standard would be developed for designated financial market infrastructures under the Financial Markets Infrastructures Act. This would be principles-based and focused on governance and risk management, rather than technical aspects of cybersecurity.
"We will soon begin consultation on cyber data collection," the bank wrote. "The consultation is focused on cyber incident reporting, broader organisational cyber capabilities, and governance and risk management practices."
The Infrastructure Commission is similarly concerned about its stakeholder's readiness, according to a new strategy presented to Parliament this month.
"Our regulatory system is being outpaced by new technologies that are changing what’s traditionally thought of as ‘infrastructure’ (such as cloud storage) and the risks facing it (such as the infiltration and/or compromise of those data sets).
"The increasing complexity of and connectivity and co-dependency between different types of infrastructure (such as information technology systems for remotely managing water and electricity networks) also come with cyber security risks."
A compromise to information technology systems, therefore, could affect the ability to deliver water or electricity.
"New Zealand should adopt a best practice approach to cyber security, with clear standards for critical infrastructure assets to ensure they’re protected and resilient," the commission's 2022 - 2052 strategy document recommended.
"The management of cyber security risks needs to be a component of the Digital Strategy for Aotearoa. This could be strengthened to ensure owners of critical infrastructure put the right measures in place to protect against cyber risks to information and operational technology."
Gloss