The Federal Bank's response to the data breach

May 31, 2021 08:23 GMT

The Reserve Bank of New Zealand has announced the findings of two independent investigations into an illegal data breach and the handling of sensitive information. 

Reserve Bank Governor Adrian Orr states: “The Bank accepts the findings and has, and will continue to, implement the recommendations.”

“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritised these initiatives consistent with the recommendations outlined in the reports.”

On December 25, 2020, the Reserve Bank was the victim of a cyber-attack on the third-party application it uses to share and store information. Following that, KPMG was hired to conduct an independent examination of the bank's rapid response to the security breach and to find areas for improvement in the bank's systems and processes.

Orr also said that while the Reserve Bank was the victim of a widespread unlawful attack on the file-sharing system, it accepts full responsibility for the deficiencies identified in the KPMG report.

“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”

According to KPMG, there are controls and practices within the bank that need to be improved, and this is being done. The damage would have been less if these practices had been in place at the time of the unauthorized breach.

Background 

In late 2020, the Bank commissioned Deloitte to conduct an independent investigation to help New Zealand’s Reserve Bank improve its management of sensitive information. This followed two incidents where sensitive material was incorrectly retained in a draft internal report and disclosed to a small group of financial services organizations shortly before it was made public. Initiatives are also underway to implement the report's recommendations.

The total cost of the security breach response, including internal resources, is estimated by the Bank to be approximately $3.5 million. The Bank's base budgets covered all costs associated with the incident.

In January 2021, the Reserve Bank revealed a data breach of a third-party file-sharing application, Accellion FTA, that was used to share and store information. The Bank hired KPMG to conduct an independent evaluation of its systems and processes as part of the investigation into the incident.