In April, Russell McVeagh together with the Trans-Tasman Business Circle, hosted a special panel discussion in advance of New Zealand's cyber security business delegation to Israel in June. The panel discussion was led by Paul Ash (Director of New Zealand’s National Cyber Policy Office), Kendra Ross (co-founder and Director of Duo New Zealand Limited and PSDuo Limited) and David Eaton (Director of Magnum Consulting and a board member of CERT NZ), and moderated by Martyn Levy (Strategic Adviser to the Trans-Tasman Business Circle).
We took away some insights from the discussion:
- Corporate governance – Boards are still grappling with how to manage cybersecurity risks – some suggest that cyber security should not just have one line allocated to it in a wider risk matrix, but have a dedicated risk matrix dealing with its many facets.
- Sharing learnings – There were mixed views as to whether it should be made legally mandatory to report significant cyber-attacks. While it would facilitate the sharing of information and learnings, the concern was that thresholds and reporting requirements might be 'gamed' as entities see being subject to an attack as attracting significant reputational risk (we note that proposed amendments to the Privacy Act would introduce mandatory notifications of data breaches involving personal information).
- Support from Government – It was hoped that CERT NZ, newly launched by the Government in April 2017, would play a significant role in providing support to businesses in their response to cyber security threats.
The model of seeking to protect all digital assets and information with an impenetrable wall of security would be impractical, given the speed of introduction of new technology used by cyber criminals. The more practical and common approach is the National Institute of Standards and Technology's Cybersecurity Framework, namely to identify the most valuable assets, protect them with specific and targeted measures, detect attacks, respond and recover
There are significant cyber intrusion attempts against New Zealand organisations every day. The priorities for Government are not only protecting our IP, but also mitigating the corrosive effect that cyber-attacks could potentially have on confidence in the 'social contract' and the democratic system. While the Government's policies are aimed at providing security as an enabler of economic growth, the difficulties of attributing a cyber-attack to particular individuals, and of therefore understanding their motives, mean that the main focus is necessarily on defence, and increasing the costs associated with a successful attack.
Future threats and opportunities
Online identity (eg responses to stimuli/genetics), encryption, quantum computing and the prevalence of the internet of things are likely to present both risks and opportunities in the future. The challenge, both for the Government and private sectors, is that technology in the area is evolving faster than the security solutions.
Given the significance of the issue, there is shortage of people qualified in identifying and managing cyber security risks. As a country, we need to find ways to address this shortage, including by setting up training programs for school leavers and existing staff, the key being to ensure that those involved in managing that risk for a business understand the business well, including the day-to-day operations that might be vulnerable to cyber- attacks.
Business opportunities in the sector
With need comes opportunities – cyber security might present New Zealand companies with opportunities to develop and export new products and services that can help combat cyber risks.
Please contact Mei Fern Johnson (Partner), Michael Taylor (Senior Solicitor) or Varoon Kumar (Senior Solicitor) if you would like to discuss.