IoD Rules Review

Reminder for IoD members: Have your say on the proposal to change the IoD Rules. Log in for more information.

COVID-19 updates

NZX cyber attack a wake-up call for directors

Aura GM Peter Bailey says the FMA’s report on the cyber breaches at the NZX serves as both a warning and an opportunity for directors to improve their cybersecurity settings.

By Aura Security
29 Jan 2021
read time
1 min to read
Red alert buttons

Yesterday, the Financial Markets Authority (FMA) released its review of the 2020 NZX cyber attacks, concluding that the stock exchange had insufficient technological resources to meet it duties as a licenced market operator.

Aura GM, Peter Bailey:

It’s not often the wider business community gets to see a report on a cyber-security breach at a large New Zealand organisation. The report presents an opportunity for directors and management to learn from the mistakes made and what they can do to strengthen their own organisation's cybersecurity systems.

For directors, the FMA report should be a welcome wake up call.

I think many organisations would be embarrassed if placed under similar public scrutiny. But, with the recently enacted Privacy Act 2020 there is now a very real risk that a cyber breach (even a small one) might mean inadequate security practices are made public, or at the very least will need to be explained to impacted customers. 

This should make some companies very nervous, and they should be thinking long and hard about their security posture. Hopefully, the FMA report and commentary on the recent Reserve Bank cyber attack, will remind boards of their obligations and some of the simple things they need to do to stay safe.

Understand your risk level

Just as you would know where your organisation's health and safety issues lie and what you are doing about them, you should understand your cyber risk profile in much the same way. This means understanding your business, the sector you sit in, and what additional threat this carries.

Ensure you’re properly resourced

Many organisations still don’t budget for cyber security, or just lump it in with the rest of the IT budget. If you are going to achieve your desired security level, then you must fund it appropriately. If you don’t, you need to be clear what the risk is of doing nothing, or only partly resourcing it.

If a breach occurs because of an issue you knew existed, you are probably in for a difficult conversation with those whose data has been affected, or whose access has been halted.

Plan and practice

Make sure you have a plan in place if the worst should happen, and that you have practiced it. Unfortunately, it’s not “if” you deal with an attack, it’s “when” you deal with an attack. The better prepared you are, the faster you can react, protect your assets, and get back to business as usual.

Additional resources


Author: Peter Bailey, GM Aura Security

Aura logo

Related content