Adrian Orr (Reserve Bank of New Zealand)
After a major data breach in 2020, Reserve Bank governor Adrian Orr is claiming a significant improvement in the bank's cyber security posture.
Orr told Parliament's finance and expenditure committee last month the bank had achieved a "significant successful uplift" in cyber security and was pleased with the outcomes.
"We had the external report around what we should be doing, and I can tell the committee that all of that has been done; likewise from the Office of the Privacy Commissioner," he said, according to a draft transcript.
"We were given a list of improvements we needed to make, and we’ve received a sign-out to say they’re all on board."
Attackers gained access to a large number of sensitive documents after successfully targeting the bank's Accellion file sharing software over Christmas 2020. The hack was part of an international spree that saw many other organisations compromised.
More than a year before the breach, the bank had already recognised it was at "high operational risk" due to technical obsolescence and an underinvestment in security.
The bank was upgrading its Accellion software to the latest version, dubbed Kiteworks, when the breach occurred. It later scrapped the upgrade and replaced Accellion with a file transfer system from Box.
While the Box rollout appeared to be on time, the bank reported it was projected to cost around $3.7 million, nearly a million dollars more than an initial project budget of $2.8 million.
The bank was also rolling out an Azure landing zone, which provides cloud adoption teams with an environment to manage and run workloads, at a cost of $1.4 million after initially estimating a cost of $209,224.
It was, however, the cost of a website redevelopment that caught one committee member's eye.
"When you released the Monetary Policy Statement, your final message to New Zealanders was that they could have a sensibly spending Christmas," National MP Nicola Willis observed to Orr.
"Do you think the Reserve Bank has acted consistently with that message given, in the past financial year, the Reserve Bank spent $4.5 million on an office refurbishment, and it spent $5.6 million on a new web site?"
"Yes, I do believe we have spent sensibly," Orr responded. "We’ve followed all necessary procurement processes. These are investments to attract, retain, motivate, and achieve our mandates."
Willis went on to describe $5.6 million for a new website as "pretty steep".
Orr then passed the the question over to the bank's assistant governor and general manager for finance Greg Smith.
"Look, I think I’d note that we ran a robust procurement process, and when you think about our website, it is a critical stakeholder engagement tool for the organisation," Smith said.
"It is not your bulk standard website. So we have to invest, and invest properly, in doing that, particularly around security."
Smith said he was confident the bank's procurement processes were robust and it was getting value for money.
Willis then asked whether a competitive, open procurement process had been undertaken.
"There was a procurement process," Smith responded. "We ran an RFP [a tender]."
"Was it open and competitive?" Willis pressed.
"I’d have to check on that, because it was before my time," Smith said.
"I think you’ll find it wasn’t," Willis said.
Later in the proceedings, Willis played her trump card and called for a point of order.
"I just seek to table that, according to the document I have under the Official Information Act, the vendor for the website was identified via a closed tender procurement process," she told the committee.
Also during the 2022 financial year, the bank inked deals with Datacom to roll out Palo Alto Prisma Access SaaS worth $1.2 million and with NTT NZ for a Microsoft Cloud software and service agreement worth $1.5 million.
Palo Alto says Prisma Cloud SaaS protects organisations from the use of unsanctioned SaaS applications and maintains compliance while defending against threats.
