Terms of reference for independent review of data breach
The Reserve Bank of New Zealand – Te Pūtea Matua has released the Terms of Reference for an independent KPMG review of Bank processes following the malicious, illegal breach of a third-party file-sharing application.
Governor Adrian Orr says the review is in addition to the forensic and criminal investigations still under way, with a focus on improving systems and work practices.
“The recent attack on the externally facing system used by the Bank revealed some service provision shortcomings and lessons for us on how we protect and manage the information we need to do our job.
“We’ve asked KPMG to take a wider view of how the Bank manages information and what improvements we can make.
“Just after the breach, I apologised for falling short of the standards expected by our stakeholders, and the standards we set for ourselves. This KPMG review is just one of the ways we are working to put that right.
“As this malicious attack demonstrates, cyber threats need to be taken seriously by all organisations - and preparedness and responsiveness are key. As we respond with pace to this breach, we are being well supported by domestic and international cyber security experts, and relevant authorities and counterparts.
“We continue to work closely with the organisations whose files were illegally downloaded and I would like to reiterate my thanks for their continued support and cooperation,” Mr Orr says.
Last year, the Bank appointed Deloitte to investigate the accidental early disclosure of details of one of its new monetary policy tools. Mr Orr says while it was a different matter, it also looks at how the Bank manages information.
“The two were unrelated incidents, but there will be lessons from each and it makes sense to consider the two reports together when they are both completed,” says Mr Orr.
“A new secure file transfer system is expected to be in place next month, and the Bank expects to receive the KPMG review by the end of March. We will continue to be as transparent as possible, being mindful of privacy and issues of commercial sensitivity, as well as the ongoing criminal investigation,” says Mr Orr.
Ongoing updates on the investigation process will be provided via the Reserve Bank Data Breach Response page.