The UK National Centre for Cyber Security annual report is out – what does New Zealand need to know? – JD Supra

[author: Peter Kelly]*
While New Zealand has its own National Cyber Security Centre, the UK National Cyber Security Centre is also a valuable source of information about the global threat landscape. The UK NCSC has just published its annual review, which provides insights that New Zealand organisations should take into account when making decisions that relate to their organisations’ resilience, and their governance of privacy and technology.
Because of the Ukraine war, the threat landscape as seen from the UK is dominated by Russia, with China a rising problem whose activity ‘has become ever more sophisticated’. In New Zealand, the relative risks may be the other way around. Even in the UK, the NCSC evaluates that ‘China’s technical evolution is likely to be the single biggest factor affecting the UK’s cyber security in the future’.
The UK NCSC notes that nation-state threats include the theft of intellectual property for commercial reasons and the theft of citizens’ personal information. Attacks on democratic institutions, such as electoral agencies, are also a concern.
The international political climate is unpredictable, and the threat level from nation-state actors may change rapidly. Organisations must maintain robust cyber defences in case the risk becomes even more acute. In 2021, the New Zealand Government noted that 30% of cyber-attacks could be linked to state-sponsored actors.
Ransomware is a pervasive and growing threat. In the year ending 31 August 2022, the UK NCSC co-ordinated the response to 63 ‘nationally significant’ ransomware incidents.
The NCSC reports that the UK’s new Information Commissioner, our own former Privacy Commissioner John Edwards, joined with the UK NCSC’s CEO in providing a ‘don’t pay ransoms’ message to the UK Law Society and Bar Council.
In New Zealand, official government policy is not to pay ransoms, and private organisations are ‘strongly encouraged’ not to pay – although there is no express statutory prohibition on doing so. Unless and until there is, our view is that when faced with a ransomware demand, New Zealand directors must make a case-by-case decision as to what is in the best interests of the company – taking into account also the risk that payment of a ransom may implicate other legal obligations (such as prohibitions on the financing of terrorism).
See our earlier article here for further commentary on the issues raised by ransomware.
New Zealand organisations should:
*Solicitor in our commercial, technology, and privacy team.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Dentons | Attorney Advertising