The Commerce Commission has reviewed and overhauled its supplier engagement processes after a report into the theft last year of an external provider’s computer equipment containing more than 200 meeting and interview transcripts.
The stolen computer equipment at the centre of the security incident is thought to have contained a range of documents relating to the Commission’s work, including some confidential information from businesses and individuals.
Now, the Commerce Commission has released two reviews into the October 2019 security incident, accepting all findings and recommendations.
The first report, by Richard Fowler QC, looked into the circumstances of the specific incident and, according to Commission Chair Anna Rawlings, found that the external provider whose computer equipment was stolen was “plainly” in breach of certain contractual obligations.
“The report finds the external provider was clearly under contractual obligations with regard to information security and the retention and disposal of confidential material, that they understood these obligations and were plainly in breach of them,” Rawlings said.
“While this incident resulted from criminal activity and our provider failing to meet its obligations, it is our job to keep sensitive information safe and we take responsibility for that.
“There was more that the Commission could have done to ensure the contractor complied with their obligations and Mr Fowler QC has made some recommendations on how we could better mitigate the type of risk raised by the security incident,” she added.
The second report, by consulting firm KPMG, looked into the Commission’s information management and security, including information held by or accessible to third-party suppliers.
“KPMG found that the Commission has a moderate overall level of maturity in security and noted that the majority of its findings are consistent with what it sees in many other public and private sector organisations,” Rawlings said.
“It found a strong information security culture and awareness among staff but also makes recommendations for improvements in a number of areas including policies, procedures and work practices and our management of external providers,” Rawlings said.
“We accept the findings and recommendations from both reviews. We have already made a number of improvements in the areas identified by Mr Fowler QC as directly related to the security incident.
“We are also embarking on a broad-ranging information management and security programme, to help ensure that those we interact with can continue to have confidence in our ability to protect confidential and commercially sensitive information provided to us,” she added.
The changes already implemented by the Commission include terminating its contract with the external provider and having the work done in-house by Commission staff, or on-site by external providers using Commission devices.
Additionally, the Commission has contacted current and past suppliers of services to seek assurances they have appropriate security processes and protocols in place and to obtain details of those processes and protocols.
It has also recruited a procurement manager to improve contract management and is reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, as well as changing the internal contract approvals process.
Moreover, the Commission is making a number of changes to improve the way information is exchanged with external providers and third parties.
The Commission has also committed to voluntarily adopting the government’s Protective Security Requirements.
“These measures, together with the information management and security programme, respond to the findings of the reviews and reflect the Commission’s commitment to continued improvement of our overall information security maturity,” Rawlings said.