The Reserve Bank of New Zealand has told Parliament that the COVID-19 pandemic led to delays to key cyber security projects, but did not have a role in December's malicious hack.
In its annual review, the bank said that in June 2019 it had approved one of its largest investment programmes, the digital services delivery programme, to uplift technology capability and improve the resilience of existing IT platforms.
"At that time, a programme plan was established which included a number of technology and organisational capability streams to be implemented over two years," the bank told Parliament's finance and expenditure committee.
This included moving the on-premises datacentre to a private cloud and implementing cyber security improvements through a managed security operations centre.
However, during the first 18 months of the programme, changes to timelines and sequencing were made.
For example, a data management and encryption project was delayed due to the COVID-19 pandemic and "minor technical issues". This project aimed to improve the level of security protection of the bank by ensuring only authorised users could access systems and data.
The project is due to restart in February 2021.
Similarly delayed due to the pandemic was a device endpoint protection project. This aimed to ensure cyber security protections were in place for bank equipment located in Datacom-managed datacentres and for devices used by staff.
This restarted in December.
A project to ensure appropriate cyber security protections were in place to reduce the risk of events such as virus or malware was also delayed and is recommencing this month.
Another project, to automatically capture alerts from internal IT networks when the service becomes unavailable or in the case of significant network infrastructure events, was also delayed and restarted in November last year.
"The changes in the programme did not affect the scope or expected benefits which are on track to be delivered within the timeframe and budget," the bank told MPs.
"They also did not affect the security of the stand-alone third party application that was subject to the recent malicious data breach."
No other bank systems had been compromised in the breach due to the stand-alone nature of that file transfer application, a legacy application from US software vendor Accellion used to share documents with businesses and other entities the bank regulates.
Accellion and the bank are at odds over how the known vulnerability and a patch to fix it were notified. This week the bank said it was not notified of the breach of the Accellion file transfer application for five days.
Regulatory initiatives were also delayed, including the development of cyber resilience guidelines for all of the bank's regulated entities.