New Zealand's competition watchdog, the Commerce Commission, is cracking down on third-party contractors following an embarrassing security breach in October 2019.
The commission called in the police after highly sensitive documents were lost when a third-party service provider was burgled and PCs were stolen.
More than 200 meeting and interview transcripts across a range of the commission’s sensitive work were contained on computer equipment stolen in the burglary.
"As an initial immediate step after the incident, the commission implemented an interim security assurance process for all third-party contractors," the commission told Parliament this month.
"We sought assurance from all contractors so that we could be confident our security expectations were being met.
We also put additional interim security obligations in all contracts, which was over and above what was present in the more generic contract templates being used."
One of two reviews into the incident, by Richard Fowler QC, pointed out that: "Lawyers think that just because it is in a contract it will happen and we are surprised and dismayed when it does not."
The risk of exactly that happening could only be properly minimised by the commission taking back more control, Fowler said in concluding his report.
Some of the commission's responses do just that.
"We have taken additional steps relating to some areas of our work by requiring contractors to work on-site at the commission or with commission owned devices rather than using the vendors’ technology," the commission said.
In addition, the commission now has two staff focused on security, including information security arrangements with contractors, and has introduced new information governance procedures.
KPMG also reviewed the incident.
"A reconciliation of the KPMG review (which contains wider recommendations) with our ongoing security programme demonstrates that we are in a 'good space' in terms of overall progress," the commission said.
"The recommendations from the review have been addressed via policy, process improvements, and control technology deployment.
"We have established governance oversight for security, developed and enhanced management and staff practices and employed subject matter specialists to assist with the programme."
The commission said it was reviewing policies and procedures regarding security and privacy standards for contractors; taking a further more-detailed look at contractual settings; and developing a specifically tailored assurance process to ensure all vendors and contractors were contractually obliged to meet commission information, security and privacy standards.
"The commission is confident that the security improvements that have been implemented will reduce the likelihood and consequences of incidents and breaches," it reported.
"However, no security measures can completely remove all risk."