Lisa Fong (NCSC). Credit: Supplied

CERT NZ has now joined the National Cyber Security Centre (NCSC) in a move designed to create a one-stop cyber security shop and to protect users' data.

For now, however, CERT NZ's operations would continue as normal, NCSC head Lisa Fong said.

“This initial shift has been designed to minimise disruption to customers, with the move simply transferring CERT NZ’s operations and staff from the Ministry of Business, Innovation and Employment to the NCSC,” Fong said late last week.

“We will shortly begin work to design a new integrated operating model that uses our enhanced scale and capability to provide a stronger cyber security system and improved customer service for New Zealanders."

Over time, the two organisations would move towards becoming a single integrated operational agency, similar to those operated by Australia, the UK and Canada.

In July, Minister for the Public Service Andrew Little told Parliament the Cyber Security Advisory Committee, or CSAC, had found the cyber security system was fragmented, creating what CSAC described as a "merry-go-round experience" for business victims.

It also did not present a safe experience for Māori, he said, "especially when information sharing goes unchecked".

CSAC recommended the creation of a single front door to provide authoritative advice and respond to incidents across every threat level, Little said.

"It said this would be best achieved by merging CERT NZ and the NCSC, in part because the NCSC is subject to robust legislation to protect individuals and users' data, whereas the previous government did not put the same protections around CERT NZ when they established that organisation," he said.

CSAC, which was chaired by an early leader of TradeMe, Mike O'Donnell, was established in December 2021 to advise on the role government could play in lifting cyber-security capability.

In a report dated March 2022, it found CERT NZ was very responsive but not seen as that useful, practical or proactive.

"Feedback suggests a mismatch between the generic services offered and the more specific resources desired," the report said.

"It is also unclear if MBIE – which we understand was meant to be a temporary ‘home’ for CERT back in 2016 – is in fact the right home."

NCSC was also fairly quick to respond to victims but did not rate well in terms of usefulness, practicality or proactivity, CSAC found.

The merger and the process that produced it were controversial.

Cyber security figure and entrepreneur Kendra Ross said there had been little consultation about the changes, there was a lack of strategy and it appeared to be happening because "that was how it was done in other countries".

Ross recommended keeping a neutral and independent organisation that all would trust.

"We would not recommend it sit inside an intelligence organisation which, even though it does have NCSC for Critical Infrastructure, is not truly outward facing," she said.

In a LinkedIn post she said it was time to develop a Kiwi cyber security strategy and to provide clear roadmaps, vision, goals and directions.

"Currently we are in an untested driverless car making bad decisions that will only reduce trust in the market and internationally," Ross wrote.

Both CERT NZ and the NCSC had ambitious programmes of delivery underway, and would continue that work, CERT NZ director Rob Pope said last week.

“We look forward to providing a more integrated range of products and services to New Zealanders.”

Among CSAC's other recommendations were:

Specific recognition of impact and loss across all ‘capitals’, including cultural capital.

"Any cyber frameworks should be co-designed with iwi and Māori while contemplating New Zealand’s obligations under the UN Declaration on the Rights of Indigenous Peoples. CSAC strongly recommends a separate, suitably-resourced workstream be established by DPMC to oversee this."

The implementation of minimum cyber risk management guidelines for companies, expressed as a simplified form of the widely-understood NIST cybersecurity framework.

"These guidelines would create a common language of risk control, while providing a structure for advice, capability development and support."

The introduction of mandatory reporting of cyber incidents and ransom payments for those organisations and sectors upon which society relied.

This should be expanded from organisations of national significance to include internet service providers and relevant managed ICT service providers (MSPs) along with key sectors such as food, transport, health, education and financial services.

Sustained investment into building cyber capability and capacity in the labour market.

This could include work visa changes and funding of public and private sector cyber education at academic and trade level.

A strengthened oversight regime for ISPs and MSPs with regard to their capability and their controls of cyber security risk.

"ISPs and MSPs should also be subject to mandatory cyber incident reporting requirements," CSAC wrote.

"Given these companies control many of the ‘roads and pipes’ that bad actors must pass through to commit cyber-attacks, they have a great opportunity to contribute to better outcomes for business and consumers."

A review of the operation of cyber insurance in New Zealand, to be conducted by the Reserve Bank as NZ's insurance oversight agency.

Cyber insurance was poorly understood and poorly utilised, and premiums were increasing while coverage was decreasing.