Date: 2024-02-14

The Reserve Bank of NZ has been investing heavily in its ICT foundations and cyber security since a damaging supply chain hack in late 2020.

Investigations into that breach found the bank had been underinvesting in the modernisation of its technology platforms and capability and significant investment was required.

Nine million dollars of additional funding was sought and received, including funding for an increase in technology staff from 63 to 85, the bank said in a memorandum released in November but dated the year before.

That staffing increase was not achieved, however, with funding reallocated to the increased cost of computer services and projects to address major resilience issues.

"With the funding made available, the Reserve Bank was able to migrate [its] servers out of 2 The Terrace to Datacom infrastructure as a service, addressing the risks associated with ageing server infrastructure operated in a low resilience, on-premise computer room," the memorandum said.

Annual review disclosures to Parliament's Finance and Expenditure Committee this month note the Datacom-managed shift and hosting through to October 2026 cost a shade under $6 million.

This project started on 1 July 2019 and was completed by 30 June 2021, reducing the risk of failure to critical functions and systems, the integrity of data, the potential loss of information and its fraudulent use, the bank said in its memorandum.

"We need to continue to address underinvestment in our IT infrastructure," it said. "Whilst we have focused on preventative controls, we have been aware of the need to improve recovery controls such as backup and recovery services."

The 2020 breach was part of a global attack on a third party file transfer application called Accellion, which the bank has since replaced with Box in what appeared to be an acrimonious parting. The replacement project was initially expected to cost $2.75 million but, according to Parliamentary annual review responses, ended up costing nearly $1 million more.

Investigations into the breach and assessment of the Reserve Bank’s cyber resilience led to the establishment of a business services improvement programme to address gaps and to respond to a compliance notice from the Privacy Commissioner.

"This programme was unanticipated, but necessary, and has supported considerable uplift to mitigate cyber security threats, including server vulnerability management, certification and accreditation management, email/website filtering and firewalls," the bank said in the memorandum.

Security operations centres had been established through a partnership with a supplier and security incident and event management (SIEM) implemented.

Other cyber security and related projects noted in the bank's annual review included "disaster rightsizing and recovery", vulnerability management, monitoring and alerting, IT resilience and access management, with some of these completing late last year.

"Cyber resilience within the Reserve Bank and across the financial sector is a key deliverable for us," the bank said.

"Keeping pace with developments in the cyber space is critical to maintaining our credibility across the financial sector as well as the security of our information."

No cyber security incidents were detected in 2023, compared with three in each of the previous two years, according to answers to committee questions.

One project, dubbed Koru, experienced a significant reduction in budget and scope leading into the 2022/23 financial year, with the budget falling from nearly $8 million to $1.3 million.

Koru was a system for managing relationships with external organisations, particularly regulated ones, and was targeted to go live in October/November 2023.

Reseller News has asked the bank to explain why the project was scaled back.

Costs for software licensing at the bank continued to increase, from $5.6 million in 2019 to $15.3 million in 2023. This was due to higher licence fees, an increase in the number of licences purchased (reflecting a higher head-count) and the increase in cyber security protection.

Specific areas with increased licensing costs were a new human resource and payroll system and a new website which replaced legacy systems that were no longer fit-for-purpose.

Other partners working with the bank in recent years include NTT, Fusion 5, One NZ and, for website support and infrastructure, AKQA.