New Zealand Cybersecurity Laws

However, the regulation of cybersecurity and cyber incidents in New Zealand remains fragmented. Given the recent review and development of prescriptive cybersecurity legislation in Australia in 2021, we are interested to see whether there is a flow-on effect for regulation in New Zealand.

provide information assurance and cybersecurity activities to a public authority, person or group of persons referred to in Article 11(1); and

In January 2021, the FMA published its findings following an audit of NZX's compliance with its obligations as a licensed market operator under the Financial Markets Conduct Act 2013 (FMCA).[47] The FMA review initiated under the FMCA followed a series of cyberattacks in 2020 that forced NZX to shut down the markets. NZX is currently implementing its formal action plan, which was approved by the FMA in May 2021 and includes a number of measures that NZX should implement in relation to NZX's agreements on IT capacity, cybersecurity and risk management.[48]

The GCSB provides advice, support, and protective services to authorities and others authorized to receive assistance from the Office. The NCSC is part of the GCSB and responds to threats to organizations of national significance and serious cyber incidents at the national level. In NCSC's 2020/21 Annual Cyber Threat Report, NCSC recorded 404 incidents with a potential national impact or impact on New Zealand's organisations of national importance (which the organisation considers to represent a small but impactful part of all cyber security incidents affecting New Zealand).[44] A notable trend reflected in the relevant incidents is the significance of criminally motivated activity: 27% of NCSC recorded incidents for 2020-2021 featured indicators of suspected criminal or financial actors (up from 14% the previous year).[45]

The Privacy Act is also the most important cybersecurity legislation in New Zealand (explained in more detail in Section IX). However, the law only deals with cybersecurity with regard to personal data. The Intelligence and Security Act 2017 separately regulates government oversight and provides for the establishment of the Government Communications Security Office (GCSB), whose mission is to support the response to cyber security incidents affecting New Zealand's organisations of national importance. Limited cybersecurity-related offences are also provided for in the Computer and Computer Systems Offences Act 1961, while firms regulated by the Financial Markets Authority (including financial service providers and advisory providers) or the Reserve Bank (including banks, non-bank depositors and insurers) are subject to separate sectoral guidelines on cyber resilience.

Under the New Zealand Data Protection Act, there are no mandatory requirements to store prescribed classes or sets of personal data exclusively in New Zealand. However, there are limited industry laws that impose a data localisation requirement for certain categories of non-personal data. For example, under the Goods and Services Tax Act, 1985, GST registrants are required to keep and maintain regulated records at a location in New Zealand, unless otherwise authorized by the Commissioner of Taxation. As malicious cyber activity continues to increase in New Zealand, we look forward to seeing whether more prescriptive cybersecurity laws will be introduced for New Zealand in the near future (particularly given Australia's recent substantial reform of cybersecurity regulations).

NCSC works closely with organisations such as CERT NZ. CERT NZ assists businesses, organizations and individuals affected (or likely to be affected) by cybersecurity incidents, including triaging reported incidents and coordinating an organization's response to a reported incident. There is also sector-specific guidance on the role of cybersecurity governance provided by New Zealand regulators (see Section IX). Data protection impact assessments (see Section V) are recommended as best practice to help companies identify and adequately manage potential cybersecurity risks from a data protection perspective, ideally before introducing or adopting a new cybersecurity policy.

With respect to disclosures outside New Zealand, an act of a public authority in respect of information held abroad does not violate the general rule against disclosure if the action is required by or under the law of a country other than New Zealand.[28] While this exemption may facilitate the disclosure of information abroad where disclosure is required by the laws of that country, this exception does not apply to information stored in New Zealand.

[20] Foreign companies and individuals, including foreign governments, individuals not ordinarily resident in New Zealand and companies and organizations not incorporated under New Zealand law or having central management in New Zealand.

In March 2015, the arbitral tribunal awarded Credit Union Baywide damages totalling approximately NZ$168,000 (the highest amount ever recorded in a privacy claim).[37] Credit Union Baywide forced an employee, in violation of the former employee's privacy settings, to access a photo of a cake, which was prepared by the former employee with derogatory language directed at Credit Union Baywide, and maliciously distributed it to third parties (including the former employee's new employer).
Second, when assessing impact, New Zealand will seek an analogy with acts that are considered the use of force when caused by means other than cyber operations. This is also a trend (see for example France, Australia, Netherlands, United States). However, it is one that requires a highly contextualized application.

In particular, it is sometimes not clear in national statements on the use of force in cyberspace whether the loss of functionality of the targeted cyberinfrastructure, which the Tallinn Manual 2.0 experts described as “harm”, can constitute the use of force if it is sufficiently serious and in the circumstances. Presumably, New Zealand would take this position, as it notes that a cyber operation that interferes with the “functioning of the state” could be considered an act of force.

But without the intention of coercing the target state over a choice regarding the reserved domain, there is no intervention, as in purely malicious or criminal cyber operations. Thus, the other scenario cited in New Zealand's statement – “cyber activities that intentionally cause significant damage or loss of function to a state's critical infrastructure, including, for example, its health system, financial system, or electricity or telecommunications network” – would only be considered intervention if the state intends to reverse the target state's decision in relation to a facet of the reserved domain. Depending on the circumstances, this may or may not be the case.

As claims that cyberspace is a normative Wild West fade, the international community's job is to identify and interpret the rules of international law that govern cyber operations. Last week, with the release of the Department of Foreign Affairs and Trade's (MFAT) position, New Zealand joined the growing list of states that have publicly expressed their views on the application of international law in the cyber context.

