Cyber security is a constant battle. Businesses need to keep ahead of cybercriminals, who take every opportunity to exploit vulnerabilities.
Due to Covid-19, organisations suddenly had their workforce working at home with little time to set up appropriate security (where it did not already exist), and cybercriminals adapted their attacks to focus on the situation.
CERT NZ issued an advisory last month stating that attackers are using vulnerabilities in organisations’ remote working access systems to create ransomware attack opportunities. Our PwC threat intelligence team has reported that ransomware attacks have increased significantly since December 2019.
Apart from having good preventive cyber security measures in place, you need a cyber security incident response plan that can help you bounce back from attacks faster. Cyber incident response is not just a technical IT matter; it is an event that has implications for your entire business.
Executing a strong cyber incident response plan and communicating your actions clearly and calmly lets you control the situation and reduce the impact on your business.
The incident response plan should be scaled to the size of your business and the potential impact on it. Crucial elements of a response plan include:
- Knowing what you need to operate effectively, and the related risks.
- Having a process for identifying the appropriate response based upon scale and impact of the incident.
- Having clarity over key roles and responsibilities.
- Being ready to respond at speed – staff know what the plan is and the escalation process.
- Being operationally ready – staff are aware of suspicious activity (phishing emails) and how to report these.
- Having a contact list for key staff and suppliers (IT support, lawyer).
- Having alternative systems/processes available if main business systems are not available (for example, phone ordering if online ordering is unavailable).
- Testing and rehearsing the plan to fine-tune it.
- Having a communications plan, including social media.
- Understanding Privacy Act implications.
A recent trend in ransomware attacks is that an organisation’s data is selectively released onto the dark web in order to escalate the payment of the ransom.
Even if organisations pay the ransom, it is no guarantee that they will recover their data.
Organisations that suffer a ransomware attack also need to consider the Privacy Act implications of the attack and whether they need to report the breach. Reporting will be mandatory from 1 December 2020 where the breach poses a risk of serious harm.
New Privacy Act 2020
In April 2020, the World Economic Forum reported that more than 4.1 billion records were breached in the first half of 2019.
With the introduction in recent years of new privacy regulation such as the European GDPR that places significant fines on breaches of personal data, it is timely that New Zealand’s Privacy Act has been revised. The Privacy Commissioner gains new powers and an increase in fines for breaches.
The new Privacy Act 2020 will replace the 1993 legislation and is expected to commence on 1 December 2020. The Office of the Privacy Commissioner has outlined the key changes as:
- The requirement to report serious privacy breaches. This is the most notable change. Organisations will have to notify the Privacy Commissioner and any affected individuals if there is a breach of privacy that has caused or poses a risk of causing serious harm.
- A new privacy principle has been added to regulate the way personal information is sent overseas. Personal information may only be disclosed outside of New Zealand if the receiving organisation is subject to similar safeguards to those in the Privacy Act.
- Overseas businesses that are carrying out business in New Zealand (for example, overseas online-only retailers) will be subject to the Act, even if they have no physical presence in this country.
- An enhancement to Principle 1 is that an individual’s identifying information cannot be collected if it isn’t needed.
A privacy breach means:
- Unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information.
- An action that prevents the agency from accessing the information on either a temporary or permanent basis.
The Privacy Act includes guidelines for assessing the likelihood of serious harm that cover the risk, nature and sensitivity of the breach. Failure to notify the Privacy Commissioner is an offence with fines up to $10,000.
Organisations need to consider what changes to their processes are required before 1 December 2020 to meet the new requirements.
Holiday Pay – SME sector affected
Holiday pay issues first hit the headlines during 2016. Recent news articles in June 2020 have again raised issues with payroll systems that could affect the calculation of holiday pay for employees in the SME sector.
This issue has previously been largely confined to large employers in both the private and public sector with millions of dollars in arrears being paid to employees.
The focus has now shifted to the SME sector, which is likely to have greater risk, due to the nature of employment and greater reliance on payroll systems.
In the period from 2012 to December 2019, the Labour Inspectorate completed 168 payroll audits, which resulted in $108 million of arrears being paid to 165,000 employees (payments ranged from $29 to $8,000 per employee).
This doesn’t include the millions paid to employees by employers that addressed the issue themselves.
The types of employment arrangements most affected by the holiday pay issue are those where employees have variable hours, especially if those hours are unpredictable.
The Holidays Act refers to weekly increments of pay and multiple calculations for annual leave, whereas it is common for payroll systems to calculate leave using hourly rates and only use one method of calculating annual leave payments.
If you think that your business may be affected, PwC has a team of specialists in this area who are available to assist.
The comments in this article are of a general nature and should not be relied on for specific cases. Taxpayers should seek specific advice.