Some of the Reserve Bank staff who last November helped prepare a report that led to market sensitive information being wrongly shared with their colleagues were new employees who had not been trained on what market sensitive information is.
This is disclosed in a Deloitte report commissioned by the Reserve Bank on two information breaches at the Reserve Bank last November. The Reserve Bank has released a summary report of Deloitte's investigation.
The two incidents probed by Deloitte include an internal issue, and one where market sensitive information was released externally before it was intended to be in the public domain.
The first incident occurred on November 6 last year, when sensitive information was included in a draft Reserve Bank chief executive report to the Board. The second incident occurred on November 11, when the Reserve Bank sent a letter to non-bank deposit takers (NBDTs) containing news on the Funding for Lending Programme (FLP) before that news was announced in the 2pm Monetary Policy Statement that day.
On the first incident, Deloitte says that during preparation of the report the information was not adequately identified and marked as market sensitive when it was included in the draft. As a result it was first sent, incorrectly, to the staff member collating the report on November 3, and was then uploaded on November 4 to a location accessible to all Reserve Bank employees.
Among the factors Deloitte cites for these breaches is that "some of the individuals involved in collation and preparation of the draft report were relatively new employees and were not familiar with what comprises market sensitive information in [the] Reserve Bank’s context. These employees had not received training on what constitutes market sensitive information."
Meanwhile, the letter containing market sensitive information in relation to the FLP was emailed to 18 NBDTs on November 11 approximately 45 minutes before this information was due to be communicated by the Reserve Bank at 2:00pm in its Monetary Policy Statement announcement. The letters were addressed to a member of each NBDT’s senior leadership team, and copies were also sent to a lawyer representing several NBDTs, plus two Reserve Bank staff copied into the correspondence.
After the emails were sent, the sender attempted unsuccessfully to recall them.
"In addition to the external breach, there was an internal breach within the [Reserve] Bank, prior to the release of the information on 11 November 2020. The internal breach occurred on 9 November 2020, when the same individual who sent the NBDT letter saved a draft version of the document that was being prepared into Documentum. Documentum is the document management system used by the Bank. At this point, the draft document became available to 233 Bank staff who had the user access rights to view this document. While the version tracking on the underlying document records indicates that only the sender 'checked out' this document, we have been unable to ascertain whether any other Bank staff accessed the document," Deloitte says.
Among the reasons Deloitte cites as contributing to these breaches is that, even though the staff who prepared the letter were aware it contained market sensitive information, the letter was not marked as market sensitive. The letter was also a response to earlier correspondence with the NBDT sector.
Deloitte's report notes that few New Zealand organisations are responsible for creating, managing and handling market sensitive information as frequently as the Reserve Bank. This, Deloitte says, exposes the Reserve Bank to unique challenges and risks.
Deloitte includes a series of recommendations on how the Reserve Bank could improve its handling of sensitive information and reduce the potential for further breaches. They are listed below. The Reserve Bank says initiatives are underway to address Deloitte's recommendations.
a. Update the RBNZ Access, Security and Classifications Policy to specifically make provision for classification categories that the Bank would have, as opposed to using the generic Protective Security Requirements (PSR) classification categories, to make it easy for users to accurately classify information.
b. Create information handling procedures for each classification category defined in the updated policy, which stipulate where information may be stored, who it may be shared with and how it should be handled throughout its lifecycle.
c. Implement a solution which would enable the easy classification of files when created or received by Bank employees. This could be a new technology solution or enabling a feature of a solution that RBNZ has already implemented.
d. Run user awareness campaigns and training once the foundational components above have been developed and implemented, to drive the rapid adoption of the new procedures related to sensitive information.
e. Undertake a tactical review of the members of Active Directory groups providing access to Documentum folders which would likely contain sensitive information, to confirm that their role within the organisation would require access to the folder. Once this tactical review is completed, a wider review of all privileges for all employees should be undertaken.
f. Perform a review of user access within the Bank, to confirm that the access provisioned for each user is commensurate with their role within the Bank. These reviews should include sign off by management of each department to confirm that appropriate levels of access are provided.
g. Expedite the initiatives related to identity governance and management which the Bank has planned for FY2022, to enable the principle of least privilege to be applied and access to be controlled and managed centrally.
h. Treat all incidents related to sensitive information as a data breach, to make sure the relevant stakeholders are informed and the right processes for response, communication and investigation are executed in a timely manner.
i. Create a playbook specifically for the management of incidents that relate to information breaches, with the key activities to undertake during the response process.
*This article was first published in our email for paying subscribers.