Cyber Law in Asia
Do they designate a lead cyber security agency within the government?
Yes. The National Cyber Security Centre (NCSC), which is part of the Government Communications Security Bureau (GCSB).
Is oversight provided on a centralized or sectoral basis?
Sectoral. The agency head endorses and is accountable for information security within their agency.
See Section 3.1.1, New Zealand Information Security Manual (NZISM).
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure?
How do they designate within these sectors?
Are there mandatory security measure requirements for CI, other than privacy/data protection laws?
Generally no. New Zealand has a voluntary framework, with guidance such as the New Zealand Information Security Manual (NZISM). See NCSC Guidance (last visited Dec. 22, 2019).
However, the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) establishes certain obligations for telecommunications network operators. For example, TICSA creates the obligation for network operators to notify the GCSB of proposals (proposed decisions, courses of action or changes) in regard to certain parts of their network. Section 48, TICSA (2013).
Does it take a risk-based approach?
Do the security measures enable the use of international standards?
Yes. The NZISM is consistent with a wide variety of risk management, governance, assurance and technical standards, including the ISO/IEC 2700x series, as well as IETF, OASIS, NIST and other recognized standards bodies. See NZ Information Security Manual, GCSB (last visited Dec. 12, 2019).
Are security measures NIST CSF compatible? (Possible to comply through this approach?)
Yes. See NZ Information Security Manual, GCSB (last visited Dec. 12, 2019).
Do they include prescriptive or technology-based security measures?
Are there mandatory incident reporting requirements?
Are there clear thresholds above which an incident should be reported?
How do they determine the timeline within which an incident must be reported?
Threat Information Sharing
Have they established a national threat information sharing entity?
Yes. The National Cyber Security Centre.
Does this entity share information out to industry, as well as receiving information?
Is threat information sharing mandatory for any private sector entity?
The Directors-General of the NZSIS and GCSB can only compel production of specified business records in accordance with a business records approval, granted by the Minister responsible for that agency and a Commissioner of Intelligence Warrants. An agency can only request specific information on a case-by-case basis by reference to an identified individual or thing (such as a phone number or IP address).
The regime does not permit ‘bulk’ data access. See Fact Sheet No. 13: The Intelligence and Security Act 2017: Information sharing, Department of the Prime Minister and Cabinet.
Government Access Requirements
Are there requirements to provide government officials physical access to facilities?
Are there requirements to cede control of facilities in an emergency situation?
Are there requirements to provide source code or other decryption capabilities?
Are there requirements to establish a local presence - either officer or personnel?
Are there requirements to localize data?
Are there financial penalties outlined? If so, what for and what is the maximum penalty?
Are there criminal penalties outlined? If so, what for and what is the maximum penalty?
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?
The Intelligence and Security Act 2017, which sets out the functions, powers and duties of the GCSB, went into effect on March 28, 2017.
The Telecommunications (Interception Capability and Security) Act (TICSA), which establishes obligations for New Zealand's telecommunications network operators in interception capability and network security, was enacted in 2013 and later updated on November 12, 2018.