​NZ cybercrime attacks rise, yet over half of Kiwi organisations remain unprepared

“This points to a potentially worrying trend."

More than half of New Zealand organisations are still unprepared for cybercrime incidents, despite a rising tide of attacks both at home and overseas.

According to PwC’s 2016 Global Economic Crime Survey, 40 percent of New Zealand organisations report their workplaces as being victimised by economic crime in the past two years (up from 33 percent in 2014), representing higher than the global average of 36 percent, but significantly below neighbouring Australia at 52 percent.

New Zealand survey results found 42 percent of fraud detection is through a tip-off, including formal whistleblowing services.

Corporate controls only accounted for detecting 24 percent of crimes, which is significantly down from 56 percent in 2014 at the time of the last survey.

While business confidence is high, fraud is an unfortunate downside for businesses and corporate detection methods are not keeping pace, says PwC Forensic Services Partner Eric Lucas.

“This points to a potentially worrying trend,” Lucas says. “Eighteen per cent of all economic crimes detected in New Zealand were by accident and there is too much being left to chance.

“Today more than ever before, a passive approach to economic crime is a recipe for disaster.

“Understanding your vision and strategically maintaining a plan for growth as well as defence, based on your unique threat landscape and profile, will be the difference.

“In a fast-moving digital world, being prepared is a living, breathing daily exercise which needs to be constantly updated so you are ready when threats turn into reality.”

Lucas says the survey data shows that many organisations in New Zealand are still unprepared.

Despite 40 percent of New Zealand respondents saying they will likely be the victim of cybercrime over the next two years, only 45 percent have an operational incident response plan and nine percent have a digital forensic investigator on their first responder teams.

Economic crime is a business issue and not an IT or accounting issue, Lucas says, but too many New Zealand organisations are not fully preparing for these threats.

“In a fast-changing and digitally dependent market, many organisations are not well placed to avoid cybercrime attacks, or if subject to attack, respond to them,” Lucas adds.

“Only about half of boards ask for information regarding their organisation’s state of readiness to deal with cyber incidents.”

Financial services: Do some sectors offer more opportunity for economic crime than others?

Globally, Lucas says financial services organisations (48 percent) reported a higher number of economic crime incidents, followed by government and state-owned enterprises (44 percent).

In New Zealand, an anti-money laundering regime effecting financial services has been in operation for almost three years following the introduction of the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act in 2013.

“Being associated with funds that have contributed to the financing of terrorism or linked to the 'legitimisation' of criminal proceeds is a reputational and regulatory risk for financial entities,” Lucas adds.

“This is not a concern only for established companies but also for those who are hoping to establish themselves in New Zealand.”

At present in New Zealand, the Act only applies to financial institutions - banks, finance companies, brokers, remittance agents and the like - many of which are still struggling to be fully compliant.

In the coming years, Phase Two of the Act will bring in many professional services including accountants, lawyers and real estate agents.

“What we do know is that the costs and time to fully comply are far greater than anticipated and that when the scope is extended - as it has been in most other complying countries already - the costs and inconvenience to business and their customers will only grow,” Lucas adds.

The global survey results for financial services respondents showed that only half of money laundering (ML) or terrorist financing (TF) incidents were detected by system alerts.

In New Zealand, reporting entities are required to monitor transactions for suspicious activity and many of them have automated systems to do this.

“One of the biggest challenges we see during our audits of reporting entities’ AML/CFT programmes, is whether the triggers implemented are based on the risks identified, and confirming that the triggers actually work as expected,” Lucas adds.

“All industry players in New Zealand are still learning. We anticipate increased regulatory action against reporting entities in the future as expectations of compliance increase.”