Incidents

We respond to cyber threats to nationally significant organisations and high-impact cyber incidents at a national level.

On this page

Incident response

Response services we offer

Report an incident and request support

Reporting on cyber threats

Traffic Light Protocol

Incident categorisation

Incident categorisation table

Incident response

The NCSC responds 24/7 to cyber security incidents of potential national significance.

An incident can be any threat to an organisation’s network or information, even when an attack is unsuccessful or there is no confirmed compromise.

An incident may include reconnaissance and network scanning, possible attempts to exploit vulnerabilities, accidental data leaks, or suspicious events.

The response services we offer

We help nationally significant organisations respond to and recover from high-impact cyber security incidents. Our response supplements support from commercial providers, and can include:

  • On-site assistance
  • Digital forensics and technical analysis
  • Threat intelligence, including information from our international partners
  • Communications advice and guidance
  • Coordinating with New Zealand’s National Security System.

We work with other cyber security agencies including CERT NZ and New Zealand Police to triage incidents. Where an incident has high national impact, the national security system is engaged through New Zealand’s Cyber Security Emergency Response Plan.

Report an incident and request support

 Visit the page below for information about how to contact us and request incident support.

Incident response support

We report on New Zealand cyber threats

We regularly identify and publish reports on cyber security threats and incidents.

Recorded incidents may involve small businesses being targeted by financially motivated actors, or they may involve serious, persistent attempts to compromise the information systems of major New Zealand organisations. These include attempts to identify and steal valuable intellectual property.

Some threats come from well-resourced foreign sources. These sources may target significant New Zealand organisations or use New Zealand systems to target overseas entities.

The Traffic Light Protocol

We use the Traffic Light Protocol (TLP) to determine the sensitivity and handling instructions for incident-related and other information we report on.

Incident categorisation

We categorise incidents on a one to six scale, according to their potential impact.  This scale is based on processes described in the New Zealand Cyber Security Emergency Response Plan, found on the DPMC website(external link).

Minor incidents are categorised as C6, while highly significant incidents are categorised as C2 and national cyber emergencies are categorised C1.

Highly significant incidents (C2 or above) involve substantial time and resources to address. Even significant (C3) or moderate incidents (C4) can still take a number of weeks to resolve, and usually require complex responses across a number of teams.

For minor (C5) or routine incidents (C6), the NCSC might respond by providing general advice or alerts to customers.

As examples, the denial-of-service attack affecting the New Zealand Stock Exchange in 2020 and the ransomware attack affecting the Waikato District Health Board in 2021 were both categorised C2.

Incident categorisation table

 

Incident Category  Description
C1 – National Cyber Emergency An incident causing severe disruption to a core New Zealand service, and/or affecting key sensitive data, undermining the economic or democratic stability of New Zealand.
C2 – Highly Significant Incident Known or likely impact affecting key sensitive data or disruption of essential New Zealand services in organisations of national significance or the New Zealand Government.
C3 – Significant Incident Known or likely impact on a large commercial enterprise, wider government, or supply chain to core New Zealand services.
C4 – Moderate Incident Known or likely impact on a medium-sized enterprise, or lower-level impact on a larger enterprise or wider government or supply chain to core New Zealand services.
C5 – Routine Incident Known or likely impact on a small enterprise, lower-level impact on a medium-sized enterprise, or pre-cursor activity against a larger enterprise or wider government or supply chain to core New Zealand services.
C6 – Minor Incident Known or likely impact on individual(s) or pre-cursor activity against individual(s) or a small or medium enterprise.