Incident response
The NCSC responds 24/7 to cyber security incidents of potential national significance.
An incident can be any threat to an organisation’s network or information, even when an attack is unsuccessful or there is no confirmed compromise.
An incident may include reconnaissance and network scanning, possible attempts to exploit vulnerabilities, accidental data leaks, or suspicious events.
The response services we offer
We help nationally significant organisations respond to and recover from high-impact cyber security incidents. Our response supplements support from commercial providers, and can include:
- On-site assistance
- Digital forensics and technical analysis
- Threat intelligence, including information from our international partners
- Communications advice and guidance
- Coordinating with New Zealand’s National Security System.
We work with other cyber security agencies including CERT NZ and New Zealand Police to triage incidents. Where an incident has high national impact, the national security system is engaged through New Zealand’s Cyber Security Emergency Response Plan.
Report an incident and request support
Visit the page below for information about how to contact us and request incident support.
We report on New Zealand cyber threats
We regularly identify and publish reports on cyber security threats and incidents.
Recorded incidents may involve small businesses being targeted by financially motivated actors, or they may involve serious, persistent attempts to compromise the information systems of major New Zealand organisations. These include attempts to identify and steal valuable intellectual property.
Some threats come from well-resourced foreign sources. These sources may target significant New Zealand organisations or use New Zealand systems to target overseas entities.
The Traffic Light Protocol
We use the Traffic Light Protocol (TLP) to determine the sensitivity and handling instructions for incident-related and other information we report on.
Incident categorisation
We categorise incidents on a one to six scale, according to their potential impact. This scale is based on processes described in the New Zealand Cyber Security Emergency Response Plan, found on the DPMC website.
Minor incidents are categorised as C6, while highly significant incidents are categorised as C2 and national cyber emergencies are categorised C1.
Highly significant incidents (C2 or above) involve substantial time and resources to address. Even significant (C3) or moderate incidents (C4) can still take a number of weeks to resolve, and usually require complex responses across a number of teams.
For minor (C5) or routine incidents (C6), the NCSC might respond by providing general advice or alerts to customers.
As examples, the denial-of-service attack affecting the New Zealand Stock Exchange in 2020 and the ransomware attack affecting the Waikato District Health Board in 2021 were both categorised C2.
Incident categorisation table
| Incident Category | Description |
| --- | --- |
| C1 – National Cyber Emergency | An incident causing severe disruption to a core New Zealand service, and/or affecting key sensitive data, undermining the economic or democratic stability of New Zealand. |
| C2 – Highly Significant Incident | Known or likely impact affecting key sensitive data or disruption of essential New Zealand services in organisations of national significance or the New Zealand Government. |
| C3 – Significant Incident | Known or likely impact on a large commercial enterprise, wider government, or supply chain to core New Zealand services. |
| C4 – Moderate Incident | Known or likely impact on a medium-sized enterprise, or lower-level impact on a larger enterprise or wider government or supply chain to core New Zealand services. |
| C5 – Routine Incident | Known or likely impact on a small enterprise, lower-level impact on a medium-sized enterprise, or precursor activity against a larger enterprise or wider government or supply chain to core New Zealand services. |
| C6 – Minor Incident | Known or likely impact on individual(s) or precursor activity against individual(s) or a small or medium enterprise. |