The GCSB has apologised for taking six times longer than legally required to respond to questions about cyber security concerns raised in a Treasury report, ultimately refusing to provide most details.
The report warned that government data was being handled by unvetted third parties and highlighted ongoing issues with vendor security, including weak controls, unpatched systems, and offshore data management without approval.
It also pointed to systemic risks from heavy reliance on a small number of suppliers—many linked to major US cloud providers—due to limited market competition.
Despite these concerns, the GCSB declined to identify vendors or affected agencies, citing confidentiality and commercial sensitivity.
Further reports suggested broader structural problems, including outdated procurement practices, underfunded cyber security, and barriers to modernising government IT systems.
State media sought details from the GCSB, National Cyber Security Centre and Internal Affairs about which vendors had raised cyber security concerns. Director-General Andrew Clark declined to identify them or provide specifics, stating that “providing this information would likely have commercial implications for these vendors,” and refused the request on the basis it could unfairly prejudice their position.
He also rejected requests to name the government agencies that had flagged the issues, saying, “I am refusing those parts of your request where you have asked for information that has been provided to the GCSB in confidence by agencies,” warning that disclosure could deter future information-sharing. As a result, neither the unvetted third parties handling government data nor the associated risks to service delivery outlined by Treasury were made public.

In other words, a private company (supplier) storing your data on behalf of the govt. (Vendor). [A vendor like IRD].
Unvetted 3rd parties? Data Clouds? What could possibly go wrong with Digi ID? Or is that a feature – not a bug?
Recently disclosed in U.S. politics is the Federal Government purchasing data on the open market to spy on their own citizens, i.e. to avoid the official information act process.
Peter Thiel and Palantir by any chance, one of those that want to hide who and where their tentacles are 🤔
Excellent point. So much, too, for accountability to the public who pay for these so-called organisations.
And these govt muppets want us to place our private data into Digital IDs they mismanage? Just get lost….