A team meeting in a conference room
A team meeting in a conference room

Security operations

Security is essential to safeguard our organisation and especially the information we hold about members and business customers. We need to protect our people, data, information and systems - and our brand. Our leadership team is committed to creating a culture where everyone is proactively responsible for security at work, complying with all applicable legislation, and working on best practices.

When it comes to managing and mitigating risks related to confidentiality, integrity, and availability of information and our IT systems, we plan and prepare thoroughly – not just for the expected threats, but for the leftfield risks too.

  • Glossary

    Control uplift
    Increasing the maturity and effectiveness of a security control.

    IT risk
    The possibility that an IT system has a breach or other failure that leads to data loss, data integrity issues, or is unavailable. Risk is quantified in terms of likelihood and consequence. Most organisations have a ‘risk appetite’, which is the level of risk the organisation is prepared to accept. High likelihood and high consequence risks are never accepted, while low likelihood and low consequence risks may be completely acceptable unless they are easy to address.

    IT systems
    IT services and applications that support a set of business processes, and store and manage information.

    Penetration testing
    An intensive testing process where an expert in security testing (or “hacking”) techniques attempts to breach an IT system. This helps identify vulnerabilities that can be addressed before a malicious person finds them.

    Personal Identifiable Information (PII)
    Information about an identifiable individual, such as a member, employee, provider or adviser, governed by New Zealand’s privacy laws and (where it contains health information) the Health Information Privacy Code.

    Security control
    A safeguard or measure that we’ve implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.

    Third-party provider
    An external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.

Our operation

How we identify, monitor, and report security issues

Vulnerability management

Detecting potential security risks, even before they happen, is one of our Security team’s most crucial tasks. By proactively monitoring our environment to identify security threats and vulnerabilities in real-time, we can act immediately should a hacker try to break into our network and steal sensitive information.

To help us in our fight against cyber threats, we’ve deployed various scanning tools to assist with the search, identification and validation of vulnerabilities. These can effectively inform us of the potential impact to the organisation. These scans are performed at least monthly to ensure that any new weaknesses are reported as soon as possible. It also allows us to gauge the effectiveness of the countermeasures that we’ve deployed to protect our systems.

Vulnerability management provides continuous checking and verification of security risks to our business. It allows us to act fast and carry out quick fixes to any short-term issues, and focus on bigger, more critical risks to the organisation.

Event log management

IT systems within Southern Cross are configured to perform event logging. Event logging is performed to ensure we can carry out troubleshooting and trend analysis. It also helps us better understand irregular system behaviour.

By being able to view potential issues, which are correlated and entered into a central log management system, we can better understand how our systems are functioning and if they’re performing as expected. Where multiple irregular events are identified, we investigate and address this as part of the incident management process.

Our security team are supported by third-party security consultants, and together they ensure all our systems and applications have been configured appropriately to ensure that if there is any unusual behaviour on our system, we’ll likely detect it.

Incident management

Incident management helps us prepare for unexpected security threats that may impact or harm our environment. These threats can relate to hardware, software, and other services.

All our IT systems and applications have triggers enabled which alert our security team to any unusual system behaviour or known security threats. We also work with third-party service providers who support us by monitoring our network and systems. They collect logs of generic events using various scanning tools, analyse, and flag any suspicious activity to our security team for investigation.

Responding to potential threats

To help us respond to security incidents, we’ve implemented an Incident Response Plan (IRP). The IRP outlines the procedures we use to detect and respond to unauthorised access or disclosure of private information. It also defines:

  • roles and responsibilities of the teams responsible for security
  • measures to be taken to address the incident
  • tools for managing the incident
  • steps on how the incident must be investigated, communicated, resolved, and closed
  • communication among affected stakeholders


Continuous development

After a security incident is resolved, we’ll perform root cause analysis. This allows us to document complete details of the incident to prevent it from happening again.

In addition, we implement practices designed to proactively reduce the risk of a privacy or data breach. These include training our team members on compliance requirements and putting in place appropriate physical security and environmental controls for our IT infrastructure.

Change management

Implementing IT changes without any interruption to our services is crucial, so our change management process ensures all changes are logged and assessed for impact, cost, benefit and risk.

We perform pre-deployment activities, and these include developing a business justification, planning and scheduling of changes, as well as obtaining prior approval from a change manager and the change advisory board. This ensures changes are reviewed, deployed, and closed in a controlled, effective manner.

Privacy breach

A privacy breach occurs when there is unauthorised access or disclosure of private information from IT systems and applications.

We constantly monitor our environment and have security controls in place aimed at preventing privacy data breaches. However, if a breach does occur, the focus becomes on minimising the reach and impact of the breach.

Reporting vulnerabilities

At Southern Cross we take security seriously, ensuring that we keep our members information safe. If you believe you have found a vulnerability in our systems, please make a confidential disclosure to us using the information provided below.

How to report a security vulnerability

Please make all reports via email, for added security you can encrypt the message using our PGP key.

Email: [email protected]

PGP: PGP Public Key

Fingerprint: 562A312E244920BB2DA2D58AE4D691066B8D1AEB

What to include when submitting a report

Please provide as much information as possible, below are some details that will help us investigate:

  • Type of vulnerability found.
  • Affected service, URL, product.
  • Step-by-step instructions to reproduce the issue.
  • Any other details that will help us verify/reproduce the vulnerability.

What’s next

We will endeavour to acknowledge your report within a reasonable period. We will reach out if there is any further information that is required and provide updates on the expected timeline to triage and fix the vulnerability where appropriate.

Please help protect this information by

  • Handling it in accordance with local laws.
  • Not accessing, modifying or deleting any data.
  • Not publicly disclosing findings. 

Related information

Member privacy statement

Learn more > 

Security controls

Learn more > 

Security systems and information

Learn more >