GCSB Delays & Refusals: Spy Agency Slow to Respond to Cyber Security Concerns
Wellington, New Zealand – The Government Communications Security Bureau (GCSB) took over six times longer than legally permitted to respond to questions regarding vulnerabilities in government data security, and ultimately refused to answer most inquiries, according to documents released following a request under the Official Information Act (OIA). The delay and subsequent stonewalling raise concerns about transparency and the government’s ability to address escalating cybersecurity risks.
The questions stemmed from a Treasury report last year which flagged that government data was “being managed or held by unvetted third parties.” RNZ, which initially sought the details, received a response 120 working days after its request – four times the statutory 20-day limit. GCSB Director-General Andrew Clark apologized for the delay, but then largely declined to provide substantive answers.
Clark justified the refusal to answer most of a dozen questions by stating that disclosing information about security incidents and vulnerabilities would discourage entities from sharing crucial intelligence with the GCSB. “We have to keep incidents and vulnerabilities confidential or people would not share with us, and we necessitate that information to counter threats,” he said.
The Treasury report, released publicly months after its completion, highlighted ongoing concerns within government agencies about the security practices of third-party vendors. These concerns included “poor security controls and unpatched software.” Crucially, the report noted that some vendors had moved services offshore without prior approval, resulting in government data being handled by companies that had not undergone vetting processes. RNZ reported on the findings last year.
The report suggested New Zealand’s relatively modest market size contributes to the problem. Agencies believe “poor service delivery is likely driven by lower competition and less resourcing for comparably smaller contracts in New Zealand versus larger markets.” This has led to a reliance on a limited number of vendors, creating systemic risk should one of those vendors experience a significant cybersecurity breach.
When RNZ specifically asked the GCSB, the National Cyber Security Centre, and Internal Affairs to identify the problematic vendors, Clark refused, citing potential “commercial implications.” Similarly, requests for the names of the government agencies that raised the initial alarms were denied, as providing that information could “prejudice the supply of such info in future.” Even requests for details about the specific risks to service delivery identified by Treasury were met with refusal, with the GCSB claiming it “does not hold this information in the manner or format you have requested.”
Although Clark stated that work is underway on digital investment and procurement, he offered limited specifics. He noted the National Cyber Security Centre provides advice and has recently developed “minimum cyber security standards,” but details remained scarce.
Quarterly reports that followed the initial Treasury report did not revisit the issue of unvetted third parties. However, other cybersecurity weaknesses were identified. The September 2025 quarterly report specifically criticized the Treasury’s own investment management system, noting it failed to adequately account for the ongoing costs of cybersecurity. “Making it demanding to upgrade old systems and move away from on-site hardware to ‘as-a-service’ tech which we know deliver better security results,” the report stated. It further found that current financing rules “are preventing agencies from modernising and improving their cyber security.”
A separate finding in the September 2025 report, six years after Treasury urged an all-of-government approach to IT upgrades, described agencies’ procurement processes as “outdated and fragmented.”
The GCSB attributed the lengthy delay in responding to the OIA request to the need for consultation and the “volume of information requested.” The bulk of Clark’s three-page response consisted of justifications for withholding information. RNZ received no reports directly addressing the identified threat.
Clark concluded his response with an apology for the delay: “Our response… did not meet the statutory deadline and I do apologise for that. Thank you for your patience while we completed our response.”
The GCSB is led by Director-General Andrew Clark, who has held the position since April 2023. More information about Clark can be found on the GCSB website.
