Toka Tū Ake EQC has been supporting Kiwis in times of natural disasters since 1945. The organisation provides natural disaster insurance cover, administers the Natural Disaster Fund, and invests in research to help mitigate the risks to communities across Aotearoa.

This is an agency that works closely with risk, so after data security breaches in 2013 and 2020, the team at Toka Tū Ake EQC knew they needed to make major changes. They chose Datacom as their trusted security partner and began a significant overhaul of their systems and processes.

A complete change in their operational model

Beginning in 2020, the organisation underwent an enormous shift in its entire operational model. In the past, claimants dealt directly with EQC and claims were handled internally. Under the new model, Toka Tū Ake EQC works in partnership with eight major insurers, and claimants deal via their own insurance company. This has vastly improved the claimant experience.

“It’s seamless; you ring your insurer, they put in a claim on your behalf, and they handle everything,” explains Ashley Archibald, Acting CISO at Toka Tū Ake EQC and Senior Cybersecurity Consultant at Datacom. “You have one point of contact. It makes a lot of sense and it has saved a lot of anguish. Pulling all those insurers together was no easy feat, but having managed that has allowed us to provide a great benefit to the New Zealand people.”

Working in conjunction with eight insurers introduced fresh challenges for managing private data. To enable the new model to succeed, Datacom and Toka Tū Ake EQC worked together to implement a full suite of Microsoft security solutions, controls and processes. This included Sentinel SIEM, Defender EDR, vulnerability scanning, single sign-on, zero-trust private network solutions, patch monitoring and more.

People and process part of security solution

The new environment not only protects the organisation using security products and solutions but has also helped reduce risk by improving processes and reducing opportunities for human error – a common risk factor for security breaches.

Security is woven into every aspect of the organisation, and EQC’s Head of Information and Digital, Todd Skilton, says every team member knows they need to speak to the security team before implementing new processes or changes that could introduce risk.

Practical examples of this include having a security representative on all RFP panels to assess new products and services, ensuring all new IT projects have security input including review of the design and architecture, and security review and representation in Change Approval Board (CAB) and Technical Approval Board (TAB) meetings for business changes.

“Using a combination of data classification, data loss prevention (DLP) policies and managed access (B2B federation) for trusted partners has significantly reduced the potential for human error or accidental data leaks,” says Connor Kennedy, Datacom’s Connectivity and Security Customer Lead.

“Even small uplifts such as the external tagging of emails within Outlook has helped improve awareness and reduce data leaks and phishing. By having better controls and more secure processes, staff are using the correct and secure way to transfer data and interact with customers.”

“It’s been a lot of work to establish processing and handling systems that reduce and control the need to export data,” says Skilton. “We’ve modernised and introduced new enterprise apps, which do the processing and reduce manual handling. Minimising the human factor in processing, minimises the chance of errors that can lead to vulnerabilities.”

Datacom and EQC have also worked to upskill and educate the wider organisation about security and how everyone can help protect data against unauthorised access. One example of this has been the implementation and regular use of the Microsoft phishing campaigns.

“We have been running these campaigns for over a year now and have seen great user awareness uplifts and phishing detections at EQC.”

Office workers smiling
A big part of EQC's transformation included improving processes and providing education to reduce human error, which has helped create an organisational culture of security.

New insights into risks and responses

Improved systems have also allowed the EQC to make better use of its data, from research projects to post-disaster property information. This data can help the EQC consider how to manage contentious issues, such as managed retreat from flood-prone areas as the effects of climate change ramp up. As a more data-centric organisation, the team feels confident in using Azure Information Protection (AIP) to classify and protect sensitive documents and tagging insights across to Azure-based environments and using Power BI to secure and share those insights.

“It’s already speaking for itself,” says Skilton. “With recent flooding events, we’ve been publishing Power BI reports of damage, because we have that system in place. The Microsoft integration between insurance, CDOC monitoring, and incoming/outgoing data – we have those fundamental building blocks to make us agile so we can better manage those responses.”

Winning awards and lifting maturity

As a result of its transformation, Toka Tū Ake EQC received the IDC Best in Future of Industry of Ecosystems award in 2021 and the overall IDC Future Enterprise of the Year award for Australia and New Zealand. Maturity assessments also reflect the sea change, showing a lift from 40% to 70%, and the organisation’s reputation has been enhanced by its new, more secure operational processes.

“Having Datacom as a partner has given us the ability to provide solutions we couldn’t do on our own,” Skilton adds. “Our security team is 100% Datacom, and they’re engaged across all levels of EQC. They’re always working to enhance the value of bringing them into the organisation.”

Related industries
Public sector
Related solutions
Security Platforms & applications