Cybersecurity at Meridian Energy

Meridian Energy is committed to maintaining high standards of cybersecurity to safeguard customer and company data, ensure compliance with industry regulations, and proactively manage cyber risks. By fostering a culture of cybersecurity awareness and resilience, we maintain secure and reliable information systems and operational technology infrastructure that support our business goals and uphold the trust of our customers, staff, and stakeholders.

Our Cybersecurity Approach

At the core of our cyber security strategy is a comprehensive programme overseen by our Chief Information Officer (CIO) and implemented by our dedicated Security Team. It includes cyber security governance, risk management, awareness, training, and education initiatives, and cross-business collaboration to ensure a consistent and effective approach to cyber security.

Governance Structure 

Information Security Governance Board (ISGB)  

Operating under a formal charter, the Information Security Governance Board (ISGB) is chaired by our CIO and comprises senior representatives from across Meridian's business divisions. The board provides essential oversight for cyber security risk management activities, ensuring Meridian can achieve its mission and business objectives through robust cyber security governance, policy endorsement, incident response oversight, and strategic risk management planning. 

Cyber Security Committee 

Our Board-level Cybersecurity Committee, composed entirely of independent directors, assists the Board in overseeing cyber, information, and data security risks. The Committee provides governance oversight of cybersecurity strategies, risk management frameworks, crisis response plans, and emerging technology risks.

Cybersecurity Policies and Standards 

Meridian maintains cybersecurity policy documents to govern the protection of our information and digital assets: 

  • Information Security Policy: Defines our approach to managing information security across the organisation 
  • Cybersecurity Policy for Third Parties: Sets cybersecurity requirements for all third parties who access or manage Meridian's systems or data 
  • Information Classification and Protection Policy: Establishes our framework for protecting information based on sensitivity and business importance 
  • Cybersecurity Standard: Defines cybersecurity baselines aligned with recognised best practice frameworks,  

Cybersecurity Strategy 

Our cybersecurity strategy focuses on protecting Meridian from security incidents while supporting our strategic objectives. Our purpose is to foster a positive security culture that keeps our people and technology cyber safe and secure, with cybersecurity actively adopted and practised at all levels of the business. 

Strategic Alignment 

We have aligned our cybersecurity approach with: 

  • Australian Energy Sector Cyber Security Framework (AESCSF) 
  • New Zealand's National Cyber Security Centre Framework 
  • NIST Cybersecurity Framework 

Our methodology follows a risk-based approach: understand what we're protecting, assess the threats, evaluate the risks, and implement appropriate security measures. 

Training, Awareness and Education 

Meridian runs a comprehensive cybersecurity awareness and culture programme designed to promote cyber-safe behaviours and reduce cyber security risk. This includes:

  • Mandatory training for all employees and contractors
  • Role-specific training for customer-facing teams
  • Support for professional development in cyber security 
  • Simulated phishing exercises 
  • Security incident response training and exercises 
  • Awareness campaigns on current cyber threats 

Standards and Frameworks 

Industry Standards Compliance: 

  • PCI DSS Certification: Meridian and Powershop NZ maintain Payment Card Industry Data Security Standard (PCI DSS) compliance for secure handling of cardholder data 
  • Information Security Management System (ISMS): Guided by the NIST Cybersecurity Framework and the Australian Energy Sector Cyber Security Framework (AESCSF)
  • Regular Assessments: Annual independent cybersecurity maturity assessments using AESCSF frameworks

Our proactive compliance approach includes regular self-assessments and independent expert reviews to identify improvement opportunities and strengthen our cyber resilience. 

Commitment to Security 

As a critical infrastructure provider, Meridian Energy recognises our responsibility to maintain robust cybersecurity practices that protect not only our operations but also the broader energy ecosystem we serve. We continuously evolve our cybersecurity capabilities to address emerging threats while ensuring the reliable delivery of essential services to our customers and communities.