
Cyber Security

Meridian Energy is committed to maintaining high standards of cyber security. We are focused on safeguarding customer and company data, ensuring compliance with industry regulations, and proactively managing cyber risks.

By fostering a positive culture of cyber security awareness and resilience, we aim to maintain safe, secure, and reliable information systems and operational technology infrastructure that support Meridian’s business goals and uphold the trust of our customers, staff, and stakeholders.

Our Cyber Security Programme

At the core of our approach is a comprehensive Cyber Security Programme, overseen by our Chief Information Officer and implemented by the ICT Security Team. This involves security policies and standards, security risk management activities, effective cyber security awareness and training for our people, and a cross-business approach overseen by an Information Security Governance Board (ISGB).

This board, chaired by our Chief Information Officer, is comprised of senior staff from across the business who are responsible for oversight and direction of cyber security governance, risk management, and compliance activities. This includes:

  1. championing cyber security awareness across the business at all levels;
  2. overseeing Meridian's cyber security governance of people, process, and technology;
  3. reviewing audit reports and ensuring management responses are developed and executed; and
  4. reviewing all security reporting requirements and metrics.

The Information Security Governance Board meets every two months and submits reports to the Meridian Board of Directors.

Cyber Security Sub-Committee

Meridian's Cybersecurity Sub-Committee, appointed by the Board of Directors, works to identify, assess, and manage the company's cyber risks. With at least three Directors and an independent security advisor, the Committee keeps the Board informed on cyber matters. 

The Committee also oversees the entire cybersecurity program, making sure it effectively manages risks, develops policies, ensures compliance, and responds to incidents. This includes allocating resources, managing risks from vendors, and providing strategic direction for Meridian's overall cybersecurity efforts.

To achieve these goals, the Committee meets with the Chief Executive, the Chief Information Officer, the General Counsel and Company Secretary, and the Information Security Manager. Other relevant representatives from management and staff can also be invited to attend meetings.

Meridian’s Cybersecurity Risk Management Structure

[Organisation chart: Cyber Security Sub Committee; Board of Directors; Chief Executive; Chief Information Officer; Information Security Governance Board; Information Security Manager; ICT Security Team]

Information Security Policies

Meridian’s information security policies aim to ensure that Meridian's information assets are protected from unauthorised access, use, disclosure, disruption, modification, or destruction. The company’s Information Security Policy (ISP) establishes our security governance framework, defines key security roles and responsibilities for our employees, contractors and third parties, and clearly sets out our intent to safeguard our information assets and systems from unauthorised actions that affect their confidentiality, integrity or availability.


Information Security Policy (PDF)

Cybersecurity Strategy 2024-2025

In June 2023, Meridian completed the FY24-25 cybersecurity strategy, focusing on seven key objectives to protect Meridian from significant security incidents and support our strategic goals. 

Our purpose is to foster a positive security culture to keep our people and technology cyber safe and secure, with the ambition that cybersecurity is actively adopted and practised at all levels of the business, aiming for continual improvements in our cyber resilience. We aim to make cybersecurity a part of everyday business and continuously improve our defences.

Our approach is to know what we are protecting, understand the threats, assess the risks, and use the best measures to keep us safe. We have aligned our strategy with the Australian Energy Sector Cyber Security Framework (AESCSF) and New Zealand’s National Cyber Security Centre Framework.

Meridian Cyber Security Strategy FY24-25

Meridian Cybersecurity Strategic Initiatives FY24

Certified Compliance

Meridian and Powershop NZ are certified compliant with the Payment Card Industry Data Security Standard (PCI DSS), ensuring that we meet the stringent security requirements for handling cardholder data. The rest of the Meridian Group operates under an Information Security Management System (ISMS) that aligns with both the NIST Cybersecurity Framework (NIST CSF) and the Australian Energy Sector Cyber Security Framework (AESCSF).

Our commitment to the AESCSF framework ensures we maintain industry-specific best practices. We regularly conduct self-assessments to identify areas for improvement and go a step further by engaging independent experts for annual reviews. These experts evaluate our cybersecurity maturity using the AESCSF Capability and Maturity Assessment. This not only verifies our compliance but also pinpoints areas where we can strengthen our defences. This proactive approach strengthens our cyber resilience, ensuring the continued reliability and security of our critical infrastructure and operations.