It’s 2025, and cybercrime is no longer a distant threat or a “big company” problem. If you’re running a business in Aotearoa, chances are cyber risks are already knocking at your door.
A brilliant recent legal update from Simpson Grierson paints a stark picture of how the landscape is changing — fast. From skyrocketing cyber-attacks to legal actions against directors, here’s what you need to know (and do) to stay ahead of the threat.
The Numbers Don’t Lie
- Cyber-attacks up 44% globally in 2024.
- NZ’s NCSC reported $6.8M in direct losses in Q4 alone.
- 1,358 cyber incidents were recorded last quarter — 100 had potential for national harm.
- Ransomware gangs collected US$1.1B in crypto ransoms last year.
- 95% of breaches globally are caused by human error.
- If cybercrime were a country, it would be the 3rd largest economy in the world.
Still think your business is too small to be a target?
Your Board Is on the Hook
Here’s the kicker: it’s not just your IT team’s problem. Directors are increasingly being held personally liable for poor cyber governance. That includes:
- Failing to prevent a breach.
- Failing to respond properly to a breach.
- Making misleading statements about your security.
While we haven’t seen high-profile director prosecutions in NZ yet, legal action is already underway across the ditch — and it’s only a matter of time before that wave reaches our shores.
Class Actions Are Coming
Australia’s seen class actions against Optus, Latitude Financial and Medibank after major breaches. In each case, consumers and shareholders claimed the companies didn’t take adequate steps to protect sensitive data.
NZ hasn’t had a cyber class action yet — but given the trend in litigation and the rise of litigation funders, it’s just a matter of when, not if.
What Regulators Are Doing
- The Office of the Privacy Commissioner (OPC) is naming and shaming offenders, issuing compliance notices, and calling for stronger enforcement powers.
- The FMA and RBNZ are increasing their scrutiny — especially for financial services and insurance firms — with breach notification rules and big penalties.
What Directors and Business Leaders Must Do
Let’s get practical. If you’re a director, this is your wake-up call.
You must:
- Make cyber risk a regular board agenda item.
- Have a clear risk register and update it regularly.
- Ensure appropriate security controls and policies are in place.
- Respond quickly to vulnerabilities — don’t sit on known issues.
- Train your staff — because human error is your #1 threat.
- Have a breach response plan and rehearse it.
- Decide now how you’ll handle ransom demands. The NZ Govt says don’t pay, because it just puts you on the hacker’s preferred client list.
Take a moment to review your insurance policy; most business plans need additional cyber insurance to cover cyber-attacks. Make sure you have the necessary protections in place so your claims are not denied.
Comms Can Make or Break You
If you’re breached, your internal comms strategy matters just as much as your technical response. Avoid blame, speculation, or loose language — those emails may end up in court.
Get legal involved early. Legal privilege isn’t automatic, and if you’re not careful, even your own consultants’ reports could be dragged into discovery.
Final Thoughts
Cyber risk isn’t just a tech issue. It’s a people, process, governance and legal issue too. And it’s moving faster than most boards realise.
Don’t wait until your data is on the dark web to act. Be proactive. Build your resilience now.
And if you’re not sure where to start, that’s exactly why cyber resilience partners exist. Want help getting your cyber risk house in order? Get in touch for a free cyber chat over coffee.