Cyber Crime
What can NZ learn from Australia about cyber security threats?
This article originally appeared in The Post
OPINION: In New Zealand, we tend to think of critical infrastructure resilience through the lens of natural disasters, such as the one that’s hit this weekend. But it’s important to heed another very real and growing threat to our national security: cyber-attacks on New Zealand critical infrastructure.
That’s why the Government opened consultation on this very topic earlier this year, at the same time as it launched its new Cyber Security Strategy. It’s no secret that New Zealand lags global peers in cyber readiness. Australia ranks much higher on the National Cyber Security Index than New Zealand (21st in the world, compared to New Zealand’s 62nd).
As someone who’s worked in information and cyber security on both sides of the Tasman, it’s clear to see where the opportunities are, and what to watch out for. So as New Zealand looks to bolster its preparedness for rising cyber security threats, what are the lessons we can learn from across the ditch?
How effective are penalties?
One of the topics within the consultation that has drawn the most attention is the proposed penalties for critical infrastructure organisations that suffer a breach.
Proposed ‘compliance tools’ target both critical infrastructure entities and directors. For a ‘critical breach’, entities could be fined up to the greater of 2% of turnover or $5 million, and directors liable for up to $500,000.
There are two main reasons for imposing penalties. The obvious one is to incentivise organisations to beef up their cyber security, but it can also encourage better reporting of cyber incidents – which in turn increases visibility and helps us better protect ourselves as a nation. Consider that the maximum fine for failing to report a data breach in New Zealand is currently $10,000, compared to A$50 million in Australia.
Interestingly, while no prosecutions or penalties have yet been issued in Australia, the number of Australian Cyber Security Centre (ACSC) notifications of threat activity against critical infrastructure entities rose to 190 in 2024-25, a 111% increase over 2023-24. This increased visibility into critical infrastructure cyber security – spurred in part by the hefty threat of penalties – is something New Zealand should observe and learn from.

Who should be in – and out of – scope?
We should also ask questions about which organisations are ‘in scope’ in New Zealand, and what is classed as a ‘critical infrastructure’ entity here.
For example, vendors and suppliers for traditional critical infrastructure entities (think communications, transport, energy, water, and the like) often have integrated software systems. A breach of their systems could directly impact the critical infrastructure entity – and our national security. Do these third-party software providers need to also be in scope as ‘critical infrastructure’, subject to the same oversight and penalties?
And in Australia, airlines are in scope, given their crucial role in the national tourism infrastructure. These considerations could vastly expand the number of businesses that need to ensure their cyber security is up to scratch.
In Australia, we’ve seen a ‘rising tide’ of cyber risk investment even for organisations that fall outside of scope. Likewise, increased board-level awareness of cyber security may trigger a commensurate lift in cyber preparedness across the entire cyber sector in New Zealand.
What are the flow-on business effects?
As with any Government policy, it’s worth considering what the flow-on effects may be for businesses in the critical infrastructure sector.
One such flow-on effect could potentially impact directors’ and entities’ insurance broking and policies. With the proposals to create criminal offences alongside the significant financial penalties, watch out for changes to coverage, disclosure, obligations, and exclusions in future policies.
The Government’s consultation period closed on April 19. With our neighbours and other leading economies more advanced in this space, there are a lot of lessons New Zealand critical infrastructure entities can take to begin preparing for change now.
My advice: start now. We shouldn’t wait to be told what we need to do. Taking a proactive stance and understanding what’s needed now, from a resource and budgeting perspective, will help ensure your entity’s robustness and viability.
Because being prepared means everyone wins.