Cyber security in New Zealand is facing a rapidly evolving threat landscape, with cybercriminals now using advanced AI tools to launch faster, more personalised attacks. Despite growing awareness, many boards are not keeping pace, with stagnant cyber risk reporting and limited AI governance. New Zealand boards must urgently prioritise cyber security as these threats grow more sophisticated.
A review of the past year’s biggest cyber breaches has been a case study in how the cyber threat landscape is shifting. When major global brands such as Asahi and Jaguar Land Rover found themselves at the centre of highly disruptive breaches, the public saw only the immediate headlines. Those of us who work at the coalface of cyber security recognised these incidents as an indicator of something more profound.
Cyber-criminal groups now operate with unprecedented speed, aided by AI tools that generate convincing deepfakes, mimic voices, and breach systems with a level of automation that would have been unthinkable a few years ago. If global organisations with deep security budgets are struggling, the implications for New Zealand businesses should be front of mind for every board.
The 2025 Institute of Directors Director Sentiment Survey makes it clear that technology is firmly on the agenda, yet cyber assurance is not keeping pace. While 60.6 per cent of boards are now working with management to understand how AI and digital technologies can lift productivity (a sharp rise from last year) only 57.2 per cent say cyber risks are regularly discussed at the board table, down from 62.2 per cent in 2024. Likewise, only 55.2 per cent of directors say they are receiving comprehensive data breach or cyber risk reporting, a figure that has remained virtually unchanged for the past three years. This stagnation comes at a time when attacks are accelerating, becoming more personalised, and exploiting vulnerabilities across cloud platforms and supply chains.
The survey also highlights a deeper capability gap. Fewer than half of directors, just 48.4 per cent, believe their boards have the right skills to navigate increasing business complexity, including the new risks introduced by AI. Yet AI and digital disruption have now risen to become the second most significant strategic issue for boards. Shadow AI is already well established in many organisations, but only 16 per cent of boards have adopted even basic policies to govern its use. The result is a widening gap between the rate of digital adoption and the sophistication of governance surrounding it.
This mismatch is troublingly familiar to anyone advising boards from a cyber security perspective in New Zealand. In many organisations, AI tools are being enthusiastically adopted by staff, often without the IT department’s oversight, exposing sensitive information to platforms that were never designed to manage it. This sets a troubling scene for 2026.
The IoD’s research contains another telling insight: the use of external expert advice is declining. Only 59.4 per cent of directors say their boards seek independent guidance on strategy and risk, down from 64.9 per cent the previous year. This softening is occurring just as governance expectations for cyber, privacy and AI oversight are becoming more stringent internationally. It is difficult to reconcile the pace of change with a reduced appetite for specialist support. The reality is that boards cannot credibly meet their duties or protect organisational resilience on such complex topics without drawing on deep technical expertise.
New Zealand still struggles with a lingering sense of “it won’t happen to us.” Yet every organisation, regardless of size, holds something of value to an attacker, be that money, data or access to a supply chain. As larger enterprises harden their defences, smaller and mid-sized organisations become more attractive targets. And as AI lowers the barrier to entry for sophisticated attacks, the cost for criminals to strike is falling fast.
For boards, the message is straightforward. If organisations are embracing AI, automation and digital transformation, then information security must be the lens through which those initiatives are examined. Without that, innovation risks outpacing controls and decisions intended to drive productivity can create exposure that is far more costly in the long run.
As an advisor on cyber security to a wide range of organisations across New Zealand, my strongest recommendation to our clients is that boards must deepen their engagement on cyber risk. Make it a standing agenda item. Demand regular, meaningful reporting from management. Ensure the organisation has clear policies governing AI use and insist on clarity around how new technologies are being trialled or deployed. Most importantly, lean on trusted experts. Cyber risk today is too complex, too fast-moving, too consequential to navigate without specialist insight. Boards do not need to become technical authorities, but they do need to demonstrate informed, credible oversight.
The threat environment will continue to evolve, shaped by technologies that offer immense opportunity but also profound risk. Boards that recognise this, and act decisively now, will be the ones that protect their organisations, preserve trust and enable innovation to flourish safely in the years ahead.
Talk to our experts about how to strengthen your governance practices, implement AI risk controls, and build cyber resilience for the years ahead.
Cyber threats are accelerating in sophistication, particularly with the rise of AI-driven attacks. Boards must now treat cyber security as a strategic priority to safeguard their organisations from financial, reputational, and operational damage.
Boards should make cyber risk a regular agenda item, request detailed reporting, establish clear AI policies, and seek guidance from external cybersecurity experts to ensure informed oversight.