Catriona Robinson, head of New Zealand's National Cyber Security Centre, signed her name to a Five Eyes statement on Sunday that gave the AI cyber threat one of its sharpest deadlines yet. Frontier AI models are approaching a point where they will "fundamentally transform both offensive and defensive cyber capabilities." The timeline is not years - it is months.
New Zealand was a co-author of the warning, which means it speaks directly to the threat environment New Zealand organisations are operating in right now - not some distant concern for larger markets.
That environment is already under pressure. Gross reported fraud losses to New Zealand banks reached $265 million in the 12 months to October 2025, according to MBIE, with approximately $126 million involving authorised payment scams - exactly the kind of loss that deepfake-assisted business email compromise and social engineering attacks produce. Kordia's 2026 Business Cyber Security Report found that attacks exploiting AI-related vulnerabilities more than doubled year on year, and staff misuse of AI is now one of the top three cyber concerns for New Zealand organisations.
The coverage picture is complicated. Gallagher's New Zealand research, published this week, warns that AI liability is shaping up as the next silent risk - echoing the early cyber insurance experience, where exposures sat quietly within traditional policies until claims emerged. Around 87% of New Zealand organisations are already using AI in some form, but governance and coverage have not kept pace. Jeffrey Gonlin, chief underwriter at Emergence Insurance, has a way of framing what that gap means in practice: "It might be that AI just makes everybody a super cyber criminal, and that turbocharges everything."
Casper Rogers, Senior Broker at Assured, warns insurers may revisit language akin to Chubb's previous Widespread Vulnerability Exclusion to limit aggregated exposure from mass incidents. Tim Johnson, Partner and Head of Insurance at law firm Browne Jacobson, adds a subtler concern: many cyber policies define a hacker as a person, meaning some wordings may simply not pick up an AI attacker, with unintended consequences either way.
The NCSC-NZ has issued guidance twice in the past six weeks - first on agentic AI risks in May, now on the broader AI cyber threat. The February 2026 government discussion document on critical infrastructure cyber security found that 80% of private sector experts said their organisations lacked basic cyber hygiene for operational technology. The Five Eyes statement's call to "prepare for incidents before they happen" lands harder in that context.
For New Zealand brokers, the advisory is a practical conversation starter. Patch faster. Cut unnecessary exposure. Sort out legacy systems. Tighten access controls. And check the policy wording. Ed Ventham of Assured is clear on this: "We would encourage businesses to be asking for AI to be affirmatively covered within their policy to avoid any potential knee-jerk changes from a potential upcoming and heightened risk landscape."
Johnson also points to a broader problem AI attacks will amplify: clients assuming that having a cyber policy means having cyber cover. "Cyber cover is shorthand for a whole load of different cyber-based coverages," he said. With more attacks and more victims, that gap will become harder to ignore, and harder to defend.
Help clients test their incident response plans before they need them - the Five Eyes have just said the next test may come sooner than anyone expects.
