Catch-up or pay up: New Zealand's cyber resilience gap falls to brokers

Two recent government papers signal a regulatory reckoning for local businesses — and cyber insurance brokers are on the front line

By Daniel Wood

New Zealand is losing more than $1.6 billion annually to cybercrime, 59% of large businesses experienced a cyber incident in the past year, and yet many organisations still believe they are better protected than they are. That is the uncomfortable picture painted by two papers released in February 2026 by the Department of the Prime Minister and Cabinet: New Zealand's Cyber Security Strategy 2026–2030 and Enhancing the cyber security of New Zealand's critical infrastructure system. Both documents set out a frank acknowledgement that the country is overdue for a reckoning — and that brokers will be central to delivering it.

"Our regulators are nowhere near as punitive as the likes of Australia," said Duncan Morrison, cyber practice leader at Aon New Zealand.

The numbers are hard to argue with. The critical infrastructure paper reveals New Zealand ranks 49th on the National Cyber Security Index — the lowest of all Five Eyes partners — and sits in the third tier of the Global Cybersecurity Index, while Australia, Canada, the UK and the US all occupy the first. It is the only developed economy in that tier.

That gap has direct trade consequences too.

"There's talk that our regulation could at some stage lose GDPR adequacy," Morrison warned — a scenario that would create significant friction for any New Zealand business with European clients or partners, since GDPR adequacy status allows cross-border data flows without additional legal mechanisms. The strategy is explicit: without keeping pace, that status is not guaranteed.

The threat environment makes the timing more urgent still. The critical infrastructure paper confirms that Salt Typhoon — a threat group affiliated with the People's Republic of China — has been observed targeting New Zealand entities, mirroring a campaign that compromised at least nine major US telecommunications providers.

The 2021 Waikato District Health Board ransomware attack, the NZX cyber attack in 2020 and the December 2025 Manage My Health breach — which compromised up to 126,000 patient records — are cited as markers of how consequential these incidents have become.

For Morrison, the direction of both documents is clear.

"The theme across both papers is recognising we're behind and need to build a framework and strategy to address that," he said.

The Cyber Security Strategy's four objectives — Understand, Prevent and Prepare, Respond, and Partner — outline a phased roadmap, with an immediate Action Plan for 2026–2027. The critical infrastructure paper goes further, proposing mandatory requirements for approximately 200 of New Zealand's most significant entities across seven essential services — from energy and finance to health, transport, and communications. Those entities would be required to develop and maintain a risk management program aligned with internationally recognised frameworks such as NIST CSF or ISO 27001, and to report significant cyber incidents within 72 hours. The consultation closed in April 2026, and regulatory action is expected to follow.

From IT problem to board-level risk

The cultural shift required is as significant as the regulatory one. The Cyber Security Strategy notes a troubling paradox: while more than half of New Zealanders consider their cyber security knowledge intermediate or advanced, basic practices like password hygiene continue to be ignored. Businesses are equally prone to overconfidence — a 2025 Datacom survey found a clear divide between how leadership and staff assess their organisation's actual preparedness.

Morrison has seen this play out at client level for years. The old dynamic — where a CISO or CTO would tell senior management the controls were solid and cyber insurance unnecessary — has faded but has not disappeared. The conversation has shifted from "it's never going to happen to us" to one that assumes a breach will occur; the question now is how quickly and effectively an organisation can respond.

That shift needs to flow all the way to the top. Boards can no longer afford to outsource understanding to a technical team and simply sign off on whatever they are told. The impacts of a cyber event stretch well beyond systems recovery — revenue loss, contractual liability, reputational damage and growing scrutiny from investors and shareholders all follow.

Compulsory cyber insurance?

The discussion around compulsory cyber insurance for critical infrastructure entities — raised in the government's consultation — illustrates the complexity of that challenge. Morrison's instinct as a broker is that mandating coverage would be counterproductive: organisations focused only on obtaining a certificate of compliance tend to buy the cheapest possible cover, access none of the benefits, and leave themselves exposed in practice. Real value from cyber insurance, Morrison argues, comes from full engagement — embedding it into incident response plans, onboarding with the insurer, and activating the panel of specialist vendors — ransomware negotiators, forensic accountants, PR advisors — that quality policies provide. The certificate is not the point; the ecosystem behind it is.

What good governance actually looks like

The critical infrastructure paper explicitly frames cyber security as a fiduciary duty, proposing that directors of critical infrastructure entities be personally responsible for compliance — with criminal penalties for the most serious breaches of up to $500,000 for individual directors, and up to $5 million or 2% of annual turnover for entities.

For boards across all sectors, the message is the same one Morrison delivers to clients every day: "In terms of what good looks like — it's informed and regular oversight." Cyber reporting should be a standing item at every audit and risk committee, presented in language that non-technical board members can interrogate and challenge.

Historically, boards deferred because they lacked the vocabulary to push back. That is no longer an acceptable position — and soon, for many entities, it will not be a legal one either.

The infrastructure paper also flags a sobering detail on supply chain vulnerability: 80% of private sector experts surveyed said their organisation lacked basic cyber hygiene for operational technology, and approximately 35% of SCADA assets — the systems controlling physical infrastructure — are at or nearing end of life.

The CrowdStrike outage of July 2024 demonstrated how a single vendor failure can cascade: it resulted in at least $5.4 billion in costs globally. The proposed regime would require supply chain vendors with operational control over critical components to support entities in meeting their obligations — a recognition that risk does not stop at the organisation's boundary. For brokers, that expanding perimeter only deepens the consultative role they are already being asked to play.
