New data from the National Cyber Security Centre (NCSC) indicates that while fewer New Zealanders report being harmed by cyber incidents, a smaller volume of high-value attacks is driving a rise in financial losses, with implications for insurers and intermediaries.
Research commissioned by the NCSC from The Research Agency (TRA) found that 27% of New Zealand adults who encountered an online threat in 2025 experienced some form of impact, down from 36% in 2024. Reported impacts included financial loss, lost productivity, and stress. Exposure to cyber threats remains widespread. The survey, conducted from Nov. 20 to 30, 2025, with a nationally representative sample of 1,011 New Zealanders aged 18 and over, found that 48% of adults had experienced some kind of online threat in the previous six months, similar to the prior year. NCSC chief operating officer Michael Jagusch said several factors may be contributing to the reduction in reported harm, including more consistent application of basic cyber security practices by individuals. “People are taking more necessary actions to keep themselves protected,” he said.
TRA’s findings show that 43% of respondents always enable two-factor authentication (2FA) on their main online accounts, up from 38% in the previous survey. The research also identified increased use of password managers. “People are exercising safer behaviours with their finances, prioritising security actions for banking accounts, followed by email and then social media accounts. The use of two-factor authentication on main accounts, ensuring passwords on accounts and devices are long, strong, and unique, and using password managers are key cyber security actions that we highly recommend,” Jagusch said.
Jagusch said these measures have been a focus of NCSC public campaigns over recent years. “Better password management and the use of 2FA have been key themes the NCSC has emphasised in campaigns over the past couple of years, so it’s pleasing to see this behaviour change but the job is never done. The increase in use of 2FA is great, but we would like to see that number increased further for New Zealanders’ online protection,” he said. One in five people who reported being impacted by an online threat said they suffered financial loss, indicating that monetary consequences remain a feature of household-level cyber incidents even as overall harm rates fall.
The research indicates that most New Zealanders recognise the importance of cyber security but do not always report incidents. TRA found 95% of respondents agree it is important to protect themselves online. However, only 56% said they reported a threat when they experienced one. Among those aged 55 and above, the reporting rate dropped to 47%, with apathy identified as a key barrier. “Reluctance to report threats or to perform key cyber security actions can come from a feeling of not knowing how to or feeling it is too complicated. We face a range of online threats, and we need people to report them so the NCSC can understand these threats and to inform our response,” Jagusch said.
Lower reporting rates may mean that the volume and pattern of cyber incidents – particularly smaller events that do not trigger claims – are not fully captured in formal data, with potential effects on exposure analysis, loss prevention services, and product design. The NCSC encourages individuals and organisations to report online security threats through its website, stating that aggregated information from reports is used to support national response planning and public guidance intended to reduce financial and emotional harm.
While the TRA survey points to a decline in the proportion of individuals suffering harm, the NCSC’s Cyber Security Insights report for the third quarter of 2025 (Q3 2025) highlights a different dimension of cyber risk. From July 1 to Sept. 30, 2025, the NCSC received 1,249 incident reports. Direct financial losses reported in the quarter totalled $12.4 million, a 118% increase on the $5.7 million recorded in the previous quarter. The centre attributed much of this rise to a small number of high-value incidents involving unauthorised or falsified transfers of funds.
The NCSC assessed 110 incidents as requiring specialist technical support because they were potentially of national significance, up 96% from 56 such incidents in the second quarter of 2025 (Q2 2025). Jagusch said increased unauthorised access to email accounts was a main factor, along with a broader lift in malicious activity attributed to financially motivated actors. Reports involving malicious software also increased. The NCSC highlighted recent developments in malware, including malware-as-a-service offerings that lower the technical barrier for cyber criminals. Scams and fraud remained the most frequently reported incident category, as they have been since the fourth quarter of 2024. The NCSC recorded a 50% increase in scams involving employment and business opportunities and has published material outlining common job-related scams and associated warning signs.
The data suggests an environment in which household-level cyber practices are improving, while organisational exposures are increasingly concentrated in fewer, higher-severity events such as business email compromise and sophisticated malware campaigns. These patterns have implications across cyber, crime, and financial lines, as well as SME policies, including how coverage responds to email compromise, unauthorised fund transfers, and system intrusion. The prominence of email-based attacks and authentication weaknesses may lead to closer attention on insureds’ payment verification procedures, uptake of 2FA on business-critical systems, and staff training around invoice changes and payment instructions.
At the same time, increased use of 2FA and password managers among consumers may inform minimum security requirements, underwriting questions, and pricing for personal and microbusiness cyber products. Persistent underreporting – especially among older age groups – indicates that client communication on when and how to report cyber incidents, both to the NCSC and to insurers, is likely to remain a focus for brokers and underwriters seeking to improve incident response, claims handling, and the quality of loss and exposure data.
