A January cyber incident at Whangārei-based electrical contractor McKay, which was later listed on a darknet leak site by a newly emerged ransomware group, has implications for cyber insurance, showing how an attack on a contractor can generate direct response costs, potential business interruption, and third‑party liabilities that fall within, or test the limits of, cyber and liability cover for organisations operating in New Zealand’s infrastructure and energy sectors.
According to Cyber Daily’s report, McKay – an electrical contractor based in Whangārei, New Zealand – confirmed that it experienced unauthorised access in January after its name appeared on the leak site of a group calling itself Mnt6 at the end of April. Mnt6 listed McKay on April 30 alongside another organisation and has so far named three alleged victims in total, with the other two based in Canada. The group’s site includes limited information about its structure or motivations. One cyber security provider has assessed that Mnt6 likely operates as a data broker, rather than relying solely on traditional ransomware tactics.
After learning of the listing, McKay obtained an injunction from the High Court at Auckland restricting disclosure of data said to be affected by the incident. The order narrows what can be reported about the nature of any compromised information while internal investigations and any regulatory processes continue. McKay said it first detected the incident in January and that it involved a single internal device. “We immediately initiated our cyber security response plan while the unauthorised access was isolated and contained. Our IT systems have continued to operate securely throughout this period. This has been independently reviewed and verified by a third-party cyber security specialist,” a McKay spokesperson said, as reported by Cyber Daily.
The spokesperson added: “All customers and relevant individuals involved were notified and received updates as our investigation continued. The incident was also reported to the appropriate authorities, including the Office of the Privacy Commissioner and the National Cyber Security Centre.” The company said it is working with external specialists to strengthen its network security and is actively monitoring for “any further suspicious activity.”
Headquartered in Whangārei, McKay operates from nine sites around New Zealand and provides design, engineering, construction, and maintenance services across infrastructure, renewable energy, and marine projects, including street lighting programmes, district-wide electrical work, and solar developments. An incident involving a contractor with this footprint may prompt closer scrutiny of supply chain exposures, contingent business interruption, and cyber coverage for project-critical vendors.
The McKay incident has emerged at the same time as research indicating that many New Zealand organisations may be placing more emphasis on detection than on formal recovery and continuity planning. In Datacom’s latest survey of 714 security leaders across New Zealand and Australia, only 30% of New Zealand organisations reported having a business continuity or cyber incident response plan in place. By contrast, survey respondents expressed comparatively high confidence in their current security posture. Among New Zealand participants, 73% said they had sufficient visibility of risks, vulnerabilities, and compliance, and 78% believed they had the internal resources required to manage a cyberattack. This pattern points to a potential gap between technical capability and structured planning that could affect the duration and cost of outages following an event.
“Organisations have invested heavily in monitoring and detection, but they are falling short when it comes to recovery, posing significant risk to operations. The priority now is not another dashboard but engineered resilience – from containment to stabilisation to rapid recovery,” said Mark Hile, managing director, infrastructure products, Datacom, as reported by Security Brief. Hile said resilience depends on rehearsed continuity plans, clear decision rights, and metrics that measure how quickly operations return to normal, not only how fast incidents are detected. “When an organisation can't operate for days or weeks, the fallout is significant – customers lose access to essential services, supply chains stall, and trust in the brand erodes. Responding quickly enough to protect the people who rely on you is the part that needs far more attention,” he said.
Four in 10 respondents across New Zealand and Australia said they expected to recover from a major cyber incident within days. Datacom contrasted those expectations with examples where production stopped for weeks and full recovery took months. “The gap between how quickly leaders believe they can recover and how long recovery actually takes is not a technology problem; it’s a preparedness problem,” said Collin Penman, Datacom’s chief information security officer, as reported by Security Brief.
For New Zealand respondents, employee culture and training ranked as the top cyber priority at 16%, followed by data protection, threat detection and monitoring, and cyber strategy and governance, each at 14%. AI-enabled attacks, including phishing using deepfakes and synthetic identities, were cited as leading concerns, with automation compressing response windows and adding pressure on internal security teams.
Data from the National Cyber Security Centre (NCSC) indicates that reported cyber incidents in New Zealand are resulting in higher aggregate financial losses, driven in part by a small number of large cases. In its Cyber Security Insights report for the third quarter of 2025, covering July 1 to Sept. 3, 2025, the NCSC recorded 1,249 incident reports. Direct financial losses reported for that quarter totalled $12.4 million, compared with $5.7 million in the previous quarter, an increase of 118%. The NCSC attributed much of the rise to several high-value cases involving unauthorised or falsified transfers of funds.
Of the total incidents, 110 were triaged for specialist technical support because they were of potential national significance, up from 56 in the previous quarter, a 96% increase. Reports involving malicious software also grew over the quarter. Scams and fraud remained the most reported incident category, with 446 reports, while phishing and credential harvesting accounted for 355 reports. The NCSC also observed a 50% increase in scams involving employment and business opportunities.
The McKay incident, Datacom’s survey results, and the NCSC statistics together point to several themes: exposure concentrated around email and identity compromise, recovery timelines that may exceed internal expectations, and rising loss severity driven by a smaller number of high-value incidents. These developments may influence underwriting criteria, pricing structures, coverage conditions, and risk management expectations for New Zealand policyholders, particularly in sectors that rely on complex contractor networks and uninterrupted access to essential infrastructure and services.
