When, Not If: Preparing Your NZ Business for a Cyber Attack

In today's digital landscape, the question for New Zealand businesses isn't if you'll be targeted by a cyber attack, but when. Despite robust preventative measures, the reality is that sophisticated threats are constantly evolving, and a breach can happen to anyone.

However, whether that breach becomes a business-destroying disaster depends less on the breach itself than on how you deal with it.

Recent examples in New Zealand have shown just how damaging it can look when a business is unprepared and its public position is confused.

The following are just a few issues to consider.

1. The Blueprint for Chaos: Incident Response Planning (IRP)

This is your foundation. An Incident Response Plan (IRP) is a detailed roadmap outlining what your organisation will do before, during, and after a cyber attack.

Key elements of a robust NZ-centric IRP:

  • Identification: How will you detect an attack? What are the alarm bells?
  • Containment: How will you stop the spread of the attack and isolate affected systems?
  • Eradication: How will you remove the threat from your environment?
  • Recovery: How will you restore systems and data to normal operations?
  • Post-Incident Review: What lessons will be learned to prevent future incidents?

Official Guidance:

  • NCSC NZ: The National Cyber Security Centre offers NZ-specific playbooks and incident management advice.
  • NIST Framework: Internationally, the NIST Cybersecurity Framework provides the gold standard for incident response stages.

2. Practice Makes Perfect: Desktop Exercises

Having a plan is one thing; knowing it works under pressure is another. Desktop exercises involve walking through hypothetical attack scenarios with your leadership team and IT providers.

Why these are vital:

  • Identify Gaps: They expose weaknesses in roles and communication before a real crisis hits. This includes simple things like testing alternative means of communication for when the threat actor is in control of your usual channels.
  • Build Muscle Memory: Your team learns to react instinctively rather than panicking.
  • Test Communication: Who calls the CEO at 2:00 AM? Who talks to the bank, customers/clients, regulators, the media etc? What do they say and when?
  • Ransomware: There are varying views on paying a ransom to unlock systems. Considerations around the types of data being released, the operational chaos of having systems locked to users, remediation options, and reputational issues all come into play. Board members and senior leaders in your organisation may well have differing views. You don't want to be delaying while you work this out just as a threat actor is threatening to release exfiltrated data to the dark web.
  • Remediation: Can we actually get our systems back up and running quickly and securely? Have we tested that? How would we function in the meantime?

3. Financial Shield: Cyber Insurance

Cyber insurance is rapidly becoming a non-negotiable for Kiwi businesses, although it can be difficult to obtain and needs careful review to confirm coverage (e.g., where data is stored or processed in overseas cloud services). It can provide financial protection against the costs of a breach, which can easily spiral into the hundreds of thousands.

What it can cover:

  • Forensics & Legal: The cost of finding out what happened and your legal obligations.
  • Business Interruption: Lost income while your systems are down.
  • Privacy Act Fines: Assistance with regulatory issues under the Privacy Act 2020 and with other industry specific regulation.
  • Ransom: Navigating the minefield of paying/not paying a ransom.

4. Navigating the Legal Maze: The Privacy Act & Legal Counsel

New Zealand’s Privacy Act 2020 mandates that if you have a "notifiable privacy breach" (one that causes or is likely to cause serious harm), you must report it to the Office of the Privacy Commissioner (OPC) and generally (with some exceptions) to affected individuals.

Your preparatory steps:

  • Legal Counsel on Retainer: Have a firm with cyber expertise ready to go. You don't want to be "shopping" for a lawyer while your data is being leaked.
  • Breach Thresholds: Ensure your team knows what constitutes "serious harm" under NZ law.
  • Ransom: Understand the legality of, and the processes involved in, paying a ransom.
  • PR Review: Cases in Australia have shown that ill-advised PR that has not been reviewed through a legal lens can create liability issues. Having a lawyer whom your PR team trusts is invaluable.

5. Managing the Narrative: Public Relations (PR)

A cyber attack is a reputation crisis as much as a technical one. How you communicate to your customers, staff, and the public will define your brand's future and can also impact your legal position with regulators.

Key PR preparations:

  • Crisis Comms Plan: Draft templates for emails to customers and media statements.
  • Single Source of Truth: Designate one spokesperson so the message remains consistent.
  • Transparency: Being honest about what you know (and what you don't) builds more trust than silence.

In Conclusion: Be Resilient, Not Just Reactive

The digital threat landscape is unforgiving, but preparation is a powerful tool. By investing in planning, insurance, and practice now, you ensure that a "hack" is a manageable business disruption rather than a terminal event.