In today’s digital landscape, cyber security is a critical concern for businesses of all sizes. However, Small and Medium Enterprises (SMEs) in New Zealand are particularly vulnerable to cyber threats. Despite their smaller size, SMEs often handle sensitive data and maintain connections with larger organisations, making them attractive targets for cyber criminals. Recent research also underscores significant gaps in the cyber security measures of New Zealand SMEs, meaning they are often viewed as low-hanging fruit by cyber attackers.
A report from the National Cyber Security Centre (NCSC) highlights that many SMEs are struggling to keep up with evolving cyber threats. In fact, one-third of New Zealand SMEs have experienced at least one cyber attack in the past six months. While 55% of SMEs acknowledge cyber security as a priority, only 48% feel adequately prepared to handle a potential incident.
The vulnerability of SMEs is further underscored by their often reactive approach to security – acting only once they have been targeted by a cyber attack. This is a recipe for disaster, especially when many fail to execute basic practices such as keeping software updated and regularly backing up their data.
This article outlines practical steps SMEs can take across operational, leadership, legal, and technical levels to address these challenges, creating a more secure environment while driving effective risk reduction.
Cyber attacks and data breaches are no longer rare or limited to large overseas organisations, such as financial institutions and multinational technology companies. Two recent New Zealand examples demonstrate that cyber security issues are well and truly impacting New Zealand organisations and their users.
Mercury IT ransomware attack
Mercury IT is a New Zealand based private data services company. In late 2022 it suffered a ransomware attack during which cyber attackers illegally obtained confidential data stored on behalf of Te Whatu Ora Health New Zealand and the Ministry of Justice. The unidentified attackers threatened to publish the confidential data on the dark web unless their ransom demands were met.
The ransomware attack received extensive media attention, and there was a significant risk that the confidential data would be used and published by parties other than the attackers. The plaintiffs therefore sought an urgent, without notice, injunction against “unknown defendants”.
The High Court made interim orders restraining the unknown defendants from accessing and using the illegally obtained data, and requiring the defendants to delete any copies of the data in their possession. The Court also directed service of the orders on the Office of the Privacy Commissioner and various news media organisations.
This case highlights the ability of the New Zealand courts to intervene at short notice even where the defendants are unknown.
Latitude Financial
In March 2023, New Zealand’s largest cyber breach occurred when personal customer records held by Latitude Financial were exposed, including driver’s licences, passports, and sensitive financial data. Up to 14 million customers in New Zealand and Australia were affected, and the breach is reported to have cost the company at least $95 million.
The Latitude Financial data breach resulted in the first joint investigation by the New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC). In addition, a 73,000-person class action is ongoing in Australia, among other legal challenges.
The risks of cyber breaches are many and varied. We highlight some of the key risks here.
Litigation arising from cyber breaches
Unsurprisingly, a rise in cyber attacks has been accompanied by a rise in litigation.
In addition to the Mercury IT and Latitude Financial cases, the Australian Securities & Investments Commission (ASIC) has brought proceedings against RI Advice Group, an Australian Financial Services Licence holder. Nine cyber security incidents occurred at RI Advice, compromising the personal information of thousands of clients, some of whom reported unauthorised use of their personal information. The Federal Court of Australia ordered RI Advice to pay $750,000 towards ASIC’s costs and, at its own expense, to engage a cyber security expert to identify any further measures for RI Advice to implement. This decision also has potential implications for directors’ and officers’ cyber security obligations.
Class action litigation is becoming more common in the cyber breach space. Recently, in Australia, two significant class actions have commenced arising from cyber attacks at Optus and Medibank. The Optus data breach affected up to 10 million current or previous customers, while the Medibank breach involved 9.7 million current and former customers. These proceedings involve breach of contract and negligence claims.
The international rise in class actions involving cyber breaches is likely to reach New Zealand in the not-too-distant future. This is particularly so given the New Zealand Supreme Court’s confirmation that class actions can proceed on an opt-out basis, so that all eligible claimants are part of the class by default. The growth of third-party litigation funding in New Zealand may also encourage class actions.
Regulatory compliance and investigations
In New Zealand, the OPC has broad powers to conduct compliance investigations and complaint investigations under the Privacy Act 2020. The OPC issued the first compliance notice under the new Act in 2021 after a cyber attack breached one of the Reserve Bank of New Zealand’s security systems.
As discussed above, investigations in Australia by the OAIC and ASIC are also becoming more common.
In the European Union, the Network and Information Systems Directive (commonly known as NIS2) entered into force last year and imposes cyber security obligations on EU entities. NIS2 is relevant to New Zealand companies trading with the EU or that are part of an EU entity’s supply chain. New Zealand’s Free Trade Agreement with the EU, which came into force this year, is likely to heighten the need for New Zealand traders to comply with EU requirements.
Third party exposure
There are risks associated with any agreement where your data is shared with another party. The latest Kordia New Zealand Business Cyber Security Report states that, in 2023, 28% of businesses impacted by a cyber attack in the past 12 months involved a third party.
Last year ASIC Chair Joe Longo gave a speech emphasising the importance of evaluating third-party supplier risks. He observed that third-party suppliers are a clear vulnerability in many organisations’ cyber preparedness, particularly given the lack of control an organisation has over the security of its third-party providers.
Director and officer liability
The Chair of ASIC also recently said:
For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.
There are differing views internationally about the extent of liability directors and officers may face following a cyber breach. The US is leading the way in this area. Recently, successful criminal charges were brought in the US against Uber’s former chief security officer for failing to report a cyber breach to the authorities. The US Federal Trade Commission also took a successful action against the Chief Executive of an online drinks delivery business over a cyber breach exposing the personal information of around 2.5 million customers.
In the United Kingdom legal commentators suggest the risk to directors and officers is overstated.
Regardless, it would be wise for directors and officers of New Zealand companies to pay close attention to cyber security issues. In that respect, the Institute of Directors in New Zealand recently published a ‘practical guide’ for managing cyber risks.
Given the scale and technical complexity of cyber security, it might be easy to think the risks are too big to tackle and to adopt the classic Kiwi “she’ll be right” attitude. But there are many steps New Zealand organisations can take to reduce the risk of cyber attacks in the first place, and to mitigate damage and liability if a cyber breach does occur.
Both technical IT experts and legal experts can help you navigate the turbulent waters of the ever-changing cyber risk environment, both globally and domestically.
Fundamentals such as endpoint and perimeter protection, least-privilege access, keeping software up to date, and backing up data remain essential. But the rise in user-targeted attacks and account compromise also requires new cyber security techniques and strategies. In 2025, businesses should consider roadmapping the following tactics to stay ahead of the current threat landscape:
It’s crucial to raise these topics with your IT partner and leverage their expertise to improve your cyber resilience and governance. Through collaboration, you can effectively align priorities with organisational goals, manage supply chain risks, and ensure robust oversight. Together, you can create a proactive security strategy that supports long-term business success and protects against evolving threats.
To ensure you have the right legal protections and plans in place, consider the following.
Reviewing your key contracts and terms of trade
Supply agreements should be reviewed from a cyber security perspective, whether you are the party engaging a supplier or the third-party service provider itself. Your lawyers should also review any other agreements involving access to, or the sharing of, data with another party. It is worthwhile compiling a register of your third-party suppliers and vendors, and identifying who will have access to what data, both electronically and physically. Your legal advisers can also review your terms of trade for cyber security purposes.
Reviewing your insurance cover
Consider the appropriateness of relevant insurance policies, such as specific cyber breach cover and your Directors and Officers liability insurance. Look out for gaps in your cover and where you might have unnecessary double insurance. While the cost of insurance may be a perceived barrier, the increasing frequency and costs of cyber breaches make appropriate insurance an important consideration for businesses, and their directors and executives.
Assessing your compliance with regulatory requirements
Your legal advisers can assist with regulatory compliance, for example under the Privacy Act 2020. In addition to issuing fines, the Privacy Commissioner can issue a compliance notice setting ongoing compliance obligations for businesses, including improvements to privacy policies and procedures and ongoing reporting to the Privacy Commissioner. Not only can this be operationally disruptive, it has the potential to severely damage a business’s reputation.
Including your lawyers in your cyber security action plan
An incident response team should be formed, and your cyber breach plan tested, before an incident occurs. In addition to technical IT experts, your legal advisers should also be on the team. Your lawyers can advise on your notification obligations, for example to the Privacy Commissioner, under your insurance policies, and to the Financial Markets Authority (for certain regulated entities). Involving your legal advisers early, and in a formal capacity, is also relevant to privilege claims over investigation reports and other documents created in the wake of a cyber attack.
With cyber attacks and related litigation on the rise, there’s no time like the present to make sure your cyber policies and practices are in order. Contact our team of experts if you’d like to discuss any aspect of your organisation’s cyber security.
Consider comprehensive cyber security as a point of difference from your competitors. As cyber attacks increase so too will the importance your customers and clients place on working with a trusted organisation. NCSC recently reported that many businesses are wisely making basic cyber security actions a normal part of their operations. Don’t be left behind.