Cyber security changes flagged for New Zealand

The Government’s new Cyber Security Strategy 2026–2030 and Action Plan 2026–2027 signal a renewed push to strengthen New Zealand’s resilience to digital threats.

Category: Insight | General
Published Date: 13 April 2026

The Government’s recently released Cyber Security Strategy 2026-2030 (Strategy) and Cyber Security Action Plan 2026-2027 (Plan) outline a renewed effort to strengthen New Zealand’s resilience against digital threats.

While the Plan and Strategy do not provide detailed legislative or regulatory proposals, the documents signal potential changes that may be made to New Zealand’s privacy and cyber regime. With this in mind, organisations should be thinking about whether the cyber security measures they have in place are sufficient.  

Why is change needed?

New Zealand society is undergoing radical technological change. Government and business are increasingly using automated technologies, and individuals are expected to use more digital tools to go about their everyday lives. However, the prevalence of technology provides an opportunity for malicious actors to target New Zealanders. We continue to see successful malware attacks resulting in significant cost to organisations.

There is a risk that New Zealand is falling behind other comparable economies in not having dedicated cyber security legislation. New Zealand is the only developed country listed in the third tier (of five tiers) in the International Telecommunication Union’s (ITU) Global Cybersecurity Index 2024 – this places us alongside countries like Libya and Papua New Guinea. Tier 3 represents countries that only show a “basic cyber security commitment” and are “establishing or implementing certain generally accepted cyber security measures”. In comparison, countries that we regularly compare ourselves to, like Australia and the United Kingdom, are ranked in tier 1 because they are considered by the ITU to have implemented “coordinated…government-driven actions” that commit to strong cyber security protocols.

The Government recognises there is work to be done to improve New Zealand’s position – not taking action risks a reduction in investment from overseas companies and in the willingness of other countries to share intelligence or cooperate with the Government.

Overview of the Strategy and Plan

Strategy

The Strategy sets out four key high-level objectives for the Government:

Understand

The Government acknowledges that current cyber incident reporting is fragmented – this makes it difficult to have a clear understanding of the current threats faced. The Government proposes that the National Cyber Security Centre will establish a single cyber security reporting service to receive, respond to, and manage incidents.

Prevent and prepare

The Government wants departments and agencies to effectively coordinate and be empowered to respond to cyber risks. This includes strengthening the mandate of the Government Chief Digital Officer to “entrench a culture of security”. The Government will also consult business and the public on a new regulatory framework to manage cyber risk for critical infrastructure (as discussed below).

Respond

The Strategy refers to “modernising…legislative frameworks” to deal with the global nature of cyber threats – however, it does not go into detail on what this will involve. The Government also intends to work with other countries to “address jurisdictional barriers” so that law enforcement can effectively investigate incidents of cybercrime.

Partner

The Strategy notes that coordination between government and business to understand and disrupt cyber threats must be improved. Further, New Zealand intends to continue working with international partners to defend digital networks from harm.

Plan

The Plan sets out the Government’s proposed actions in the next two years. The Plan is largely aspirational and relatively non-committal, but there are some specific ideas that may be regulated for – these include:

• Introducing a civil pecuniary penalty regime to the Privacy Act 2020 to incentivise the protection of personal information from cyber threats.

Currently the Privacy Act 2020 only allows the Office of the Privacy Commissioner (OPC) to issue fines of up to $10,000 for certain privacy breaches or refer matters to the Human Rights Review Tribunal for consideration. While there is no detail on a new financial penalty, if introduced this change could significantly alter New Zealand’s privacy regime and bring us into line with like-minded jurisdictions (something the OPC has regularly lobbied for).  

• Ensuring that Government insists on stringent security standards for digital procurement.

Businesses that bid for Government-related work can likely expect to have to be able to demonstrate strong cyber security protocols (e.g., being ISO 27001 certified).

• Introducing a new offence that targets people “who view, possess, or disseminate personal information when they are aware it has been illegally obtained”.

Critical Infrastructure Framework

In addition to the Strategy and Plan, the Government has released a consultation paper on how to enhance the cyber security of critical infrastructure systems (Framework). “Critical infrastructure” will encompass systems that are essential to everyday life – including the electricity grid, telco networks and financial payment systems.

The Framework notes that New Zealand is falling behind other countries in not having dedicated legislative mechanisms to protect critical infrastructure. The Framework proposes several measures to deal with this, including:

• Allowing the Government to request specific information from critical infrastructure entities. This information could include a description of an entity’s operations and key dependencies / interdependencies. A failure to provide the information would be an offence.

• Requiring critical infrastructure entities to share certain information with another critical infrastructure provider (for example, information on an entity’s projected restoration times).

• Requiring critical infrastructure entities to report cyber incidents to the Cyber Security Centre as soon as practicable (but no later than 24 hours after the incident is detected).

• Requiring critical infrastructure entities to develop, implement and maintain a risk management programme aligned with internationally recognised cyber security best practice (e.g., ISO 27001).

• Granting the (as yet undefined) responsible Minister the power to direct a critical infrastructure entity to do anything necessary to manage a cyber threat for national security reasons.

The Framework includes a range of tools that the Government could use to deal with breaches by critical infrastructure entities – these range from targeted education and a $50,000 administrative fine for “minor” breaches (such as late or incomplete provision of information) up to a criminal penalty of the greater of $5 million or 2% of annual turnover and $500,000 for directors for “major” breaches (like negligently, recklessly or knowingly failing to meet cyber security requirements).

Operators of critical infrastructure entities or affected individuals, businesses or communities have until 19 April to make a submission to the Government on the Framework.

Next steps

While it is good to see the Government engage with these issues, the announcements so far are lacking in specifics. The Government alone cannot ensure a safer cyber security environment; however, it can provide leadership on the guardrails that should be put in place to limit risk. Organisations should see the Strategy and Plan as an opportunity to consider what actions they should be taking to mitigate the threat of malicious actors. At a high level, organisations should:

Get the basics right – this means:

o keeping all systems and devices up to date (with automatic updates being made by default);

o deploying reputable malware protection on all servers and devices;

o enabling multi-factor authentication for all email or other business accounts that require a log-in; and

o only contracting with reputable suppliers that agree to robust security and privacy obligations.

Protect data – this means:

o making sure data (including personal information) is kept confidential and only accessed by those employees that have a genuine need to see it;

o deleting personal information when it is no longer necessary for the purpose for which it was collected (in line with the Privacy Act 2020); and

o ensuring data is regularly backed up and stored in a separate location.

Plan for the worst – this means:

o having an incident response plan covering what to do if a cyber security incident occurs or is suspected;

o knowing who to contact for assistance (e.g., your lawyers and insurers); and 

o knowing whether to notify the Office of the Privacy Commissioner and affected individuals if there is a breach of personal information.

We will continue to follow the progress of any new cyber security proposals put forward by the Government and provide updates if proposed legislation is introduced to Parliament.

Please get in touch with our team if you have any questions or need advice on anything discussed in this article.
