Why New Zealand’s Lenient Approach to Cybersecurity May Be Risking Businesses
Cyber threats are more prevalent and sophisticated than ever before. Yet, New Zealand’s approach to cybersecurity, which emphasizes education and remediation over strict enforcement, may be leaving many businesses vulnerable. While the intention is to foster compliance, this lenient stance, especially compared to countries like Australia and those under the European Union’s GDPR, could inadvertently result in complacency among New Zealand businesses.
A Reactive Cybersecurity Culture
New Zealand’s Privacy Act 2020 takes an education-first approach, encouraging organizations to adopt best practices rather than relying on heavy punitive measures. This philosophy contrasts with the General Data Protection Regulation (GDPR) in the European Union and Australia’s Privacy Act, which impose substantial fines that can reach millions of dollars for non-compliance.
With New Zealand’s maximum fines capped at NZD 10,000, the financial deterrent for failing to secure customer data is relatively low. In contrast, GDPR fines can be as high as €20 million or 4% of global turnover, which prompts organizations to prioritize cybersecurity at the boardroom level. Australia, too, has upped the ante, with fines of up to AUD 50 million for breaches like those suffered by Optus and Medibank.
This softer approach may explain why many businesses in New Zealand tend to act only after they’ve experienced a cyber-attack. Without significant financial penalties, there is less urgency to invest in preventative measures, leading to a reactive culture where businesses only scramble to improve security once they’ve been compromised.
The Cost of Complacency
This complacency can be costly. Recent data breaches, such as the Latitude Financial breach affecting over 14 million records across New Zealand and Australia, underscore how damaging cyber-attacks can be. Yet, for many smaller organizations, the mindset remains: “It won’t happen to us”.
The reality, however, is that cybercriminals target businesses of all sizes. In fact, small and medium-sized enterprises (SMEs) are often more vulnerable due to limited resources and a lack of comprehensive cybersecurity infrastructure. Without the looming threat of substantial fines, many SMEs opt to delay investments in cybersecurity, leaving them exposed to attacks that could lead to operational disruptions, financial losses, and brand damage.
Is It Time for a Change?
As cyber threats evolve and increase in both scale and severity, New Zealand may need to reconsider its approach to cybersecurity regulation. Increasing penalties for breaches, similar to Australia or GDPR, could drive businesses to adopt proactive cybersecurity strategies rather than waiting until they have been compromised.
Trust is everything. Businesses that fail to protect customer data risk losing not just money, but also customer trust—a much harder asset to regain. It’s time for New Zealand businesses to recognize that compliance is more than just ticking boxes; it’s about safeguarding the future of their operations and ensuring they can thrive in an increasingly volatile cyber landscape.
Conclusion
New Zealand’s current approach, while well-intentioned, may be too lenient in a world where cyber threats are growing at an unprecedented pace. By increasing penalties and focusing on proactive cybersecurity measures, New Zealand can better protect its businesses and citizens from the growing risks of cyber-attacks.
Is it time for New Zealand to toughen its stance on cyber penalties? Let’s start the conversation.