Cyber trends and insights with DUAL and Atmos

Escalating Cyber Risks in New Zealand

New Zealand has faced a surge in significant cyber incidents, with the National Cyber Security Centre handling incidents daily that carry national harm potential. The late 2025 breach of Manage My Health, a widely used patient portal, stands out as one of the country's largest privacy violations. Hackers accessed and threatened to leak over 400,000 files containing highly sensitive personal health information from approximately 120,000 to 126,000 individuals, demanding a US$60,000 ransom with a January 2026 deadline. This incident exposed everyday Kiwis to risks of identity theft, blackmail, and discrimination based on medical histories.

Broader trends show cybercrime industrialising through ransomware-as-a-service models, lowering barriers for attackers and enabling scaled operations. State-sponsored actors target New Zealand entities beyond critical infrastructure, motivated by espionage or disruption. Financial losses from reported incidents reached $26.9 million in the year covered by the 2025 Cyber Threat Report, though actual costs including downtime and reputational damage likely far exceed this.

The cyber insurance market has shifted to more competitive conditions in 2025, with Pacific pricing declining around 10% and abundant capacity allowing better terms for buyers. However, signs of tightening emerged late 2025, driven by increased loss frequency, poor claims development in some areas, and emerging threats from AI adoption. Insurers scrutinise controls more closely, particularly around supply chains, third-party vendors, and basic hygiene like patching and multi-factor authentication.

Regulatory pressures add complexity. The Privacy Amendment Act 2025, with key provisions starting May 2026, mandates notifications for indirect collection of personal information under new Information Privacy Principle 3A, with exceptions but heightened accountability. This aligns with global trends toward stricter data rules, raising stakes for non-compliance through fines and litigation. Organisations face trade-offs: investing in resilience diverts resources from growth, while underinsurance risks catastrophic uncovered losses from ransomware or data breaches.

Non-obvious tensions include cybersecurity fatigue among leaders—despite nearly half of businesses reporting attacks in recent periods, fewer view it as a top 2026 threat—potentially leading to complacency just as AI accelerates attack sophistication and regulatory deadlines loom.