Australia already does it. New Zealand’s about to follow. In a few months, company directors here will be personally liable for cyber security failures – even if they’ve never written a line of code in their lives.
The Government dropped the clues in February when it released its critical infrastructure cyber security framework. Buried in the regulatory proposal is this: directors are personally responsible for meeting minimum cyber security standards. Not the IT team. Not your provider. You.
The proposed penalties are sharp. Up to NZ$5 million (or 2% of turnover) for the business. Up to NZ$500,000 for an individual director. For context, the current maximum fine in New Zealand for failing to report a breach is $10,000. Australia already goes up to A$50 million. We’re closing that gap fast, and we’re using their playbook.
Right now, this applies to critical infrastructure – energy, health, finance, water, telco, defence, and communications. But the direction is unmistakable. Cyber security is becoming a board responsibility, just like health and safety did a decade ago.
“We left it to IT” won’t cut it anymore.
What’s Actually Required?
The specifics are still being worked out (we’re in the consultation phase), but the framework points to some sensible basics:
- Know what data you actually hold and where it lives
- Lock down access – use identity controls that actually work
- Encrypt the important stuff
- Back it up – properly, with testing
- Have a plan for when something goes wrong (and it will)
These aren’t radical ideas. They’re the foundations that separate organisations that recover from breaches from those that get buried by them.
The Good News?
Getting ahead of this is straightforward. You don’t need to spend millions or hire security ninjas. You need visibility into your data, basic access controls, working backups, and a tested incident response plan. Most organisations we work with can get these sorted in weeks, not months.
The real value isn’t just avoiding a $500k fine. It’s protecting your business, your customers’ data, and your reputation. The fine is just the consequence of getting it wrong.
What Happens Next?
This is still in consultation, so there’s time to prepare. If you’re a business owner or director in Auckland and want to know where you actually stand – what you’re already doing right and where the gaps are – get in touch. We can walk you through it without the jargon and give you a clear roadmap.
Because “we didn’t know” won’t be an excuse when this lands.
Credit to Bell Gully for bringing this to our attention: https://www.bellgully.com/insights/privacy-penalties-and-personal-liability-a-new-world-for-nz-cyber-laws/