Office of the Privacy Commissioner | Commissioner's speech to the National Cyber Security Summit 2026
Privacy Commissioner Michael Webster spoke on Tuesday 17 March at Takina in Wellington
It’s great to be here today to:
- share some observations, from my perspective as Privacy Commissioner, about the place of cyber security in the minds of decision-makers, organisations, and the everyday person in the street, and
- talk about the linkages between privacy, stewardship of personal information, and cyber security.
But, before I get into that – a pop quiz …
Who said, less than a month ago, “It’s a reason why I have been advocating very strongly that we need to strengthen our cyber security laws here in NZ and also make sure that we are not laid back … I think in 2026 sometimes our New Zealand business environment has been way too laid back, and not taking the risks and the threats seriously enough.”
Yes, that was Prime Minister Chris Luxon.
And who said, again less than a month ago, “digital threats are growing and New Zealand must strengthen its defences … Every New Zealander who provides data to a government agency, or to a company contracted by one, is entitled to the same standard of care. When that data is breached, it is a violation of trust … We could improve incentives for entities holding New Zealanders' data. We could increase penalties for hackers and scammers. We should also question whether it is even reasonable to demand New Zealanders provide sensitive information or digital identification for everyday activities.”
Yes, that was Deputy Prime Minister, David Seymour.
Now, like a lot of organisations, at my work we subscribe to a media alerts service, for media and other stories about privacy and related matters – including cyber. When I arrived at work a week ago, the morning email from the service had just popped into my in-box … no privacy breach stories this time … but every story was a cyber one … every story!
'NZ cyber strategy criticised as least bold in Five Eyes' … 'Kordia releases latest cyber report' … 'Expanding ransomware reach intensifies sector-wide cyber exposure' … 'Rising sophisticated cyber-attacks aimed at advisors' … and 'Increased DoS and brute force activity.'
One morning’s worth of media stories on one day!
It seems that the public policy and media spotlights have swung their beams of light on to you.
You have to wonder, given this sort of political, public, and media interest, if we are on the cusp of cyber security leaving the wings, and coming to centre stage.
The question is, are we ready – and if we are, what are we going to do next?
Surveys and attitudes to cyber security
It’s always instructive to take ourselves out of our busy day to day context, and see how other organisations, and even other countries, are seeing cyber-security, and cyber threats.
Each year the Institute of Directors conducts a Directors’ Sentiment Survey and publishes the results with some commentary.
In the 2025 report, the IoD noted, and I quote, that:
“Technology epitomises this shift from curiosity to commitment. Six in ten boards are now working with management on how AI and automation can lift productivity – the second-highest result since records began. Digital oversight has re-entered the mainstream, no longer the preserve of tech committees or early adopters. But the enthusiasm is tempered by uneven assurance: cyber vigilance has plateaued, with the proportion of boards discussing risk or receiving breach reporting barely moving in three years. In effect, boards are accelerating innovation without upgrading the brakes.”
While 57.2% of directors said their board discusses cyber risks, this figure has softened slightly from 2024, which was 62.2%.
Likewise, 55.2% of boards report receiving comprehensive data breach or cyber-risk reporting, largely unchanged for three years after a sharp rise in 2023.
Privacy and data protection show similar stagnation; 57.2% of directors said their board regularly reviews privacy risks, a figure largely unchanged from 2024.
Internet NZ’s recent survey results show New Zealanders continue to have concerns in the data space.
65% of those surveyed were extremely concerned or very concerned about the security of personal data.
Kordia have just released their 2026 NZ Business Cyber Security Report.
Some key take outs from that:
- 44% of large businesses were subjected to a cyber attack or incident in the past 12 months
- 17% of cyber incidents resulted in personal information being accessed or stolen
- 61% of businesses impacted by a cyber incident suffered a serious business disruption
- 30% of businesses surveyed said they lacked confidence that they could recover from a major cyber-attack.
- 25% said they had no cyber security awareness or training programme for their employees, and
- Around half had not practiced their incident response plans.
That’s not a brilliant picture.
Hence, the International Telecommunication Union’s global cybersecurity index last year ranked New Zealand in the third of five tiers, as an ‘establishing’ nation alongside the likes of Kiribati and Myanmar.
The heightened cyber security risk environment has seen countries like Australia and Singapore among others, implement new cyber security legislation.
New regulatory frameworks are also increasingly being backed up with tools and manuals to support businesses to aim for and stay on the right side of the regulatory line.
And that is something the New Zealand Office of the Privacy Commissioner is also focused on.
Privacy and cyber security
It’s clear that there are many linkages between privacy and cyber security – and I want to begin by acknowledging that while my focus is on the stewardship of personal information, those working in cyber security are concerned about keeping all information – personal, financial, commercial, legal, marketing, the list goes on - safe and secure from harm.
Some of you here today will of course be working in or managing the IT/IS/cyber teams in organisations, ensuring systems are hardened against cyber-attack, and that your work colleagues engage in cyber smart practices.
Some of you will be advisors, providing organisations with advice on the latest developments in cyber threats and defences.
Some of you will be involved in research and development, seeking to get ahead of the cyber criminals and threat actors in the never-ending cyber war we all seem to be engaged in these days.
And some – like my Office – are focused on the risks to personal information.
My focus is making privacy a core focus for your agencies – in order to protect New Zealanders from harm, to enable organisations to achieve their own objectives, and to safeguard our free and democratic society.
And when things go wrong – when there’s a serious privacy breach which might see personal information exfiltrated, or deliberately corrupted – we ask questions about what happened and why, and - if it’s needed – we can hold agencies to account.
Security of information and IT infrastructure is a critical component of a robust privacy programme.
Both security and privacy staff must work together to identify external and internal risks, and to ensure that security is prioritised and resourced accordingly.
The Privacy Act 2020 is built around 13 privacy principles that govern how agencies (organisations and businesses) can collect, store, use and share personal information.
The Privacy Act makes sure that:
- you know when your information is being collected
- your information is used and shared appropriately
- your information is kept safe and secure
- you can get access to your information.
As many of you will know, Principle 5 is concerned with storage and security of information.
It states that organisations must ensure there are safeguards in place, that are reasonable in the circumstances, to prevent loss, misuse or disclosure of personal information.
There are a number of different aspects to consider, including physical security, electronic security, operational security, security during transmission and during destruction.
What steps are appropriate will depend entirely on the circumstances, including:
- How sensitive is the personal information involved?
- What are you using the personal information for?
- What security measures are available, and how will using these measures impact on your agency’s functions?
- What might the consequences be for the individual if the information is not kept secure?
I thought you might be interested to get a sense of the state of play with privacy breaches in New Zealand.
So, this morning, I have the latest breaking stats and news for you.
- In the most recent quarter, 61% of serious privacy breaches were due to intentional or malicious activity, and 36% were due to human error … the days of most breaches being due to an email whoopsie seem to be long gone.
- For the reporting year to date, 21% were unauthorised access breaches (including ransomware), and 28% were unauthorised sharing or employee browsing.
Employee browsing
Can I take the opportunity to touch on an increasingly serious privacy risk: that is, employee browsing.
The greatest threat to your workplace information security could be sitting in the office next to you at work.
Employee browsing or the unauthorised access and misuse of personal information is becoming one of the most common privacy breaches.
NZ is a small place, and there’s a good chance a familiar name will crop up in a database or on a file at work, and it can prove very tempting for some to have a look.
In some circumstances employees look up information and then pass it on for the explicit purpose of causing harm of some sort.
If your business or organisation holds sensitive personal information that your customers or clients would really, really not want to be revealed to someone else, like a violent former partner, or revealed to the public if someone happens to be a bit of a celebrity – then your organisation’s employees will, one day, come under pressure from others to access and hand over that information.
Attempts will be made to coerce, bribe, blackmail or threaten employees to access and misuse the personal information the organisation holds.
So, my question for you is, has your organisation invested in the systems, regular database audit checks, employee induction processes, and so on, to deter and, if it happens, identify unauthorised access and misuse of personal information?
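A minimal version of the kind of regular database audit check just described, as an added example that is not part of the speech or of any Office of the Privacy Commissioner tool; the audit log format, staff IDs, case assignments and threshold are all constructed for illustration:

```python
# Added example (not from the Commissioner's speech or any OPC tool): a simple
# employee-browsing audit check. Assumes a constructed audit log of record
# lookups plus a table of which cases each staff member is assigned to.
from collections import defaultdict

# Constructed: case references each staff member legitimately works on.
ASSIGNMENTS = {"staff-101": {"CASE-A", "CASE-B"}, "staff-202": {"CASE-C"}}

# Constructed: case references that cover each client record. client-9 has
# no open case at all (think of a well-known person who is in the database).
RECORD_CASES = {"client-1": {"CASE-A"}, "client-2": {"CASE-B"},
                "client-3": {"CASE-C"}, "client-9": set()}

# Constructed audit log lines: timestamp|staff_id|client_record|action
AUDIT_LOG = """\
2026-03-10T09:01:00|staff-101|client-1|view
2026-03-10T09:05:00|staff-101|client-2|view
2026-03-10T12:40:00|staff-101|client-9|view
2026-03-10T13:10:00|staff-202|client-3|view
2026-03-10T13:11:00|staff-202|client-1|view
2026-03-10T13:12:00|staff-202|client-2|view
2026-03-10T13:13:00|staff-202|client-9|view
"""

def parse_log(text):
    """Turn the pipe-separated audit lines into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, staff, record, action = line.split("|")
            rows.append({"ts": ts, "staff": staff, "record": record, "action": action})
    return rows

def find_unassigned_access(rows, assignments=ASSIGNMENTS, record_cases=RECORD_CASES):
    """Lookups where no case covering the record is assigned to the viewer.
    Returns (staff_id, client_record, timestamp) tuples in log order."""
    findings = []
    for r in rows:
        covering = record_cases.get(r["record"], set())
        if not covering & assignments.get(r["staff"], set()):
            findings.append((r["staff"], r["record"], r["ts"]))
    return findings

def find_lookup_bursts(rows, threshold=3):
    """Staff who viewed more than `threshold` distinct records in the window.
    Volume alone is not proof of misuse, but it is the sort of signal a
    regular audit should put in front of a manager to review."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["staff"]].add(r["record"])
    return {s: len(recs) for s, recs in seen.items() if len(recs) > threshold}

def audit(text=AUDIT_LOG):
    """Run both checks over the log and return the findings together."""
    rows = parse_log(text)
    return {"unassigned": find_unassigned_access(rows),
            "bursts": find_lookup_bursts(rows)}
```

On the constructed log this flags one out-of-assignment lookup by staff-101 and three by staff-202, and staff-202 alone trips the volume threshold.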
Poupou Matatapu
Of course, my Office doesn’t always want to occupy the space of the privacy “ambulance at the bottom of the cliff”; increasingly, our focus is on working with people like you to “build the fence at the top”.
As I think I mentioned at last year’s conference, Poupou Matatapu is guidance on our website to help New Zealand agencies do privacy well – you can find it at privacy.org.nz.
It sets our expectations about what good privacy practice looks like and then helps organisations toward achieving that.
One of the components of this guidance focuses on security and internal access controls.
The obligation to keep information safe and secure applies to information that is held by the organisation (for example, in on-premises servers) and information that is held on the organisation’s behalf by a service provider (for example, a cloud-based data storage provider).
Remember, organisations are liable under the Privacy Act for the personal information stored and processed on their behalf.
The most effective strategy is having a well-thought-out security plan for all personal information you hold.
At a high level, this component of Poupou Matatapu describes key security controls across three areas – physical, technical, and organisational.
These controls are not exhaustive and are continually evolving.
Organisations need to ensure that they update their knowledge on security risks, including seeking advice from external experts where necessary, and implement all reasonable security safeguards in a timely way.
I don’t need to tell this audience that there’s a world of cyber security guidance and standards out there.
Providing security and IT advice is not a core function of my Office, so, in our guidance, we have provided links to advice and resources from other authoritative sources, such as NCSC, and others.
But, of course, like you, I have seen commentary around how to assess whether an organisation had reasonable security safeguards in place at the time of a security or privacy incident.
Reasonable security safeguards are those that are proportionate to an organisation’s role, scale, and risk exposure.
They reflect recognised national expectations at the time the safeguards were implemented and operating prior to the breach.
This approach does not require best-in-class or exhaustive controls, instead focusing on intent, decision-making, and proportionality.
It anchors reasonableness in nationally recognised frameworks, uses well-understood national standards like the NCSC Minimum Cyber Security Standards as a defensible baseline, and applies sectoral-specific standards – such as those applying to the health sector – as contextual overlays.
This approach provides a clear basis for determining whether reasonable security safeguards were in place at a given point in time.
The other day I was reminded of a comment from Misti Landtroop, the NZ country manager for cybersecurity company Palo Alto Networks.
She said that many cyber breaches were preventable, with things like security culture, level of knowledge, and willingness to invest, all factors that left organisations vulnerable to cyber-attack.
Organisations also make mistakes because they either don’t understand the value of privacy, or don’t care.
Sometimes privacy is as easy as just ensuring your IT systems are up to scratch and making sure you’ve thought about access, have got the permissions set correctly, and have tested them.
For example, a while back the UK Information Commissioner issued a £4.4 million fine to a company which, in the Commissioner’s view, failed to follow up on the original alert about some suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments – all of which ultimately left them vulnerable to a cyber-attack.
The Commissioner commented at the time: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems, and fails to act on warnings, or doesn’t update software, and fails to provide training to staff, you can expect a similar fine from my Office.”
From my perspective, and reflecting on all this commentary, since taking up my role I have made it clear that agencies need to keep front of mind that, in the case of a cyber security incident resulting in a data privacy breach, one of the first questions I will ask is “has the agency undertaken all reasonable security safeguards” to protect the personal information under their care.
Health sector
Turning to the cyber elephant in the room, recent events in NZ would suggest that one sector which is well and truly facing some cyber security challenges, is the health sector.
Just a reminder: on 22 February, MediMap — a private portal used by aged-care homes, hospices, disability services and community health providers to coordinate prescriptions and record medication histories — was taken offline after it was discovered that some patient records had been tampered with by an unauthorized actor.
MediMap's early investigations identified changes to fields including names, birthdates, assigned prescriber, and location of care and resident status, with some living patients incorrectly marked as "deceased."
This event was unsettling not only because of the direct impact on individuals and clinical operations, but also because it followed another high-profile breach — the Manage My Health breach in late 2025, which involved the exfiltration of hundreds of thousands of medical documents.
One of New Zealand’s leading privacy commentators, Daimhin Warner, commented at the time:
“Taken together, these events suggest a broader pattern of cyber risk in health tech that goes beyond isolated vendor errors.”
“Several key themes are starting to emerge. First is the need for clarity of expectations. What baseline technical and organizational safeguards should be required for systems handling highly sensitive health information? Mandatory controls — for example, multifactor authentication, encryption at rest and in transit, regular independent security audits and incident response obligations — could help raise the floor of protection.”
“Second is making sure the health sector understands who is really accountable for ensuring these baseline safeguards are in place. It is alarmingly clear from these recent breaches that many organizations in the health sector do not fully understand their accountabilities and responsibilities.”
Daimhin Warner notes that the recent publication of the National Cyber Security Strategy has occurred at a time when some of the government agencies tasked with cyber security are making it clear that New Zealand has a long way to go before we can say our standards and approach meet international good practice.
And by the same token, then, we have a long way to go before we can assure New Zealanders, whoever they are … customers, clients, citizens … that their privacy is being protected and respected.
GCSB Director-General Andrew Clark said recently that “unfortunately, there are … pockets, including in our critical infrastructure, where cybersecurity is barely meeting that foundational level that we would expect.”
AI
And of course, AI is only making the challenge facing the cyber security industry even harder.
Reports show increasingly that AI agents are supercharging cyber-attacks by industrialising the scale of them.
In the Internet NZ survey I referred to earlier, 59% of those surveyed were very or extremely concerned about the use of AI to violate privacy.
And the Kordia survey found that a quarter of medium to large businesses now rank staff misuse of AI among their biggest cyber challenges, and that attacks involving AI-related vulnerabilities have more than doubled year on year.
Director-General Clark also noted that while smaller organisations might not meet the critical infrastructure description, many still hold a lot of sensitive personal information that needs protection.
So, no matter the sector, and no matter the size, there are questions we all need to be asking, and expectations that need to be met, in today’s increasingly super-charged threat environment.
From where I sit, those expectations include:
- Security controls are specific to the type and sensitivity of information held across the organisation, rather than a ‘one size fits all’ approach.
- Regular auditing of systems is undertaken to ensure appropriate access.
- An organisation follows industry guidelines and security standards relevant to its business context.
- There is a remediation plan for managing and/or replacing legacy systems (where necessary).
- Identified risks are proactively managed - for example, by incorporating them into the organisation’s risk and assurance reporting processes to ensure visibility, and
- Organisational controls - policies, procedures, and decisions - are regularly reviewed and fit for purpose.
Conclusion
People of cyber … at this time in New Zealand’s history you face your greatest challenge, and your greatest opportunity.
It’s your time to shine!