The majority of New Zealanders think that the existing penalty for a cybersecurity breach is insufficient.
A study[1] of more than 1000 New Zealanders has revealed opinions on the accountability of companies and organisations for cyber-attacks, shedding light on the public’s perception of fines, responsibility, and communication in the face of an increasingly sophisticated cyber threat landscape.
The study, commissioned by integrated communications and marketing agency Anthem and undertaken by Talbot Mills Research, asked for the public’s views on cybersecurity breaches and accountability. The findings show a strong consensus among New Zealanders regarding the need for more robust measures to address cyber-attacks and ensure accountability.
60% of respondents expressed dissatisfaction with New Zealand’s current maximum fine of $10,000 for cyber breaches, indicating a widespread belief that this penalty is insufficient.
Fines for cyber breaches resulting in the loss of a customer’s personal data vary widely globally. The current maximum fine in New Zealand is $10,000, whereas in Europe, the maximum penalty is $20 million (EU to NZD)[2], and in Australia the penalty is $50 million (AUD to NZD)[3]. When asked what a reasonable fine would be, 40% of respondents said upwards of $100,000. 23% said a reasonable fine for a large New Zealand organisation which has had a cyber breach is $500,000 or more.
According to Misti Landtroop, Managing Director at Palo Alto Networks – the world’s cybersecurity leader – New Zealanders should be looking to reward organisations for great cybersecurity best practices rather than only considering an increase in the monetary punishment.
“When considering higher fines for cyber-attacks, it’s crucial to question where the money goes and is it being used to help protect Kiwis from future attacks? Instead of relying solely on punitive measures, there’s value in exploring more nuanced reward systems. Transparency regarding cybersecurity breaches and investments is increasingly recognised as a strategic and competitive advantage in today’s landscape.”
In line with this sentiment, the majority (92%) of respondents believe quick and effective communication to customers about a cyber breach is imperative to maintain a company’s reputation. Most (91%) believe that all New Zealand companies should be required to declare past cybersecurity breaches and outline the remedial steps taken, with an emphasis on transparency.
Hilary Walton, Technology Strategist at Microsoft New Zealand and an author and podcaster on security culture, emphasises the critical role of communication during challenging situations like cyber breaches.
“Organisations must be transparent with their customers about the steps they are taking to remedy cyberattacks, providing clear timelines for when updates will be released. Scenario planning and pre-prepared communications will help expedite this process and get customers informed quicker, reinforcing the vital connection between communication, customer trust, and respect.”
Furthermore, the majority (65%) of respondents believe that a business’s Board of Directors should be responsible for covering the costs of cyber breaches occurring under their watch.
“Cybersecurity is a priority for boards globally because no-one – individuals and organisations – can afford to be complacent about cyber risks. But it continues to be one of the few crimes where, at times, victims are held responsible – and that’s not always appropriate,” says Institute of Directors Chief Executive Kirsten Patterson.
She says no systems can ever be said to be 100 per cent safe from cyberattacks but if board negligence can be proven then director liability might be justified.
“Everyone has a role to play in managing risk, from boards and directors to senior leaders and the wider workforce. That’s the only way to build a strong and effective culture, where everyone plays their part in keeping systems safer from cyberattacks.”
“Cyber experts agree we face an ongoing battle to keep ahead of bad actors intent on cybercrimes. As with any complex issue, apportioning blame is not always as straightforward as it might seem,” she says.
Hilary Walton compares protecting a company’s cybersecurity to caring for a communal garden.
“It’s a shared responsibility across all levels of an organisation to recognise the significance of their respective roles and how they contribute to the overall security framework,” she says.
“Everyone must ‘water’ the garden to maintain it, and work together to ‘weed’ the garden of threats or potential issues. The essence of security lies in acknowledging it as a dynamic entity that demands continuous maintenance and attention, with your personnel serving as the primary defence against cyberattacks.”
The majority (71%) of respondents expressed they would consider changing their business affiliations as a result of a cyber breach.
“Companies should take notice of the number of New Zealanders who will take their business elsewhere if they aren’t satisfied with their response to a cyberattack. It’s not just a fine at stake, but their reputation and the trust of their customers,” says Jane Sweeney, Co-founder and Executive Chair of Anthem.
“These results underscore the growing recognition among New Zealanders of the critical importance of cybersecurity measures and accountability mechanisms in today’s digital landscape.”
“It is imperative for companies and organisations to prioritise transparent and customer centric communications in the event of a cyber breach, and to ensure their supply chain and wider circle of stakeholders are kept regularly updated. This is vital to maintaining trust and confidence in the company and its leadership.”
Talbot Mills Research Managing Director, David Talbot, shares that he was most surprised by how strongly New Zealanders felt about fines for breaches, and is interested to see how the future of cybersecurity unfolds in New Zealand.
“As cybercriminals become increasingly sophisticated, experts say attacks are likely to increase, and our research shows New Zealanders are looking for accountability and clear communication, otherwise they will vote with their feet.”
The research is part of a regular research series, Fair Enough?, examining topical issues and reputation through a fairness lens. The series aims to examine key reputational risks at play and how stakeholders are responding.
[1] The survey was conducted by Talbot Mills Research using a nationwide online nationally representative sample of n=1059 between the 5th and 15th February 2024. The maximum margin of error for a 50 per cent figure at the 95 per cent confidence level is +/- 3.1 per cent.
[2] GDPR Penalties & Fines (itgovernance.co.uk)
[3] Tougher penalties for serious data breaches (ag.gov.au)