Nearly half of New Zealand businesses faced a cyberattack last year, but too many boards still underestimate the risk.
Directors across New Zealand have watched anxiously as 2026 began with a flurry of high-profile, deeply impactful cyber incidents.
Almost on the stroke of midnight on New Year’s Eve, Manage My Health confirmed it had been the subject of a cyberattack, the fallout from which continues to dominate discussion. Hours later, Neighbourly was breached.
And just when things were starting to quieten down, MediMap fell victim to a bizarre cyber breach, thrusting the local health sector – and its vulnerabilities in cyberspace – once again under scrutiny.
Three major cyber breaches on New Zealand shores in two months. I can’t recall a start to a year quite like this.
And while it’s tempting for boards to consign cyber security to CISOs and technical teams, these incidents are a sobering reminder that it should concern the highest levels of any organisation. As more people are learning, the operational, reputational and financial costs of a cyber incident can be immense, and often insurmountable.
This month, Kordia released its annual New Zealand Business Cyber Security Report – the 10th year of this exclusive research. This year, we surveyed nearly 250 business leaders in New Zealand, of whom 8% sit at the director or executive director level.
In addition to the revelation that nearly half (44%) of local businesses were subjected to a cyberattack in the past 12 months, our findings deliver a stark wake-up call for directors and boards in all sectors.
A poorly handled cyberattack can pose a huge threat to a business’s very survival. Our survey found a staggering 61% of businesses that were impacted by a cyber incident said they suffered serious business disruption, such as being unable to access key systems. One in five faced financial extortion.
Worryingly, businesses are expressing low levels of resilience. A third of cyber incidents took more than two months to resolve, and a third said they lack confidence to recover from a major attack.
Despite all this, cyber security is still not a priority for many boards. Our research found that:
So where is a good place to start for boards wanting to take a more active role in cyber resilience?
One way is for boards to take a more proactive approach to increasing their understanding of cyber risks, whether this is done continuously, on a scheduled basis, or prompted by a milestone such as service adoption or a business change. Cyber risks should also be integrated into enterprise risk and assurance – again, they must not be treated as solely an IT issue.
Cyberattacks don’t have to be massive or high-profile to cripple an organisation – they need to be treated as very real business threats.
Just days after the MediMap breach, the New Zealand Government published its 2026–2030 Cyber Security Strategy, something that was long overdue. The strategy is a good starting point. It is a bit lengthy and aimed at multiple audiences, so its two-year action plan provides something sharper for boards to focus on.
Two actions within the plan should stand out to directors: consultation on critical infrastructure (which was announced on the same day as the strategy), and potential changes to penalties for failing to protect personal information.
The current penalty regime – where penalties largely apply only to non-reporting, capped at $10,000 – has been widely criticised as insufficient and does little to incentivise robust data protection.
Read alongside the critical infrastructure consultation, the direction of travel is clear: significantly tougher enforcement, including potential criminal liability for directors (up to $500,000) and major corporate penalties (up to the greater of 2% of turnover or $5 million), as well as powers for Government to mandate security controls at a company’s expense.
This mirrors regimes in Australia and the UK and signals a shift towards treating cyber resilience and privacy like health and safety – squarely within directors’ accountability. With many organisations still unprepared, boards should treat this as a two-year runway to establish mature risk management and oversight, starting now.
I wrote in an IoD Boardroom piece last year that cyber security now sits squarely in the boardroom. The first two months of 2026 have demonstrated just how relevant this will continue to be.
I encourage all directors to take cyber security seriously and make it a priority risk area for your organisation. Be hands-on with cyber resilience planning and preparation, and engage with the experts both inside and outside your organisation.
In 2026 and beyond, the smallest gaps in cyber defences will be ruthlessly exploited and exposed. Good leadership grounded in solid understanding of cyber resilience best practice is the best long-term strategy for keeping your organisation safe.