Act before attackers do

Cybersecurity is the new frontline, and legislating for a more cyber resilient New Zealand will require bold action from both government and governance.

By Patrick Sharp, General Manager, Aura Information Security
7 Jul 2025

During the First World War, the first military unit to cross the channel was the British Expeditionary Force. This well-trained professional army – including an aristocratic cavalry armed with lances, sabres and rifles – was the last gasp of the medieval knights. They were quickly brought low by machine guns, barbed wire and trenches. By the end of the war (and a mere 13 years after the invention of flight), the skies were filled with fighter planes.

Conflict and instability quickly separate the obsolete from the effective. In 2025, as global instability deepens, conflict has evolved beyond recognition and into the depths of cyber space.

What we are witnessing now is a form of digital guerrilla war. Decentralised cybercriminal mercenaries are often being funded by shadowy nation states.

Hidden attackers “live off the land” – using legitimate tools and software to linger in systems, waiting for an imperative to strike. The threat landscape is asymmetrical and rapidly changing, with defenders forced into a never-ending conflict where the front line is everywhere.

This might sound excessive and overdramatic, but this is the environment all businesses are operating in. Managing the risks associated with this is a key responsibility for boards in the modern world.

The organisations you are responsible for may have a big target on their back, especially if they store large amounts of important data or operate in sectors crucial to New Zealand’s resilience.

The risks of cybersecurity are prominent but difficult to quantify, and the investment to prevent harm should be in proportion to the needs of the business. For many organisations, simple technology choices supported by people and processes are enough to mitigate most threats.

However, critical infrastructure is a different story. Last year, the Cybersecurity and Infrastructure Security Agency (CISA) in the US discovered evidence that the nation state-backed cyber adversary Volt Typhoon has been infiltrating critical infrastructure providers across the Western world with the intention of disrupting them at a critical juncture.

In a similar time frame, another branch of the same nation state, Salt Typhoon, compromised nine major US telcos.

They were able to gain call telemetry information, SMS text messages and some recordings for prominent national leaders.

That’s not amateurs sending phishing emails or script-kiddies defacing websites; that is preparation for something much bigger. It’s not targeted at one business; it’s targeted at all of us. One weak link can disrupt everything.

All New Zealanders have a vested interest in knowing our government and critical infrastructure are receiving the right investment and protection against cybersecurity threats.

Critical infrastructure providers take security very seriously and I am not suggesting there is a deficiency in those industries. However, their attackers are supremely capable, and they will not stop until they find that weakest link in aging infrastructure or supply chains.

In late 2024, Australia passed a new legislative package to lift the nation’s understanding of cybersecurity threats, improve the security maturity for industry and government, and give the government powers to act in the case of a serious breach.

All of this is to be achieved without re-victimising those hit by cybercrime. For example, Australia’s new law doesn’t ban payment of ransoms but requires large and critical organisations to report on payment. This will give the country much better information about the scale of the issue, so they can combat a common threat together.

These new laws were developed in response to a series of devastating security incidents that impacted millions of Australians. These included major data breaches in 2022 and 2023, involving Medibank, Optus and Latitude Finance.

The Latitude Finance data breach was the second largest in Australian history, and the largest impacting Australian citizens. It was also the largest data breach in New Zealand history, impacting 20% of New Zealanders.

Australia has put serious effort into building its cyber posture at a national level, with a vision of being a global leader in cybersecurity by 2030. In a world reliant on digital infrastructure, this will be a key competitive advantage.

New Zealand has an opportunity to follow suit, developing legislation that prompts businesses to consistently exceed the minimum standard when it comes to cybersecurity. Developing legislation is not trivial, but the template has been created in Australia and it is in everyone’s interest to reflect that over here.

This will require some businesses to invest more to become compliant, but that’s the point – that we all incur comparable costs to achieve a common standard that makes New Zealand less of a target.

These costs should be seen as strategic investments by boards, not just compliance. And there is nothing stopping you from getting started early, making sure the organisations you are responsible for are at the forefront of managing this risk.

Cybersecurity is complex to understand. Humans evolved to recognise a charging adversary – not a remote network of industrialised guerrilla fighters armed with keyboards.

But this threat is very real. For New Zealand to truly thrive in the digital world, we need to stand together against cyber threats and mount a nationally unified and credible defence.