
Cyber risk: a practical guide 2025

Cyber risk is a critical governance issue that demands board-level attention. The increasing reliance on digital connectivity has brought new vulnerabilities, and the scale of cybercrime continues to grow. In New Zealand, cyber incidents have resulted in significant financial and reputational harm, making it essential for boards to take a proactive approach.
Boards are under increasing scrutiny to ensure they have the right oversight and response capabilities in place. Regulatory expectations are evolving, with stricter privacy laws, mandatory breach reporting and rising penalties for poor governance. Meanwhile, emerging threats such as AI-driven phishing scams, deepfake impersonation and supply chain vulnerabilities mean organisations need to stay ahead of evolving risks.
The 2025 edition of Cyber Risk: A Practical Guide retains the five core principles that help boards understand and oversee cybersecurity risks effectively. This update includes guidance on managing quantum computing risks, improving resilience against AI-driven threats and strengthening governance over third-party security. It also presents new questions for directors to ask management about cyber risk frameworks, workforce readiness and incident response planning.
Core principles
There are five core principles for boards in their oversight of cyber risks.
- Take a complete approach: Cybersecurity is not just an IT issue. Boards must view it as an organisation-wide risk that affects strategy, resilience and business continuity.
- Establish an enterprise-wide cyber risk management framework: A strong risk management framework ensures cybersecurity is embedded across the organisation, with clear accountability and reporting structures.
- Give cybersecurity regular attention on the agenda: Boards must prioritise cyber risk, build their own cyber literacy and ensure they have access to the right expertise.
- Understand the legal environment: Directors need to be aware of evolving privacy laws, regulatory obligations and the legal consequences of cyber incidents.
- Categorise and address the risks: Boards should work with management to identify which cyber risks to mitigate, accept, transfer or avoid, ensuring the organisation is prepared for potential attacks.
Boards that take a structured, informed approach to cybersecurity will be better positioned to protect their organisations and maintain stakeholder trust.
Download the practice guide
The full guide explains why boards need to prioritise cybersecurity and the risks of holding on to private data.
Additional resources
- Reporting cybersecurity to boards (IoD/Kordia, 2018)
- Suppliers may be a cyber weak point (IoD, 2024)
- Five things boards can do to help combat cyber crime (Aura Information, 2024)
- Cyber resilience guidance (National Cyber Security Centre)
- Cyber-resilience in FMA-regulated financial services (Financial Markets Authority, 2019)
- Improving cyber resilience for regulated entities (Reserve Bank)
- ISO/IEC 27000 series of information security standards (International Organization for Standardization and the International Electrotechnical Commission)
- Principles for board governance of cyber risk (World Economic Forum, 2021)
- The National Institute of Standards and Technology Cybersecurity Framework (NIST)
- The Payment Card Industry Data Security Standard (PCI)
- Haters gonna hate – dealing with cyberhate for directors (IoD, 2020)
- The new Privacy Act – key resources for directors (IoD, 2020)
- Legacy Systems (CERT NZ)
- Australia's Cyber Security Act (Aura, 2024)
- The Digital Series: Understanding cyber-attacks as a service (IoD, 2024)