A recent study commissioned by the National Cyber Security Centre (NCSC) and conducted by The Research Agency (TRA) has found that more than half of New Zealand’s small and medium-sized enterprises (SMEs) have encountered a cyber threat within the last six months.
The findings highlight the persistent and evolving risks facing businesses, with implications for insurers and risk managers across the sector.
Several notable incidents have recently impacted organisations in New Zealand and beyond.
In August, TAS NZ Bay Limited, an accounting firm operating nationwide, was listed on the leak site of the PEAR ransomware group. The group claimed responsibility for extracting approximately 365 gigabytes of data, including financial records, contracts, and personal identification documents.
July saw Qantas, the international airline, confirm that a cyberattack compromised a third-party customer service platform, potentially exposing the personal data of six million customers. The information accessed included names, contact details, birth dates, and frequent flyer numbers.
During the same month, the New World Clubcard loyalty programme experienced an incident in which external actors attempted to access member accounts by testing common passwords. The supermarket chain responded by advising customers to update their credentials.
The NCSC’s survey indicated a notable rise in reported cyber threats, with 53% of SMEs affected in the past half-year, compared to 36% in the previous period.
“With cyber threats increasing in frequency and sophistication globally, New Zealand’s businesses need to anticipate a cyber security attack and plan accordingly to lessen the threat and be ready to respond,” said Mike Jagusch, director mission enablement at NCSC.
Despite widespread recognition of cyber security’s importance – 94% of SMEs acknowledge its significance – many businesses believe their current measures are adequate.
This perception, according to Jagusch, can lead to underutilisation of effective security practices such as two-factor authentication (2FA) and routine data backups.
“2FA is a simple and effective way of adding an extra layer of protection to online accounts that can often prevent the majority of online attacks,” Jagusch said.
More than half of SMEs that experienced an incident reported tangible impacts, including financial loss, operational disruption, reputational harm, and unauthorised access to sensitive information.
The issue of delayed or neglected software updates continues to expose SMEs to cyber risk.
Mark Gorrie, managing director APAC for Gen Digital, noted that while operating systems are often updated, third-party applications – such as business software, browsers, and conferencing tools – are frequently overlooked.
“Neglecting software updates is leaving the doors of small and medium businesses wide open,” he said.
Research from the Ponemon Institute attributes 57% of data breaches to inadequate patch management.
For many SMEs, the absence of dedicated IT staff means patching is a manual and often delayed process.
Automated patch management solutions are being promoted as a way to streamline updates and reduce business disruption, with cloud-based platforms offering centralised control and scheduling.
According to Beazley’s 2025 Risk & Resilience report, 29% of global executives now rank cyber risk as their primary concern, an increase from the previous year.
The growing frequency and complexity of cyber incidents are expected to influence demand for cyber insurance and related services.
Insurers will need to assess evolving risks and support clients with both preventative strategies and incident response planning.