Organisations throughout New Zealand encounter cyber threats at rates substantially higher than what public records reflect, with evidence suggesting that the majority of security breaches escape public notice entirely. This reporting gap has consequences across the insurance and business sectors, affecting how organisations prioritise security investments and understand their true risk exposure.
The discrepancy between documented cyber incidents and those occurring in practice represents a fundamental challenge for the New Zealand market. According to NSP, the incidents that receive media coverage constitute only a small percentage of total attacks affecting businesses nationwide.
Geordie Stewart, chief information security officer at NSP, explained the scope of this gap. “For every cyber incident that makes the news, we believe at least 10 more occur quietly. Some are handled internally, some resolved with external incident responders, and others are settled through ransom payments that never see daylight. Which means business leaders are making decisions about their security posture based on about 10% of the actual data,” he said, as reported by IT Brief.
Many organisations choose to manage incidents through internal containment efforts or private remediation with external specialists, avoiding external notification or regulatory reporting. This approach, while preserving corporate reputation, prevents accurate assessment of sector-wide threat levels.
The decision to handle incidents privately reflects multiple organisational pressures rooted in measurable business consequences. Emerging research demonstrates that cyber incidents generate substantial financial and reputational penalties for affected organisations, creating powerful incentives for private remediation rather than public disclosure.
Beazley’s Risk & Resilience report documented that 29% of executives worldwide now rank cyber risk as their leading concern – a notable movement from the 26% figure recorded in 2024 and marking the first upward trajectory in such concern measurements since 2021. This heightened awareness correlates with substantial financial consequences. According to Aon’s 2025 Cyber Risk Report, organisations impacted by significant cyber events witnessed an average decline of 27% in shareholder value. This represents a meaningful acceleration compared to findings from Aon’s 2023 analysis, which indicated an average 9% shareholder value reduction following major incidents.
Given these financial realities, organisations face acute reputational damage, potential regulatory penalties, and customer confidence concerns when breaches become public. Incident response professionals and insurance claims handlers are regularly engaged to manage situations outside official channels, creating an invisible ecosystem of remediation activity designed to limit exposure to these documented consequences.
Stewart observed that incomplete reporting to CERT NZ further obscures the comprehensive threat picture at the national level. “We routinely see critical events that never appear in any public dataset. That invisibility creates a false sense of security across the market,” he said.
This underreporting problem extends directly to ransomware incidents, where financial transactions occur quietly between organisations and threat actors. Evidence gathered through incident response work indicates that New Zealand organisations regularly transfer substantial sums to remediate attacks, but these payments rarely enter public awareness. According to Stewart, “We’re aware of multiple New Zealand organisations that have paid six or seven-figure ransoms. They’re often paid under extreme pressure when business-critical systems are offline and continuity is at stake.”
Organisations affected by such incidents operate across multiple industries, including professional services, manufacturing, and retail. Arctic Wolf’s commissioned research revealed that approximately three-quarters of Australian and New Zealand organisations have paid ransom demands. Among those making payments, 91% engaged professional negotiators, although fewer than half succeeded in reducing the final amount requested.
The absence of public disclosure regarding these payments means organisations cannot learn from others’ experiences or benchmark their own exposure against industry patterns.
The consequences of underreporting fall particularly heavily on small and medium-sized enterprises, which often lack sophisticated threat intelligence capabilities. Findings from the National Cyber Security Centre (NCSC) and The Research Agency (TRA) demonstrated elevated exposure among smaller businesses, with more than half of New Zealand’s SMEs encountering cyber threats within a six-month period.
The NCSC data indicated a trajectory of increasing incidents, with 53% of SMEs affected in the most recent six-month period compared to 36% during the previous equivalent timeframe. This acceleration occurs partly because SMEs lack visibility into attacks affecting peer organisations – information that would normally inform security decisions.
According to Stewart, analysis of actual breach data often reveals that a limited set of vulnerabilities creates disproportionate risk across an organisation. Recognition of genuine exposure patterns, as opposed to theoretical concerns, enables more effective allocation of remediation resources.
