A Datacom survey has found that many New Zealand organisations are confident in their cyber capabilities but have not formalised how they would recover from a significant disruption. The research, covering 714 security leaders in New Zealand and Australia, showed that only 30% of New Zealand organisations had a business continuity or cyber incident response plan in place. By contrast, 73% of New Zealand respondents said they had sufficient visibility of risks, vulnerabilities, and compliance, and 78% said they had the internal resources to manage a cyberattack.
Datacom said this mix of responses reflects a difference between investment in monitoring and detection and preparation for extended outages and recovery. “Organisations have invested heavily in monitoring and detection, but they are falling short when it comes to recovery, posing significant risk to operations. The priority now is not another dashboard but engineered resilience – from containment to stabilisation to rapid recovery,” said Mark Hile, managing director, infrastructure products, Datacom, as reported by SecurityBrief.
Hile said effective recovery depends on more than technical tooling and requires rehearsed continuity plans, clear decision-making authority, and metrics tied to restoring services, not just detecting incidents. “When an organisation can't operate for days or weeks, the fallout is significant – customers lose access to essential services, supply chains stall, and trust in the brand erodes. Responding quickly enough to protect the people who rely on you is the part that needs far more attention,” he said. The findings highlight potential gaps between clients’ expectations of cyber resilience and their documented, tested recovery arrangements, with implications for cyber and business interruption covers.
Across New Zealand and Australia, four in 10 survey respondents expected their organisation to recover from a major cyber incident within days. Datacom contrasted these expectations with incidents that took considerably longer to resolve. The company cited cases where production was halted for five weeks and full recovery took nearly five months, and other events where organisations took about three weeks to contain the attack and return to standard operations. “The gap between how quickly leaders believe they can recover and how long recovery actually takes is not a technology problem; it’s a preparedness problem,” said Collin Penman, chief information security officer, Datacom.
Penman referred to a recent incident in the automotive sector to illustrate the risk of untested planning. “An example of this is the 2025 ransomware attack at Jaguar Land Rover in the UK, which halted production for five weeks, with full recovery taking nearly five months. A plan that’s never been tested isn’t a plan – it’s a document. Resilience is built through realistic practice that creates muscle memory, so response becomes automatic, coordinated, and fast,” he said. For cyber and contingency underwriters, such incident timelines may inform views on scenario design, aggregation of business interruption losses, and the role of tested response plans in risk assessment.
The survey found similar themes in Australia. There, 77% of security leaders reported confidence in their visibility of cyber risks, and 70% said they had the resources to respond to incidents, but only 32% reported having a continuity plan. In New Zealand, respondents identified employee culture and training as the top cybersecurity priority, cited by 16%. Data protection, threat detection and monitoring, and cyber strategy and governance each followed at 14%. The responses indicate that many organisations are directing attention to prevention and detection, while recovery planning remains less developed.
AI-enabled attacks, including phishing, were identified as the leading concern for security leaders in both countries. The survey reported that automation, deepfakes, and synthetic identities are compressing attack timelines from weeks to hours, reducing the time available for detection and response. Human factors continue to feature prominently. According to Datacom, 60% of organisations run mandated employee training and awareness programmes, and 56% issue regular cybersecurity communications.
The Datacom findings sit alongside recent statistics from the National Cyber Security Centre (NCSC), which reported higher financial losses and incident volumes in the third quarter of 2025. In Q3 2025, direct financial losses reported to the NCSC totalled $12.4 million, up from $5.7 million in the previous quarter, an increase of 118%. The agency attributed the rise to a small number of high-value incidents involving unauthorised or falsified transfers of money. The NCSC recorded 1,249 incident reports in Q3 2025. Of these, 110 incidents were triaged for specialist technical support because they were assessed as having potential national significance, almost double the 56 such cases in Q2 2025. The remaining 1,139 incidents, largely reported by individuals and businesses, went through the agency’s general triage process.
The NCSC also reported more incidents involving malicious software. Scams and fraud remained the most frequently reported incident category in Q3 2025, with 446 reports. Phishing and credential harvesting ranked second, with 355 reports. The NCSC also observed a 50% increase in scams associated with employment and business opportunities.
Datacom’s survey also pointed to broader structural questions in cyber risk management. Among New Zealand respondents, 51% expressed concern about data sovereignty and the long-term viability of local compute, and 48% said these issues were influencing their cybersecurity practices. The research noted that progress on sovereignty and architecture questions has been limited in sectors such as government, health, and critical infrastructure. Responsibility for cybersecurity continues to sit mainly with IT and security teams, with 43% of New Zealand leaders reporting signs of cybersecurity burnout within their teams. These sovereignty and workforce issues add further context for insurers and intermediaries evaluating operational resilience, third-party dependencies, and the sustainability of security operations among New Zealand clients.
