Improper use of artificial intelligence tools by employees has become one of the main cyber security concerns for New Zealand organisations, according to Kordia’s latest New Zealand Business Cyber Security Report. The 2026 edition of the annual study found that 24% of medium-to-large businesses now rank staff misuse of AI among their biggest cyber challenges, and that attacks involving AI-related vulnerabilities more than doubled year-on-year.
Kordia’s 10th annual survey drew responses from nearly 250 organisations with more than 50 employees across New Zealand. The research indicates that attacks exploiting AI-related weaknesses rose from 6% of reported incidents in 2024 to 14% in 2025, with AI systems playing a growing role in how attacks are carried out. The report also shows an increase in concern about internal behaviour around AI. One in four businesses now list improper AI use as one of their three biggest obstacles to improving cyber security, up from 16% the previous year.
Patrick Sharp, general manager of Kordia-owned Aura Information Security, linked this shift to how AI is being adopted in day-to-day operations. “Insider threats, whether accidental or malicious, have always been a factor in cyber incidents and data breaches. But shadow AI – the unauthorised use of AI tools by employees – is growing into a massive problem. Individual staff members are copying confidential data into AI systems – information they would never put into Google – without understanding the risks and without guidance from their organisation. Business leaders are telling us it’s keeping them up at night. Nearly half (43%) said employees accidentally exposing data or AI-driven processes is the biggest cyber risk to their business, making it the top concern by quite a margin. In addition, many New Zealand and international organisations are implementing sanctioned AI tools without sufficient security governance and practices,” Sharp said. The findings may prompt a reassessment of how AI-related behaviour, data handling, and internal controls are addressed in cyber underwriting, proposal forms, and risk assessments.
While concern about AI is rising, the Kordia report indicates that the overall proportion of organisations reporting a cyberattack has fallen. In 2025, 44% of surveyed businesses said they had been subjected to an attack in the past 12 months, down from 59% the year before. This aligns with the National Cyber Security Centre’s (NCSC) latest Cyber Threat Report, which recorded 5,995 incidents in 2024/25, compared with 7,122 in 2023/24. The direct financial impact has nonetheless increased: the NCSC reported losses of $12.4 million in the third quarter of 2025, up 118% on the previous quarter.
Kordia’s data highlights several trends that are directly relevant to cyber cover and claims:
Sharp said incident readiness remains a central gap. “Organisations need to work out a response strategy long before they’ve suffered an incident, and they need to spend time practising it,” he said. That includes assigning roles, defining decision-making thresholds, and setting communication plans for staff, customers, and regulators.
The report indicates that personal information remains a key focus for both attackers and regulators. One in five businesses reported that personally identifiable information was accessed or stolen. A similar proportion expressed concern that stolen data could later be used for blackmail or extortion. One in three businesses said they would be willing to pay a ransom to a cybercriminal under some circumstances, a position with direct implications for policy wording, sanctions clauses and board-level guidance.
Sharp said: “Nobody wants to be faced with a ransom demand, but they can appear to make the immediate problem go away. However, once a ransom is paid, there’s no guarantee a cybercriminal will honour the deal. For instance, they might still re-sell any data they’ve stolen. Paying ransoms ensures extortion remains a reliable form of revenue for cybercriminals, and as long as it works, they will keep doing it. The best strategy is to work with the experts to build your cyber resilience, so you can continue operating and recover from an incident without having to give in to criminal demands.” The findings raise issues around ransom payment clauses, expectations for backup and recovery arrangements, and how policies respond when personal data is compromised and regulatory engagement follows.
Kordia’s research comes alongside a joint advisory from the Australian Cyber Security Centre (ACSC), New Zealand’s NCSC, and CERT Tonga describing the operations of ransomware group INC Ransom and its affiliate network across Australia, New Zealand, and Pacific island states. INC Ransom is described as a financially motivated Russia-based cybercriminal group operating a ransomware-as-a-service model. Affiliates have been observed gaining initial access through spear-phishing, exploiting unpatched internet-facing systems, or using valid credentials obtained from initial access brokers.
Once inside a network, affiliates use legitimate tools to compress and exfiltrate data before deploying ransomware. After encryption, INC Ransom leaves a ransom note with demands and contact details. If targets do not pay, the group employs double extortion tactics by publishing victim names and stolen data on a dedicated leak site. Authorities note that INC Ransom and its affiliates have targeted organisations globally since 2023 and, since early 2025, have been observed more frequently in Australia, New Zealand, and the Pacific. Activity indicates a focus on entities handling sensitive information, including health care providers. In New Zealand, the NCSC reported a May 2025 incident in which a health sector organisation had many servers and endpoints encrypted and a large volume of data stolen. INC Ransom claimed responsibility and later published the dataset on its leak site.
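The "compress with legitimate tools, exfiltrate, then encrypt" sequence described above is something a detection engineer can look for before the encryption stage. The following is an added illustration, not code from the Kordia report or from the ACSC/NCSC/CERT Tonga advisory: a small correlation rule that walks constructed endpoint and network events and, per host, flags an archiver execution followed within a short window by a sizeable transfer, or a transfer-tool run, to an address outside the internal ranges. The tool names, the log format, the internal address ranges, the thresholds and every sample event are assumptions chosen for the example, not indicators published by the advisory.

```python
"""Correlate archive-then-exfiltrate behaviour on a single host.

Added example (not from the report or advisory). Everything below that looks
like an indicator -- tool names, thresholds, address ranges, log lines -- is
an assumption made up for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: legitimate archivers and transfer/sync tools that are benign alone
# but suspicious when chained on one host shortly before ransomware deployment.
ARCHIVE_TOOLS = {"7z.exe", "winrar.exe", "rar.exe", "tar"}
TRANSFER_TOOLS = {"rclone.exe", "megasync.exe", "curl.exe", "scp"}
# Assumed internal ranges (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=30)          # archive -> transfer gap we consider linked
BYTES_THRESHOLD = 500 * 1024 * 1024     # 500 MiB outbound counts as "large"

# Constructed sample events in an assumed pipe-delimited format:
#   timestamp|host|kind|field=value,field=value
SAMPLE_LOG = """\
2025-05-12T02:14:05|SRV-FILE01|process|image=7z.exe
2025-05-12T02:31:40|SRV-FILE01|netflow|image=rclone.exe,dst=203.0.113.45,sent=734003200
2025-05-12T09:00:00|WS-042|process|image=7z.exe
2025-05-12T09:05:12|WS-042|netflow|image=outlook.exe,dst=10.20.30.5,sent=1048576
2025-05-12T14:30:00|WS-042|netflow|image=rclone.exe,dst=198.51.100.7,sent=900000000
2025-05-12T03:00:00|SRV-DB02|netflow|image=curl.exe,dst=203.0.113.45,sent=1024
"""


def parse_line(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts, host, kind, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(",") if kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "kind": kind,
        "image": fields.get("image", "").lower(),
        "dst": fields.get("dst", ""),
        "sent": int(fields.get("sent", "0")),
    }


def is_external(ip):
    """True when the address is outside all assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return one alert per external transfer that closely follows an archiver run on the same host."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_archive = {}   # host -> timestamp of most recent archiver execution
    alerts = []
    for ev in events:
        if ev["kind"] == "process" and ev["image"] in ARCHIVE_TOOLS:
            last_archive[ev["host"]] = ev["ts"]
            continue
        if ev["kind"] != "netflow" or not ev["dst"] or not is_external(ev["dst"]):
            continue  # internal traffic is out of scope for this rule
        suspicious = ev["sent"] >= BYTES_THRESHOLD or ev["image"] in TRANSFER_TOOLS
        archived_at = last_archive.get(ev["host"])
        if suspicious and archived_at is not None and ev["ts"] - archived_at <= WINDOW:
            alerts.append({
                "host": ev["host"],
                "archived_at": archived_at.isoformat(),
                "transfer_at": ev["ts"].isoformat(),
                "image": ev["image"],
                "dst": ev["dst"],
                "bytes_sent": ev["sent"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT archive-then-exfil:", alert)
```

On the sample data only SRV-FILE01 fires: the archiver ran 17 minutes before rclone pushed roughly 700 MB to an external address. WS-042's archiver is followed only by an internal transfer inside the window and by an external one five hours later, and SRV-DB02's small curl upload has no preceding archive, so none of those alert. In a real deployment the windows, tool lists and byte threshold would be tuned per environment, and the archiver list should be treated as a starting point rather than a complete inventory.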
Kordia’s report presents cyber resilience as both a business and national issue, with increasing scrutiny on directors and officers. The research indicates that:
“Engaging with government entities like the NCSC and the Privacy Commissioner isn’t just about being transparent. It also helps the New Zealand government and businesses understand the scale and impact of this criminal activity,” Sharp said. The combination of rising AI-related exposure, active ransomware campaigns such as INC Ransom, and possible moves toward stricter reporting and ransom rules is likely to influence cyber appetite, pricing, coverage design, and risk engineering priorities through 2026.