Cybersecurity Incident Response Plan (New Zealand)

Under the Privacy Act 2020, organisations (referred to as 'agencies') must notify the Privacy Commissioner and affected individuals as soon as practicable when a privacy breach has occurred or is reasonably believed to have occurred that poses a risk of 'serious harm' to affected individuals. A privacy breach includes any unauthorised or accidental access to, disclosure of, or loss of personal information. The 'serious harm' threshold is assessed by considering factors including: the nature of the information involved (particularly sensitive categories such as health information, financial details, or identity information); the potential harm to individuals (financial loss, physical harm, emotional distress, discrimination); the likelihood that the breach will be used for harmful purposes; and the number of individuals affected. There is no specific timeframe in the Privacy Act 2020 for notification — the requirement is 'as soon as practicable'. In practice, the Privacy Commissioner expects notification within a matter of days for serious breaches. Organisations should have a documented incident response procedure that enables rapid assessment and notification. Failure to notify can result in complaints to the Privacy Commissioner and enforcement action, including compliance notices.

CERT NZ (the Computer Emergency Response Team New Zealand) is a government agency established under the CERT NZ Act 2018 to support New Zealand businesses, organisations, and individuals affected by cybersecurity incidents. CERT NZ provides free advice, technical assistance, and coordination support for cyber incident response. Reporting to CERT NZ is voluntary (not mandatory), but is strongly encouraged for: ransomware attacks; data breaches involving significant amounts of personal information; phishing campaigns targeting New Zealand organisations; business email compromise (BEC); denial-of-service attacks; and malware or supply chain compromises. CERT NZ uses reported incidents to identify trends, issue public warnings, and coordinate national responses to large-scale attacks. Reporting to CERT NZ does not replace the Privacy Act 2020 obligation to notify the Privacy Commissioner of notifiable privacy breaches. CERT NZ can be reached online at cert.govt.nz or by phone. The National Cyber Security Centre (NCSC), operated by the Government Communications Security Bureau (GCSB), also provides support for incidents affecting nationally significant organisations and critical infrastructure.

A New Zealand cybersecurity incident response should follow a structured process: Preparation — having a documented incident response plan, trained response team, and tested backups in place before an incident occurs; Identification — detecting and confirming that a cybersecurity incident has occurred, determining its scope (which systems and data are affected), and activating the incident response team; Containment — isolating affected systems to prevent further spread, preserving evidence for forensic analysis, and implementing short-term fixes; Eradication — removing the threat (malware, compromised accounts, backdoors) from affected systems and identifying root causes; Recovery — restoring systems from clean backups, monitoring for re-infection, and verifying data integrity; Notification — assessing whether the incident triggers Privacy Act 2020 notification obligations (notifiable breach), notifying the Privacy Commissioner and affected individuals as required, and optionally reporting to CERT NZ; and Post-Incident Review — analysing what happened, what worked well and what didn't, and implementing improvements to prevent recurrence. The plan should designate a lead incident coordinator, identify escalation paths, and include contact details for all relevant parties including legal counsel, cyber insurance providers, forensic investigators, and CERT NZ.

New Zealand does not have laws requiring businesses to hold cyber insurance, but cyber liability insurance has become a recommended risk management measure for organisations handling significant amounts of personal data or relying heavily on IT systems. Cyber insurance policies typically cover: costs of responding to a data breach (forensic investigation, legal advice, notification costs); regulatory fines (subject to policy terms — fines for Privacy Act 2020 breaches are currently limited but may increase); business interruption losses from a cyberattack; ransomware payments (where legally permissible); public relations and crisis management costs; and claims from affected individuals or third parties. The New Zealand insurance market offers cyber insurance through major insurers, and premiums are influenced by the organisation's cybersecurity posture, size, industry, and claims history. Insurers increasingly require organisations to demonstrate basic cybersecurity controls (multi-factor authentication, regular backups, staff training, incident response plans) before offering coverage. CERT NZ and the NCSC provide guidance on baseline cybersecurity controls for New Zealand businesses, including the NZ Cybersecurity Framework and the NCSC's Malware Free Networks programme.

A Cybersecurity Incident Response Plan (New Zealand) does not legally require a lawyer in New Zealand, and individuals and businesses may draft and execute the document independently. The Companies Act 1993 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified New Zealand lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The High Court of New Zealand has jurisdiction over disputes arising from this type of document, and Companies Office may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.