By Dwayne Alexander

Cyber breaches need communications planning, data warns

Thu, 23rd Apr 2026

Last month I was invited by IT Live to join a two-day Microsoft-sponsored roadshow - Navigate. Fortify. Prevent. - bringing together some of Australasia's leading voices on cybersecurity and crisis communications in front of business leaders who, in many cases, had not yet thought seriously about either. Wanaka was first: a crisp, clear autumn morning, the kind of day that makes the threat of a ransomware attack feel entirely abstract. Auckland was second: dark skies, wind off the harbour, and horizontal rain that made the conversation feel considerably more urgent. Same data. Very different weather.

My session focused on crisis communications - specifically the 10-point playbook that sits at the core of how I prepare organisations to respond when a cyber incident arrives. The data that anchored the room came from a separate session presented by Miro Dordevich, QBE's Head of Portfolio - Cyber. Miro's presentation on a dataset from partner Atmos did what good data always does: it put precise dollar figures on decisions that most organisations are quietly not making. It is his data that runs through this article, and it deserves to be read carefully.

The number no one is talking about

There is a number that does not appear in most cyber insurance conversations. It sits inside the claims data, largely unremarked upon, and it has nothing to do with the sophistication of the attack or the scale of the organisation affected. It is simply what a ransomware incident costs the average business before anyone has measured what it does to the business's reputation.

That number is NZD $173,000. That figure covers legal costs, forensic investigation, and the mechanics of notifying affected stakeholders. It does not include what happens next: the clients who quietly leave, the contracts that stall, the referrals that stop coming, the brand that spends the following 12 months rebuilding.

Business Email Compromise is the more common incident type - a convincing email, a misdirected payment, NZD $35,000 gone. It rarely makes headlines. But for a law firm, an accounting practice, or an NFP protecting donor funds, it does not need to. A prepared organisation can reduce that cost significantly. An unprepared one simply absorbs it.

Who gets hit

The assumption that sector or size provides protection is one of the more expensive beliefs in the New Zealand business landscape. The QBE & Atmos data does not support it.

Financial services accounts for 18.8% of all cyber incidents in the dataset. Professional services - the law firms, accountants, consultants, and advisory practices that hold some of the most sensitive commercial and personal information in the economy - accounts for a further 17.5%. Together, those two sectors represent more than a third of all claims.

Importantly, many of these are also highly sophisticated organisations, with strong governance, mature cyber controls and a more advanced risk posture than most. The volume of claims is not a reflection of neglect, but of exposure. When you hold critical data, the impact - and the attractiveness to threat actors - increases, even when strong controls are in place.

The professional services figure is the more striking of the two. These are businesses whose primary asset is not technology infrastructure but intellectual capital and client trust. The irony is sharp: a breach compromises exactly what the business has spent years building. A law firm's reputation for confidentiality. An accounting practice's standing as the guardian of financial information. A fund manager's credibility as a trusted steward of client wealth.

Not-for-profit organisations occupy a distinct position in this risk landscape. They do not feature as a named category in the QBE dataset, but their exposure is real and, in some respects, more acute than their commercial counterparts. NFPs are typically underinsured, carry minimal internal crisis response capability, and hold a trust relationship with donors, beneficiaries, and the public that is harder to rebuild than a commercial client relationship. A cyber incident that would bruise a listed company can be terminal for a community organisation. That is not alarmism. It is a practical observation about where the sector sits when a crisis arrives.

The human problem at the centre of every breach

Social engineering accounts for 35.7% of all root causes in the QBE & Atmos dataset. That is the single most important number in this article, and it is not a cybersecurity statistic. It is a communications statistic.

Every breach that begins with social engineering began because a person was persuaded - by a message, a voice, or an interaction - to do something they would not otherwise have done. The message looked legitimate. The request seemed reasonable. The sender appeared to be someone they trusted. No firewall stops that. No IT upgrade prevents it. The vulnerability was human, and the exploit was communicative.

You cannot patch a person. But you can prepare them, and you can prepare what you say when the preparation fails.

This is the argument that crisis communications professionals have been making to boards and leadership teams for years, with limited success. The data from QBE & Atmos makes it more plainly than any case study can. More than a third of breaches began not with a technical failure but with a conversation. With a click. With a response to what looked, entirely reasonably, like a legitimate request.

The communications function is not the last line of defence in a cyber incident. It is present at every stage: in the culture that either does or does not take a suspicious email seriously; in the response that either does or does not notify affected stakeholders promptly; in the public statement that either does or does not hold stakeholder confidence through recovery. Communications is not the clean-up crew. It is the infrastructure.

35.7% of breaches start with social engineering. That is not a technology failure. It is a communications failure - and it requires a communications response.

The 20% most organisations are leaving on the table

Pre-incident preparation reduces the total cost of a cyber incident by approximately 20%. That is the most commercially actionable finding in the QBE & Atmos dataset, and it is also the least-discussed.

On an NZD $173,000 ransomware event, 20% is NZD $34,600 saved. On a claim of that size, that is the difference between an incident that damages the business and one that the business does not fully recover from. That gap is not closed by a better firewall. It is closed by preparation: by the decisions made before the incident happens, not during it.

Organisations that invest in documented response protocols, tested communication chains, pre-approved holding statements, and nominated spokespeople with media training recover faster, spend less, and retain more client and stakeholder trust than those who respond in real time without a plan. The data supports this. The case studies confirm it. And the organisations that have lived through a breach without preparation know it, often at considerable cost.

The 20% figure applies before reputational damage is counted. Once the downstream effects of poor stakeholder communication are factored in - client attrition, contract delays, coverage that frames the organisation as unprepared rather than unfortunate - the real cost of unpreparedness is considerably higher.

A 20% cost reduction is available to any organisation willing to prepare before the incident, not after it. On an average ransomware claim, that is NZD $34,600.

What good preparation actually looks like

The following is not an exhaustive checklist. It is a deliberately brief account of the five things that most organisations do not have in place, and that make the greatest difference when a crisis arrives.

1.  A written crisis communications plan that has been tested in the last 12 months, not filed and forgotten. Most organisations have a document. Far fewer have a plan that has been stress-tested against a realistic scenario and confirmed to work with the people who are currently in the relevant roles.

2.  Pre-approved holding statements for the three most likely incident types: a data breach, a ransomware attack, and executive-level misconduct. These do not need to be long. They need to exist, to be legally reviewed, and to be accessible at 11pm on a Sunday when the incident is not waiting for business hours.

3.  A clear internal notification chain. Who knows first. Who decides what to say. Who says it, and to whom, and in what order. Stakeholder communication that reaches the media before it reaches the affected clients is a predictable and avoidable failure. The sequence matters as much as the message.

4.  A designated external communications adviser who has been briefed in advance and holds a relationship with the organisation before hour three of an active incident. An adviser engaged for the first time mid-crisis is working with incomplete context while the situation is moving. That is an expensive way to commission communications support.

5.  A commitment to 24-hour response for affected stakeholders. The QBE & Atmos data on Business Email Compromise demonstrates clearly that trust erosion accelerates with every hour of silence. The organisations that communicate early, even when the information is incomplete, consistently outperform those that wait for certainty that never fully arrives.

None of these requires a significant budget. They require a decision to prepare. The cost of making that decision is, on average, 20% of what it costs not to.

These are the foundations. What follows is how you use them.

The crisis communicator's 10-point playbook

Presented at engagements in Wanaka and Auckland, and drawn from more than 20 years advising organisations through high-stakes incidents, the following 10 points represent the operational core of effective cyber crisis communications. They are sequenced to match the way a real incident unfolds, not the way a policy document describes one.

1.  Contain first, communicate second - but not by much

Your first 20 minutes must be technical containment. Your first two hours must include stakeholder communication. These are not sequential decisions. They run in parallel. The organisation that goes silent for 12 hours while the technical team works is already in a communications crisis.

2.  Segment your stakeholders before you send a single message

Not everyone needs the same message at the same time. High-value clients get a personal call before any public statement. High-risk individuals - those whose data creates specific personal or legal exposure - get targeted guidance before the general announcement. The general audience gets a consistent, coordinated communication. Media gets a holding statement. These are four different messages, not one.

3.  Fill the information vacuum before others do

Silence does not reduce anxiety. It increases speculation. The bad actor in a breach is frequently more media-savvy and more available to journalists than the organisation being attacked. If you are not providing a narrative, someone else will. That someone else does not have your interests in mind.

4.  Lead with process, not conclusions

When you do not yet have complete information - and in the first 48 hours you almost certainly do not - communicate the process, not the findings. 'Here is what we are doing, here is what we expect to know, and here is when we will update you again' is more useful than silence and more credible than speculation.

5.  Pre-approved holding statements are not optional

The organisation that spends three hours drafting a first statement in the middle of an active incident is making every subsequent decision from a position of delay and distraction. Holding statements exist for exactly this reason. They need to be written, legally reviewed, and accessible before they are needed - not commissioned when they are urgently required.

6.  Legal compliance and stakeholder satisfaction are not the same thing

Meeting the 72-hour regulatory notification requirement is the floor, not the ceiling. Organisations that satisfy their legal obligations while failing to communicate with the people affected by the incident will find that the regulator is the least of their problems. Clients, media, and the public hold their own timeline, and it is shorter than the Privacy Act's.

7.  Avoid the 'closed barn door' mistake

When you fix the vulnerability that was exploited, do not claim comprehensive security improvement. Closing a specific vulnerability is a technical achievement. It is not a security overhaul. Stakeholders and independent security commentators will test that claim, and if it does not hold, you have compounded the original incident with a credibility failure.

8.  The spokesperson is a decision, not an afterthought

Who speaks for the organisation in a crisis is one of the most consequential decisions leadership makes. That decision needs to be made in advance, the spokesperson needs to be trained, and they need to know what they are authorised to say and what sits outside their mandate. A spokesperson who does not know the boundaries of their brief will find those boundaries tested publicly.

9.  Update even when there is nothing new to report

Stakeholders who have been promised regular updates and do not receive them will assume the worst. 'Our investigation is continuing, no adverse developments to report, next update at 3pm tomorrow' is not a non-communication. It is a reassurance. It confirms that the organisation is still in control of the situation and has not forgotten the people waiting for information.

10.  Recovery is measured in months, not days

The first statement is not the end of crisis communications. It is the beginning of a recovery period that, for a significant breach, typically runs for six to 12 months. The organisation's credibility during that period is built or lost in the quality of its ongoing communications - the updates, the accountability, the evidence of actual improvement, and the willingness to acknowledge what went wrong and demonstrate what has changed.

The closing argument

Ransomware accounts for 27.5% of all cyber incident types in the QBE & Atmos dataset. It is not the most common incident type - that distinction belongs to business email compromise - but it is the most expensive and the most visible. Every ransomware incident produces a moment at which an organisation must decide what it says to its clients, its staff, its regulators, and the media. That moment arrives whether the organisation is prepared for it or not.

Organisations that have made that decision in advance - that have a plan, a spokesperson, a set of pre-approved statements, and an adviser already briefed on their business - spend less money, recover faster, and retain more of the goodwill they have spent years building. The data quantifies the difference at approximately 20%. The case studies demonstrate what that 20% looks like in practice: clients who stay rather than leave, coverage that frames the organisation as accountable rather than negligent, regulatory interactions that are cooperative rather than adversarial.

The question is not whether your organisation will face a crisis. The data QBE & Atmos shared suggests it almost certainly will. The question is whether, when it does, you will already know what you are going to say.

The organisations that recover well from a cyber incident are not lucky. They are prepared. The data knows the difference.

About the author

Dwayne Alexander is Director and Co-founder of Alexander PR, companycrisis.co.nz, and legalpr.co.nz, with a growing cybersecurity communications practice.

About the Navigate. Fortify. Prevent. events

At Navigate. Fortify. Prevent., attendees heard from some of Australasia's leading experts on the critical technology and cybersecurity challenges every organisation - and in particular every not-for-profit - needs to be across right now.

With the IT landscape evolving at pace, sessions like these are designed to cut through the noise, equipping organisations with practical insights, emerging risks, and clear next steps, all in one focused event. What distinguished these sessions from a standard awareness event was the coherence of the disciplines in the room: Microsoft, IT infrastructure, cybersecurity, insurance, and communications working from the same evidence base, towards the same outcome.

A huge thank you to the outstanding speakers and partners who made these events possible.

  • Adam Smith - Microsoft Modern Work, Security and AI Lead, Dicker Data NZ

  • Chris Curran - Director, IT Live Wanaka and Trustee, RAD Community Trust

  • Dwayne Alexander - Co-Founder and Global Practise Leader, Alexander PR

  • Ian Bennett - Teams, SharePoint and the Power Platform, CEO and Digital Workplace Guru, Custom365

  • Luke Irwin - ISSMP, CISSP, CISM, GCERT - Founder and Cybersecurity Strategist, Aegis Cyber Security

  • Miro Dordevich - Head of Portfolio for Cyber, QBE Insurance

The QBE & Atmos claims data referenced throughout this article were presented by Miro Dordevich at the Auckland session. The figures are in NZD as sourced from the Atmos dataset. All analysis and commentary are the author's own.