SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand cyber losses rise as C2 incidents return

Thu, 25th Jun 2026
Joseph Gabriel Lagonsin, News Editor

New Zealand's National Cyber Security Centre recorded three highly significant cyber incidents in the first quarter, the first C2 incidents reported since the 2021/22 financial year.

The agency responded to 1,164 incidents between January and March, while direct financial losses reached NZD $5.6 million, up 76 per cent from the previous quarter.

The figures have prompted renewed warnings that cyber attacks can inflict lasting reputational damage as well as operational and financial harm. Communications advisers say many organisations have technical response plans but are less prepared for the public fallout that can follow a breach.

A C2 incident is classified as highly significant and involves sensitive data and/or disruption to organisations of national significance in New Zealand. The return of incidents at that level marks a shift from recent quarters, when no events of that classification were recorded.

Jacky James, Managing Director of First Response, linked the latest figures to broader concerns about crisis preparedness beyond IT and legal teams.

"Incidents like these can negatively impact hundreds of thousands of New Zealanders, cost businesses significant amounts of money, and cause immense damage to trust and reputation," James said.

Many organisations remain better equipped to contain the technical side of a cyber incident than to explain events to customers, communities and stakeholders once disruption becomes public, she said.

"Most organisations have security defences and a technical plan in place to respond to a cyber incident. Far fewer are equipped to communicate with customers and deal with the reputation fallout, which can last far longer than the initial incident," James said.

That gap can become more acute when incidents spread quickly across social media and other digital channels. In those circumstances, organisations can face pressure to provide updates while avoiding disclosures that could complicate technical recovery efforts.

"You can have the best technical response in the world, but if your community, customers, and stakeholders don't hear from you at the right time, with the right information, speculation and uncertainty will fill the silence, and trust is impacted almost instantly," James said.

Communication risk

The latest quarterly data also underlines the growing visibility of cyber incidents to the wider public. Attacks that interrupt services, expose personal information or affect major institutions can quickly become customer-facing crises, especially when users are left without clear information.

James said the speed of modern digital communications had changed the nature of incident response.

"Misinformation can spread quickly - especially if there is an information vacuum - and confusion quickly follows.

"As security experts will tell you, there is risk to providing too much information publicly, as it can compromise the technical recovery. But that doesn't mean you should stop talking altogether - you can always say something to reassure those who matter," James said.

Her comments reflect a wider debate in cyber security over how much information companies should disclose during an active incident. Technical teams often seek to limit detail while systems are being investigated, but customers, regulators and business partners may still expect timely updates.

Planning ahead

James argued that organisations should treat communications planning as a core part of cyber readiness rather than an afterthought once an attack is under way. That includes having a simple communications plan that can be accessed even if internal systems are disrupted.

"Regardless of the cyber situation, the key communication principles will always be the same - be consistent, clear, credible and human.

"If you have email, rely on IT systems to support your business, and/or manage a database, your organisation is at risk. When a cyber crisis hits, how you communicate with your community matters as much as the breach itself.

"Cyber security and AI-related crises are no longer a question of if, but when. The time to build the reputational firewall is now, not in the middle of an incident," James said.

First Response is a specialist cyber communications business developed and delivered by The Shine Collective, a crisis and issues management consultancy. Its work focuses on helping organisations handle public messaging and stakeholder communications during cyber incidents.

The quarterly report's combination of more than 1,100 incidents, three highly significant events and sharply higher losses offers a stark measure of the cyber pressure facing New Zealand organisations and individuals. Direct financial losses totalled NZD $5.6 million in the quarter.