SecurityPolicy.com.au
Home/ New Zealand/ Human Factors/ Management and governance attention to cyber security
New Zealand Human Factors Fundamentals Reviewed 2026-07-13

Management and governance attention to cyber security

5
functions in the NCSC Cyber Security Framework
10
current NCSC Critical Controls
4
core elements of effective privacy governance identified by OPC
53%
of surveyed New Zealand SMEs experienced a cyber threat in the preceding six months
Why this guide exists

Questions are ordered from the case for leadership attention through directors' general duties, board and owner oversight, risk-based resourcing, management questions, leadership reporting, supplier governance, incident leadership and the governance failures that allow cyber risk to receive attention only after harm occurs.

Why is cyber security a management and governance issue rather than just an IT issue?

Cyber incidents can interrupt operations, expose personal information, divert payments, damage customer trust, create legal and contractual consequences and require difficult decisions about money, safety, communications and recovery. Those are business risks, not merely technical faults. IT and security specialists advise on threats and operate controls, but they cannot independently decide the organisation's risk appetite, strategic priorities, acceptable disruption, investment level or obligations to customers and affected people. NCSC says boards and senior executives play a critical role in creating cyber-resilient organisations through governance. Its Cyber Security Framework places Guide and Govern at the centre of the security lifecycle and calls for security to support organisational outcomes, investment to focus on real threats and assurance that security efforts remain effective. OPC similarly says governance members need clear understanding and effective oversight of privacy risk, senior accountability and deliberate prioritisation. In a small business, the owner may perform both governance and management roles, but the strategic decisions still need to be made consciously rather than delegated by default to an IT provider.

How this differs by situation
  • board or business owner — Owns strategic direction, risk appetite, major priorities, assurance and accountability for unresolved material risk.
  • senior management — Converts governance direction into plans, budgets, policies, responsibilities and operating controls.
  • security and IT specialists — Provide technical advice, evidence and implementation without independently owning business-risk acceptance.
  • enterprise risk — Connect cyber security to strategy, continuity, privacy, finance, customers, suppliers, reputation and legal obligations.
COPY THIS, EXACTLY

Cyber security is an organisation-wide business risk, not solely an IT responsibility. Governance owns the organisation's risk appetite, priorities and oversight. Management provides the resources and implements the strategy. Technical specialists advise on threats and controls, but material cyber-risk acceptance remains a leadership decision.

What directors' and senior leaders' duties are relevant to cyber risk?

The Companies Act 1993 does not create a standalone cyber-security duty for every director. It does impose general duties relevant to how directors oversee material business risks. Section 131 requires a director exercising powers or performing duties to act in good faith and in what the director believes to be the company's best interests. Section 137 requires the care, diligence and skill that a reasonable director would exercise in the same circumstances, taking account of the nature of the company, the decision and the director's position and responsibilities. Where cyber dependency or exposure is material, informed oversight of that risk can form part of discharging those broader duties. That does not mean directors must configure systems or guarantee that no incident will occur. It means they should remain informed, ask appropriate questions, consider credible advice, make proper inquiry when circumstances indicate it and ensure material risks are governed. Senior leaders who are not directors may have different legal duties, but they still carry the authority and accountability assigned by their role, policies and contracts.

How this differs by situation
  • section 131 — Act in good faith and in what the director believes to be the company's best interests when exercising powers or performing duties.
  • section 137 — Exercise the care, diligence and skill expected of a reasonable director in the same circumstances.
  • cyber-risk application — Treat material cyber dependency and exposure as part of broader company-risk oversight rather than as a separate statutory code.
  • senior leader — Operate within delegated authority, keep governance informed and escalate material risks, incidents and resource constraints.
COPY THIS, EXACTLY

The Companies Act does not create a universal cyber-specific director duty. Directors remain subject to their general duties, including acting in good faith and in the company's best interests and exercising reasonable care, diligence and skill. Where cyber risk is material to the company, directors should ensure it receives informed and proportionate oversight.

What should a board or business owner actually oversee?

Governance should set direction and boundaries rather than manage every technical task. It should understand which information, services and systems are most important; the credible threats and dependencies affecting them; the organisation's appetite for balancing risk against opportunity; and which risks will be mitigated, accepted, transferred or avoided. It should approve the cyber strategy, major policies, accountability model, critical investment and material exceptions. It should require assurance that important controls operate, suppliers are governed, incidents can be detected and contained, critical services can be recovered and legal duties can be met. Management should make operational decisions and bring well-documented recommendations, risk information and resourcing requests to governance. The board or owner should challenge and decide without becoming the incident handler, system administrator or control operator.

How this differs by situation
  • risk appetite and priorities — Define tolerances for disruption, information exposure, fraud, recovery time, supplier dependency and unresolved risk.
  • strategy and accountability — Approve direction, assign owners and ensure management has authority and resources to implement it.
  • assurance and challenge — Receive evidence that controls, suppliers, plans and corrective actions remain effective.
  • governance boundary — Oversee outcomes and management performance without taking over routine technical operations.
COPY THIS, EXACTLY

Governance will define cyber-risk appetite, approve strategy and major priorities, assign accountability and seek assurance that material risks are being managed. Management will make and implement operational decisions. Governance will challenge, decide and monitor outcomes without taking over day-to-day technical work.

How much should the business resource and prioritise cyber security?

There is no universal New Zealand percentage of revenue, IT spend or headcount that every business must devote to cyber security. Resourcing should follow risk: the value and sensitivity of information, dependence on digital services, exposure to fraud and disruption, contractual and regulatory obligations, threat environment, current control weaknesses and cost of recovery. NCSC says investment should focus on real threats to important systems and that organisations should improve incrementally rather than wait for perfect security. OPC expects privacy-function resourcing to be appropriate for the organisation's privacy-risk profile and regularly reviewed. Leadership should therefore approve a prioritised programme with clear outcomes, owners and sustainable operating costs, not just one-off purchases after an incident. When resources are constrained, protect the most important identities, systems, information, backups and supplier dependencies first, and record what risk remains outside tolerance.

How this differs by situation
  • risk-based resourcing — Link spending and staff effort to critical assets, credible threats, obligations, control gaps and potential harm.
  • priority sequence — Address the highest-consequence and most exposed risks before lower-value enhancements.
  • sustainable capability — Fund implementation, operation, maintenance, testing, training and incident response rather than acquisition alone.
  • residual risk — Show governance what cannot currently be treated, why, and whether it remains within the approved appetite.
COPY THIS, EXACTLY

Cyber-security resources will be based on material risk and required outcomes, not an arbitrary spending percentage. We will prioritise the identities, information, systems, suppliers and services whose compromise would cause the greatest harm. Investment decisions must include ongoing people, maintenance, assurance and recovery costs, and material untreated risks must be reported to governance.

What questions should management ask, and what should leadership be told?

Management should be able to explain what the organisation most depends on, how those assets could be targeted, which risks exceed appetite, who owns them and what treatment is planned. Leadership should ask whether critical accounts use MFA, important systems are supported and patched, backups are protected and tested, privileged and former-user access is controlled, material suppliers are understood and incident and recovery plans have been exercised. It should also ask whether the organisation knows what personal information it holds, whether privacy and security responsibilities are clear and whether specialists can escalate concerns without obstruction. Governance should be told promptly about material incidents, significant control failures, risks outside appetite, overdue corrective work, critical supplier changes, emerging obligations, resource constraints and decisions requiring risk acceptance. Reports should explain business consequences and uncertainty, not assume directors can interpret raw technical alerts.

How this differs by situation
  • business dependency — What services, information, accounts and suppliers are critical, and what would happen if they became unavailable or untrusted?
  • risk and control — What are the top credible scenarios, which controls address them and what evidence shows those controls operate?
  • readiness — Who decides during an incident, what has been tested and which services must recover first?
  • escalation — Which incidents, exceptions, supplier changes, overdue actions and risks require leadership attention or acceptance?
COPY THIS, EXACTLY

Management must tell governance what matters, what could materially go wrong, which risks exceed appetite, what evidence shows the controls work and what decisions or resources are required. Material incidents, control failures, supplier changes, overdue actions and accepted risks must not be hidden inside technical reporting.

What cyber-security reporting and metrics belong at leadership level?

Leadership reporting should show risk, resilience and decisions rather than a long list of technical events. A useful report begins with the organisation's top cyber and privacy risks, current exposure relative to appetite, important changes and decisions required. It should combine leading indicators, such as MFA coverage, critical patch compliance, privileged-access review, backup testing, supplier assessments, exercise completion and overdue corrective actions, with outcome indicators such as material incidents, near misses, customer impact, recovery performance and recurring causes. Trends and exceptions matter more than isolated counts. Metrics should identify scope, target, actual result, movement, limitations, owner and response. A green status should not be given merely because no incident was detected. IoD says meaningful board reporting should help boards understand top risks, ensure mitigation strategies are robust and track progress over time, while NCSC says cyber activity should be measured and reported as a basis for continuous improvement.

How this differs by situation
  • risk view — Show top risks, movement, exposure against appetite, treatment status and decisions required.
  • control and readiness view — Report coverage, exceptions and testing of controls linked to the most important risks and services.
  • incident and recovery view — Show material events, business impact, response performance, recurring causes and unresolved lessons.
  • decision quality — Explain uncertainty, data limitations, ownership, overdue actions and the consequence of deferring treatment.
COPY THIS, EXACTLY

Leadership reporting will focus on material risk, resilience, control effectiveness and decisions. Each report will show the top risks, exposure against appetite, important control and supplier changes, incidents and near misses, recovery readiness, overdue corrective actions, accountable owners and any resources or risk acceptance required.

How should leadership govern suppliers, outsourcing and third-party cyber risk?

Outsourcing a service does not outsource the organisation's business consequences or all of its legal responsibilities. Governance should know which suppliers can access important systems or personal information, which services have no practical substitute, where information is held, who performs security tasks and how an incident at the supplier could affect operations and customers. Management should perform proportionate due diligence, document responsibility boundaries and include security, access, logging, incident notification, continuity, subcontracting, data return or deletion and exit requirements in contracts. Critical suppliers should be monitored and included in incident and recovery exercises where appropriate. NCSC says organisations should understand how supply chains and relationships affect security posture and where responsibilities lie between the organisation and suppliers. IPP 5 also requires an organisation giving personal information to a service provider to do everything reasonably within its power to prevent unauthorised use or disclosure.

How this differs by situation
  • criticality and concentration — Identify suppliers whose failure, compromise or loss would materially affect operations, information or customers.
  • responsibility boundary — Document who owns updates, identity, backups, logging, monitoring, incident response, recovery and notification.
  • contract and assurance — Set measurable requirements, access limits, reporting duties, evidence rights, subcontractor controls and exit arrangements.
  • governance oversight — Escalate critical supplier risks, exceptions, incidents, concentration and unresolved assurance findings.
COPY THIS, EXACTLY

We may outsource services, but we do not outsource accountability for the resulting business, privacy and customer risks. Critical suppliers must be identified, assessed and governed through clear responsibility boundaries, contractual requirements, assurance, incident coordination, continuity arrangements and an executable exit plan.

What is leadership's role before, during and after a cyber incident?

Before an incident, leadership should approve the response and recovery approach, define escalation thresholds and decision authority, identify critical services, confirm access to technical, legal, privacy, communications and insurance support and participate in exercises. During an incident, governance should ensure management has authority and resources, receive reliable situation reports, make decisions reserved for leadership and maintain attention on people, customers, continuity, legal duties and organisational values. Directors should not disrupt technical containment by issuing uncoordinated operational instructions. The privacy officer must be able to assess any personal-information breach, while leadership supports timely OPC and affected-person notification where required. Afterward, governance should require an honest review, ensure corrective actions are funded and completed, reassess accepted risks and supplier arrangements and oversee communications and trust restoration. The NCSC Framework says response plans should be flexible, critical services should be restored first and plans should be practised.

How this differs by situation
  • before — Approve roles, thresholds, critical-service priorities, advisers, communications, notification routes and exercises.
  • during — Support the incident lead, make reserved decisions, oversee impact and ensure governance and legal duties are addressed.
  • after — Review decisions and causes, fund corrective work, monitor completion and rebuild stakeholder confidence.
  • privacy officer and specialists — Provide expert assessments and recommendations with direct escalation access to accountable leadership.
COPY THIS, EXACTLY

Before an incident, leadership will approve roles, decision thresholds, critical-service priorities and tested response arrangements. During an incident, leadership will support the authorised incident lead, make governance-level decisions and oversee customer, privacy, continuity and communication consequences. Afterward, leadership will require an honest review and ensure corrective actions are funded, owned and completed.

What are the common governance failures that cause cyber attention to slip?

Common failures include treating cyber as an IT budget line with no accountable business owner; discussing it only after an incident; no documented risk appetite; accepting risk without recording reasons; reports dominated by technical activity rather than business exposure; no independent assurance; unsupported privacy and security personnel; leadership exemptions from policy; reactive purchases without a strategy; critical suppliers omitted from risk reporting; incident plans that leaders have never exercised; and corrective actions that remain overdue without escalation. Attention also slips when boards receive only reassuring averages, when the absence of detected incidents is treated as proof of control effectiveness or when cyber literacy is concentrated in one director or executive. A small business does not need a complex committee structure, but it still needs regular attention, named accountability, clear decisions and evidence that agreed actions occurred. Australian Corporations Act, ASIC, APRA CPS 234, SOCI Act, Essential Eight and SMB1001 requirements must not be presented as New Zealand law or official New Zealand private-sector governance rules.

How this differs by situation
  • ownership failure — Cyber risk is delegated to a technician or provider without an accountable business owner or escalation route.
  • attention and information failure — Cyber is absent from regular agendas or reporting obscures risk, uncertainty, exceptions and overdue action.
  • assurance and readiness failure — Controls, suppliers, backups and response plans are assumed to work but are not independently checked or exercised.
  • decision failure — Resource constraints and accepted risks are left implicit rather than documented, owned and reviewed.
COPY THIS, EXACTLY

Cyber risk must remain a regular leadership topic with named accountability, documented decisions and evidence of control effectiveness. Governance will not treat absence of detected incidents as proof of security, allow material risks to remain implicit or accept technical activity reports that do not explain business exposure and required decisions.

What's my next step?

Common misconceptions

  • Cyber security is an IT operational issue that does not require board or owner attention. NCSC says boards and senior executives play a critical governance role. VERIFIED
  • The Companies Act 1993 contains a standalone cyber-security duty applying identically to every director. Sections 131 and 137 impose broader general director duties rather than a cyber-specific code. INFERRED
  • Directors must personally understand and operate every technical control. Governance should obtain appropriate information and assurance while management and specialists perform operational work. INFERRED
  • Hiring an IT provider transfers the organisation's cyber and privacy accountability. Supplier responsibilities can be allocated, but leadership still owns resulting business risk and applicable Privacy Act duties. INFERRED
  • Every New Zealand business should spend the same percentage of revenue on cyber security. Resourcing should reflect material risks, dependencies, obligations and sustainable outcomes. INFERRED
  • A dashboard showing no detected incidents proves that controls are effective. Assurance also requires control evidence, testing, scope information and consideration of detection capability. INFERRED
  • Board reporting should contain every technical alert and vulnerability. Leadership reporting should focus on material risk, resilience, trends, exceptions and decisions. INFERRED
  • Risk acceptance can remain an informal understanding between management and IT. Material accepted risks should be documented, owned, authorised and reviewed. INFERRED
  • Governance only becomes relevant after a major incident. Leadership is responsible for readiness, priorities, assurance and response authority before an incident occurs. VERIFIED
  • The privacy officer automatically owns all organisational privacy risk. OPC distinguishes the privacy function's expert work from governance accountability and risk-acceptance decisions. VERIFIED
  • A small business needs a complex board committee before it can govern cyber risk. OPC says governance arrangements can be proportionate and that small-organisation leaders may wear multiple hats. VERIFIED
  • Australia's Corporations Act, ASIC, APRA CPS 234, SOCI Act, Essential Eight and SMB1001 are New Zealand cyber-governance authorities. They are not and must not be presented as New Zealand law or official New Zealand private-sector baselines. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Companies Act 1993 section 131 duty to act in good faith and in the company's best interests New Zealand courts A director exercises powers or performs duties as a director of a company. Ongoing whenever the director exercises powers or performs duties.
Companies Act 1993 section 137 director's duty of care New Zealand courts A director exercises powers or performs duties as a director, including making or overseeing decisions involving material company risk. Ongoing whenever the director exercises powers or performs duties.
Privacy Act 2020 IPP 5 reasonable security safeguards Office of the Privacy Commissioner The organisation holds personal information, including information held on its behalf by a service provider. Ongoing while the information is held and whenever systems, people, suppliers, uses or risks change.
Privacy officer appointment Office of the Privacy Commissioner The entity is a business or organisation that is an agency under the Privacy Act. Maintain at least one person fulfilling the privacy-officer role on an ongoing basis.
Notifiable privacy breach governance Office of the Privacy Commissioner A privacy breach has caused or is likely to cause serious harm to an affected individual. Notify OPC and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000.

Sources

  1. Companies Act 1993 primary
  2. Privacy Act 2020 primary
  3. Privacy Act 2020 Principle 5 — Storage and security of information primary
  4. Information for privacy officers primary
  5. Poupou Matatapu — Governance primary
  6. Poupou Matatapu — Security and Internal Access Controls primary
  7. NotifyUs of a serious privacy breach primary
  8. NCSC Cyber security governance primary
  9. NCSC Cyber Security Framework primary
  10. NCSC Critical Controls: Summary primary
  11. NCSC Protect your organisation primary
  12. More than half of New Zealand businesses experiencing cyber threats primary
  13. Choosing an IT service provider primary
  14. Business online security assessment tool primary
  15. Cyber risk: A practical guide 2025 primary
  16. Reporting cybersecurity to boards primary
  17. Cybersecurity resources for boards primary
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.