You can see the threat. Can you survive it? The ANZ recovery gap that every board needs to close.
Insicon Cyber
Updated on April 21, 2026
Three quarters of organisations across Australia and New Zealand believe they can handle a cyber attack. Fewer than one in three have a formal plan for when it happens. That is not a technology problem. It is a governance problem. And it is exactly the kind of gap that ends careers, ends contracts, and ends trust with customers.
New research puts that gap in sharp relief. The Datacom 2026 Cybersecurity Index, drawing on responses from 714 security leaders across Australia and New Zealand, found that only 30 per cent of organisations have a business continuity or cyber incident response plan in place. The rest are confident they can see the threat coming. They just have no clear plan for surviving it.
For boards and executive teams, this is the conversation that matters most right now. Not whether your firewall is patched. Not whether your SIEM is generating alerts. Whether your organisation can function, recover, and retain customer trust in the hours and days after a serious incident lands.
The research surveyed 506 security leaders in Australia and 208 in New Zealand. The findings reveal a confidence gap that should concern every board.
Among New Zealand respondents, 73 per cent said they had sufficient visibility of risks, vulnerabilities, and compliance. Seventy-eight per cent said they had the internal resources to deal with a cyber attack. Strong numbers. Reassuring, even. But set those against a 30 per cent business continuity planning rate and a very different picture emerges. Organisations can see the threat. Most have no tested pathway through it.
The pattern holds across the Tasman. Australian respondents showed similarly high confidence in monitoring and detection while lagging significantly on operational recovery planning. The report's conclusion is direct: detection is now table stakes; resilience is the differentiator. On these numbers, roughly 70 per cent of organisations have no formal plan for surviving a serious attack when it comes.
There is a related data sovereignty thread worth noting. Fifty-one per cent of New Zealand organisations said they were concerned about where their data is held and processed, and 48 per cent said those concerns were actively affecting their cybersecurity approaches. For organisations weighing their cloud strategy and managed services partnerships, the location of your data and the jurisdiction of your security operations centre matters. It is not an abstract policy question. It has direct operational implications for incident response.
AI-enabled attacks ranked as the top concern on both sides of the Tasman. Phishing and social engineering campaigns are becoming more effective through greater use of automation, deepfakes, and synthetic identities, compressing attack timelines from weeks to hours. The time available to detect, contain, and recover is shrinking. The cost of not having a plan is rising.
If the research captures the risk, the FIIG Securities Federal Court decision captures the consequence.
In February 2026, the Federal Court of Australia ordered FIIG Securities to pay AUD 2.5 million in civil penalties plus AUD 500,000 in costs, following proceedings brought by ASIC over cyber security failures that contributed to approximately 385GB of client data being compromised in a May 2023 attack. Around 18,000 FIIG clients were affected.
This is the first time the Federal Court has imposed civil penalties for cyber security failures under general Australian Financial Services Licence obligations. The signal from ASIC is unambiguous. Cyber resilience is no longer an IT matter sitting below the licence threshold. It is a licence-to-operate condition.
ASIC's 2026 key issues outlook makes the position explicit: regulators will assess not just whether risk management frameworks exist, but whether they are consistently implemented, proportionate to the nature and sensitivity of the business, and subject to active governance and oversight. A policy document sitting in a shared drive does not constitute a framework. A framework that has never been tested does not constitute resilience.
For boards of AFSL holders, this case is a reference point. For boards of organisations operating under APRA CPS 230 and CPS 234, the Privacy Act 1988 (Australia), the Privacy Act 2020 (New Zealand), and equivalent frameworks, the trajectory is the same: regulators in both countries are moving toward enforced accountability for cyber governance, not just reported compliance.
The FIIG breach began in March 2019. It was not detected and contained for four years. The question every board should be asking is not whether a breach is possible. It is how long yours would go undetected, and what your organisation looks like on the other side.
Context matters. This is not a low-volume threat environment in which a small number of sophisticated targets bear the bulk of risk. The Australian Signals Directorate received nearly 85,000 cybercrime reports in 2024-25. That is one every six minutes. Individual victims lost more than $22,000 on average.
New Zealand's 2026-30 Cyber Security Strategy, released earlier this year, acknowledged that malicious cyber activity is now integral to broader geopolitical campaigns, with state-sponsored attacks affecting critical systems reaching into the Pacific neighbourhood. The threat is not abstract or distant. It operates across all sectors, at volume, every day.
1,700 Victorian government schools. Australian state and federal courts across five jurisdictions. A New Zealand medication management platform serving aged-care residents. A children's toy retailer with dozens of stores across Australia and New Zealand. A resort hotel and conference venue on Victoria's Mornington Peninsula. A global medical technology company.
They are organisations operating in the same peer group as Insicon Cyber’s clients, so here is what boards across that peer group need to understand. This is not a hypothetical risk profile. It is the environment your organisation is already operating in.
The Australian Signals Directorate has issued an active advisory on the INC Ransom group, identifying its campaigns as a specific threat to networks in Australia, New Zealand, and Pacific island states. The same conditions highlighted in the research — high confidence in detection, low investment in recovery — are the conditions that allow groups like INC Ransom to maximise impact.
Detection without a recovery plan does not limit damage. It just means you know exactly what is happening as it gets worse.
Closing the gap between detection confidence and recovery readiness is not primarily a technology purchase. It is a governance and investment decision that starts in the boardroom.
The research puts it plainly: the gap between how quickly leaders believe they can recover and how long recovery actually takes is not a technology problem. It is a preparedness problem. Detection reduces surprise. It does not reduce disruption. And disruption is what costs organisations customers, revenue, and trust.
A mature recovery posture includes a tested incident response plan, not a draft. It includes defined roles and decision authorities for the first 24 hours of an incident: who declares, who communicates, who liaises with law enforcement, who manages the regulator notification. It includes a board-level understanding of recovery time objectives for critical systems. And it includes a managed security operations capability that focuses as much on mean time to recover as on mean time to detect.
For organisations operating under APRA CPS 230, the operational resilience obligations are explicit. Boards must understand and formally approve the organisation's risk tolerance for operational disruption, including cyber incidents. For organisations governed by the NZ Privacy Act 2020 and NZISM, the same expectation applies: documented, tested, board-approved response capability.
The role of a fractional CISO in this environment is not to produce another policy document. It is to drive this conversation into the boardroom before the breach arrives, build the testing cadence that turns a plan into a practiced capability, and ensure that when regulators ask what the organisation had in place, the answer is demonstrable and proportionate. Not aspirational.
Three in ten ANZ organisations are already there. For boards that want their organisation in that group, the first step is an honest conversation about the gap between what you believe you can do and what you have actually tested.
30% of Australian and New Zealand organisations have a business continuity or cyber incident response plan in place. The remaining 70 per cent have invested in detection without investing in survival.
Insicon Cyber works with boards and executive teams across Australia and New Zealand to build tested, proportionate cyber resilience, from incident response planning and board advisory through to 24/7 threat detection and response via our Australian-headquartered adaptive SOC.
If your organisation has invested in detection and monitoring but has not yet stress-tested its recovery capability, that is the conversation to have before an incident forces it.