Insicon Cyber, 4/11/25 9:52 AM, 12 min read
Every six minutes, a cybercrime is reported to the Australian Signals Directorate. Across the Tasman, more than half of New Zealand's small to medium businesses experienced an online threat in the six months to September 2025. For directors governing organisations with operations spanning Australia and New Zealand, the message is unequivocal: board-level cyber governance is no longer optional; it is a strategic imperative that demands informed oversight, continuous adaptation and coordinated action across jurisdictions.
As we navigate through 2025-26, two significant Australian publications have established clear priorities for boards, while New Zealand's governance frameworks continue to evolve in parallel. For trans-Tasman directors, understanding both landscapes and how they intersect is critical to fulfilling governance responsibilities effectively.
The Australian Institute of Company Directors (AICD) and Australian Signals Directorate (ASD) Cyber Security Priorities for Boards of Directors 2025-26 represents something unprecedented: a direct collaboration between Australia's leading governance body and our national signals intelligence agency.
This isn't generic cybersecurity advice. The guidance is informed directly by ASD's threat intelligence gathering and identifies four priority areas where Australian boards must engage with management in 2025-26.
Robust event logging is foundational to detecting and responding to cyber threats. The guidance asks whether organisations are collecting event logs from network devices, security appliances, operating systems, applications, databases and cloud services, whether logs are configured to capture sufficient detail, whether they're time-synchronised and forwarded to centralised logging systems, and whether detection rules are defined for known threats and anomalies.
For trans-Tasman boards, this raises an important set of questions: are your logging capabilities consistent across both Australian and New Zealand operations? Do your New Zealand subsidiaries have the same visibility into security events as your Australian parent company? Time zone differences and separate IT infrastructure can create blind spots that sophisticated attackers exploit.
Legacy IT presents significant and enduring risks to organisational cyber security posture. Directors must understand which legacy systems exist across their trans-Tasman operations, assess the vulnerabilities these systems present, and oversee management's plans for risk mitigation while maintaining business continuity.
In our experience working with organisations operating on both sides of the Tasman, legacy systems often proliferate during mergers and acquisitions. An Australian company acquiring a New Zealand business may inherit outdated technology that becomes the weakest link in the combined entity's security posture. Boards need visibility into this risk at a group level, not just within individual operating companies.
Modern organisations depend on complex supplier ecosystems. For trans-Tasman operations, this complexity multiplies. Your Australian operations may rely on local suppliers, while your New Zealand business uses different vendors for similar services. Some suppliers serve both jurisdictions, creating concentration risk.
Boards need assurance that third-party risks are understood, contractually managed and continuously monitored across all operations. This includes understanding where data flows between jurisdictions, which suppliers have access to systems in both countries, and whether supplier security standards are consistently applied.
Quantum computing will fundamentally disrupt current encryption methods. Forward-thinking boards are asking management how organisations are preparing for this cryptographic transition and protecting long-term sensitive data.
For trans-Tasman organisations, quantum readiness planning must consider both Australian and New Zealand regulatory requirements as they evolve. The timeline is uncertain, but the need for preparation is not. Boards should ensure roadmaps exist that cover all jurisdictional operations.
The ASD Corporate Plan 2025-26 provides critical context for understanding these priorities. ASD's purpose is to defend Australia from global threats and advance our national interest through foreign signals intelligence, cyber security and offensive cyber operations.
The Corporate Plan emphasises that Australia faces its most complex and challenging strategic environment since the Second World War, with entrenched and increasing competition a primary feature. This isn't hyperbole. Directors need to understand that the threat environment has fundamentally shifted, driven by geopolitical tensions across the Middle East, Ukraine and the Indo-Pacific.
State-based actors are pre-positioning for disruptive attacks against critical infrastructure. For boards, this means cybersecurity is no longer just about protecting against opportunistic criminals. Nation-state threats require different thinking about risk, resilience and response.
ASD is investing in enhanced cyber capabilities through the REDSPICE program and emphasising adaptive capability to handle increasing data complexity and respond to technological developments. Boards should mirror this adaptive mindset in their own governance approach.
While Australian boards are digesting the AICD/ASD guidance, New Zealand directors are navigating their own evolving landscape of cyber governance expectations.
The Institute of Directors New Zealand released an updated Cyber Risk: A Practical Guide in March 2025, which includes guidance on managing quantum computing risks, improving resilience against AI-driven threats and strengthening governance over third-party security. The similarities to the Australian priorities are striking and deliberate.
The IoD NZ guide retains five core principles for boards in their oversight of cyber risks, emphasising that cybersecurity is not just an IT issue but an organisation-wide risk affecting strategy, resilience and business continuity.
Critically, the guide notes that boards must prioritise cyber risk, build their own cyber literacy and ensure they have access to the right expertise, while remaining aware of evolving privacy laws, regulatory obligations and the legal consequences of cyber incidents.
In July 2024, New Zealand's Computer Emergency Response Team (CERT NZ) was integrated into the National Cyber Security Centre (NCSC) organisational structure, forming the New Zealand Government's lead operational cyber-security agency. This consolidation mirrors Australia's integrated approach through the Australian Cyber Security Centre (ACSC) within ASD.
For the period from 1 April to 30 June 2025, a total of 1,315 incidents were reported to the NCSC. Like Australia, New Zealand is experiencing sustained and increasing cyber threat activity.
In April 2025, New Zealand's Office of the Auditor-General released "Mind the gap: Governing cyber security risks", which found that although governors are taking cyber security seriously, they have more work to do to support their organisations to reduce the gap between the amount of cyber security risk they are comfortable with and the amount of risk they currently face.
This finding should resonate with Australian directors as well. Understanding your organisation's risk appetite is one thing. Ensuring your actual security posture aligns with that appetite is quite another.
For directors governing organisations with operations in both Australia and New Zealand, several themes emerge from comparing the 2025-26 guidance:
Both the AICD/ASD Australian guidance and the IoD NZ updated practical guide emphasise quantum computing risks. This alignment reflects global recognition that quantum-safe cryptography isn't a distant concern; it's something boards should be planning for now.
For trans-Tasman organisations, this means ensuring your quantum readiness roadmap covers all operations. Don't let your New Zealand subsidiary become the overlooked weak point in your group's cryptographic transition.
The IoD NZ guide emphasises improving resilience against AI-driven threats. While the AICD/ASD guidance doesn't explicitly prioritise AI threats, the broader Australian discourse certainly does, particularly around AI governance.
Trans-Tasman boards need to consider how AI is being used both by your organisation and against it. Are your Australian operations deploying AI capabilities without equivalent governance frameworks in New Zealand? Are both sides of the Tasman equally prepared for AI-enabled phishing, deepfakes and automated attacks?
Both jurisdictions emphasise third-party and supply chain risks. For trans-Tasman organisations, this is particularly complex. You may have:
Boards need a consolidated view of supply chain risk across the group, not siloed assessments that miss cross-border dependencies.
The AICD/ASD guidance makes event logging priority one. While the IoD NZ guidance doesn't explicitly prioritise logging in the same way, the underlying requirement for visibility, detection and response is identical.
Trans-Tasman boards should ask: do we have equivalent logging and detection capabilities in both jurisdictions? If a sophisticated attack targets our New Zealand operations, do we have the same visibility and response capability as we would for our Australian business?
While the threat landscape and governance principles converge, the regulatory frameworks diverge in ways that trans-Tasman directors must understand.
Australian boards are navigating:
New Zealand directors are working with:
For organisations operating in both jurisdictions, regulatory complexity is real:
Breach Notification: Both countries require breach notification, but the thresholds, timeframes and reporting authorities differ. Your incident response plan must account for both regimes.
Critical Infrastructure: If your Australian operations fall under SOCI, but your New Zealand operations don't have equivalent obligations, how do you ensure consistent security posture? Should you apply SOCI-equivalent controls across the group?
Privacy and Data Flows: Trans-Tasman data flows are common, but the legal frameworks differ. Boards should understand where customer and employee data is stored, how it moves between jurisdictions, and what obligations apply.
Legal Privilege: There are differences in the law governing legal advice privilege in New Zealand and Australia. Unlike in Australia, New Zealand's statutory definition of legal advice privilege makes no mention of the need for a dominant purpose. This affects how boards should structure cyber incident investigations and what protection they can expect for reports.
Drawing from both the Australian and New Zealand guidance, here are the strategic questions every trans-Tasman board should be asking:
"Can we confidently state that we understand the cyber security posture of our entire group, including all Australian and New Zealand operations? Do we have consolidated reporting that shows us our weakest points across jurisdictions?"
Too often, boards receive separate reports from Australian and New Zealand operations, making it difficult to identify group-wide vulnerabilities or cross-border attack vectors. Ensure your reporting provides a holistic view.
"If we experience a cyber incident in our New Zealand operations, do we have the same response capability as we would for an Australian incident? Are our logging, detection and response capabilities equivalent across jurisdictions?"
The most sophisticated attacks don't respect borders. Attackers may target your perceived weakest point, whether that's in Sydney or Auckland. Your defences need to be consistently strong.
"Do we understand which suppliers have access to systems or data in both jurisdictions? If a key supplier experiences a breach, what's the blast radius across our trans-Tasman operations? Have we tested our ability to respond to a supply chain incident?"
Supply chain attacks are increasing. The AICD/ASD guidance and IoD NZ guidance both emphasise this for good reason. Trans-Tasman operations add complexity that attackers can exploit.
"Is our approach to quantum-safe cryptography, AI governance and other emerging challenges being coordinated across both jurisdictions, or are we allowing inconsistent preparation that creates risk?"
Emerging threats won't wait for organisations to align their trans-Tasman approaches. Start coordinating now on quantum readiness, AI governance and other forward-looking priorities.
The Latitude Financial cyberattack in March 2023 provides a sobering case study for trans-Tasman boards. The attack exposed the personal records of 14 million customers, including a million New Zealand driver's licence numbers and 40,000 passport records.
The response required coordinated action between the New Zealand Privacy Commissioner and the Office of the Australian Information Commissioner, triggering a joint privacy investigation. This resulted in a $1 million legal claim by an affected customer and opened the door to potential class action proceedings, demonstrating the real legal and regulatory exposure trans-Tasman boards may face following a significant incident.
For boards, the Latitude incident demonstrates:
The most effective trans-Tasman boards are moving beyond compliance thinking toward resilience thinking. This shift requires:
Rather than ensuring Australian operations comply with SOCI while New Zealand operations meet PSR requirements, develop an integrated cyber security strategy that meets the highest standards across the group. Use the strongest regulatory framework as your baseline everywhere.
Invest in threat intelligence capabilities that cover both jurisdictions. When ASD issues warnings about specific threat actors or NCSC releases advisories, ensure both sides of your organisation can respond effectively.
Develop board reporting that provides a consolidated view of cyber risk across all operations. Include metrics that matter:
Ensure your cyber security teams on both sides of the Tasman collaborate effectively. Consider:
The threat environment is evolving rapidly. Your governance approach must evolve with it. This means:
For trans-Tasman boards, working with cybersecurity partners who understand both jurisdictions can provide significant advantages. The right partner can:
Translate Regulatory Requirements: Help boards understand how different Australian and New Zealand requirements apply to their specific operations and what harmonised approach makes sense.
Provide Consolidated Visibility: Deliver reporting and monitoring capabilities that provide a single pane of glass across both jurisdictions, rather than forcing boards to piece together separate views.
Enable Consistent Implementation: Ensure that strategic decisions made at board level translate into consistent operational capability on both sides of the Tasman.
Deliver Adaptive Capability: As the threat environment evolves and new guidance emerges (like the AICD/ASD 2025-26 priorities), help boards adapt their approach without starting from scratch.
At Insicon Cyber, we work with trans-Tasman organisations to create this kind of comprehensive approach. Our Australian base gives us deep familiarity with the AICD frameworks, ASD guidance and local regulatory requirements. Our work with New Zealand clients ensures we understand the IoD guidance, NCSC expectations and the nuances of cross-border operations.
As we move through 2025-26, several trends will shape board cyber governance for trans-Tasman organisations:
Both Australia and New Zealand will continue refining their cyber security regulatory frameworks. Australia's strategic environment is becoming increasingly challenging, and New Zealand faces parallel pressures. Expect more requirements, not fewer.
Boards should ensure they have mechanisms to track regulatory developments in both jurisdictions and assess implications for the group.
Recent global events have shown that organisations must be prepared for state-based actors pre-positioning for disruptive attacks against critical infrastructure and services. Australia and New Zealand's geographic position in the Indo-Pacific means both countries are navigating complex geopolitical dynamics.
Trans-Tasman boards should consider state-sponsored threats as part of their strategic risk landscape, not as theoretical concerns but as real possibilities that require preparation.
The focus on quantum-safe cryptography and AI-driven threats in both the Australian and New Zealand guidance signals that these are no longer future concerns. They're current governance priorities that require board attention now.
Trans-Tasman boards should ensure management has concrete plans and timelines for quantum readiness and AI governance, not vague commitments to "monitor developments."
Supply chains will remain a critical vulnerability. As global trade patterns shift and geopolitical tensions affect supplier relationships, boards need increasing visibility into third-party risks across their trans-Tasman operations.
Based on the AICD/ASD priorities, IoD NZ guidance and our experience working with trans-Tasman organisations, here are concrete steps boards can take:
Immediate (Next Board Meeting):
Short Term (Next Quarter):
Medium Term (Next 6-12 Months):
The AICD/ASD Cyber Security Priorities for Boards 2025-26 and the parallel guidance from IoD New Zealand represent something significant: recognition by leading governance bodies and national security agencies that directors must play an active, informed role in cyber security governance.
For boards governing trans-Tasman organisations, this guidance creates both obligation and opportunity. The obligation is to lift cyber literacy, ask harder questions and ensure organisations are genuinely prepared for an evolving threat environment that doesn't respect borders. The opportunity is to turn cybersecurity governance into a strategic advantage that builds resilience, stakeholder trust and competitive positioning.
The four priorities from the AICD/ASD guidance (event logging, legacy IT risks, supply chain security and quantum readiness) aren't just Australian concerns. They're universal challenges that New Zealand operations face as well. The convergence of guidance from both sides of the Tasman makes this the moment for trans-Tasman boards to elevate their approach.
Directors don't need to become cybersecurity technicians. They do need to exercise strategic oversight, ask informed questions, ensure adequate resources are allocated, and hold management accountable for building resilience across all operations.
As we navigate 2025-26's complex threat environment, the boards that will succeed are those that embrace cyber governance not as a compliance burden but as a strategic imperative that requires sustained attention, continuous adaptation and coordinated action across their entire trans-Tasman enterprise.
The question isn't whether cyber security should be a board priority. The AICD, ASD, IoD NZ and every serious governance expert have answered that question definitively. The only remaining question is whether your board is prepared to provide the strategic oversight that this priority demands.
About Insicon Cyber
Insicon Cyber is a trusted cybersecurity partner, delivering integrated solutions from boardroom strategy to 24/7 threat detection and response. We work with organisations operating across Australia and New Zealand, helping boards navigate complex trans-Tasman cyber governance requirements with confidence. Our board cyber advisory services translate threat intelligence and regulatory requirements into actionable strategies, backed by operational excellence and continuous support.
Contact us to discuss how we can support your trans-Tasman board's cyber governance objectives.
Australian Resources:
New Zealand Resources: