When we discuss cybersecurity with Australian CEOs, the conversation inevitably turns to director liability and regulatory compliance. But increasingly, we're seeing trans-Tasman businesses grappling with a complex question: what happens when your directors operate across both sides of the ditch? New Zealand's evolving cybersecurity legislative framework is creating new liability pressures that Australian businesses with New Zealand operations - or Kiwi directors on Australian boards - simply cannot ignore.
Australian businesses have grown accustomed to navigating our own regulatory complexity - from the SOCI Act to the Privacy Act amendments. But the reality of modern business means many organisations operate with directors who hold responsibilities across both jurisdictions. When a cyber incident occurs, the question isn't just about Australian compliance anymore; it's about understanding how New Zealand's director liability framework intersects with your existing risk profile.
The challenge is that while Australia has been building a comprehensive regulatory approach to cybersecurity, New Zealand has been quietly developing its own framework - one that places significant emphasis on director accountability in ways that may surprise Australian business leaders.
Under the Companies Act 1993, New Zealand directors are obligated to exercise their powers with care, diligence, and skill (section 137), and must act in good faith and in the best interests of the company (section 131). While the Companies Act doesn't contain specific cybersecurity directives, these general duties are expected to be applied to cyber incidents, creating accountability for directors who fail to manage cybersecurity risks effectively.
The Australian Federal Court's decision in ASIC v RI Advice (2022), which found an AFS licensee in breach of its licence obligations for failing to have adequate cybersecurity risk management in place, is increasingly cited in New Zealand as a benchmark for how a regulator might frame a similar claim, including "stepping-stone" claims in which a director is pursued personally for exposing the company to a contravention. The precedent signals that New Zealand regulators such as the Financial Markets Authority (FMA) could seek to hold directors personally accountable for failing to prevent their company's cybersecurity breaches.
If directors breach these duties, they may be ordered to compensate the company and, if the company goes into liquidation, to repay or restore funds or contribute to the company's assets (section 301). A serious breach of the duty to act in good faith and in the best interests of the company is also a criminal offence under section 138A, carrying penalties of up to five years' imprisonment or a fine of up to NZ$200,000.
Under the Privacy Act 2020, there is a mandatory requirement for agencies to notify the New Zealand Privacy Commissioner and affected individuals of "notifiable privacy breaches" - defined as privacy breaches that are reasonably believed to have caused or are likely to cause serious harm to individuals.
Agencies must notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of a notifiable privacy breach, and the Privacy Commissioner has stated that it expects to be notified within 72 hours of the agency becoming aware. Failing to notify the Commissioner of a notifiable privacy breach without reasonable excuse is an offence under the Privacy Act 2020, carrying a fine of up to NZ$10,000. That figure is modest, but it understates the exposure: the reputational cost of a late or missing notification, and the evidence it provides of poor governance, is what feeds back into the directors' duties described above.
Recent amendments under the Statutes Amendment Bill have clarified that an agent's or service provider's knowledge of a notifiable privacy breach is treated as knowledge held by the principal agency. In practice this means the notification clock can start when your managed service provider or cloud vendor becomes aware of a breach involving your data, not when it gets around to telling you, effectively extending the agency's notification obligations, and the board's accountability for meeting them, across its supply chain. Contracts with providers should therefore require prompt breach notification and cooperation with the agency's own assessment.
The regulatory landscape becomes more complex when considering sector-specific requirements. The Financial Markets Authority (FMA) expects financial market participants to maintain effective cybersecurity controls and to report material incidents after the event, while the Reserve Bank of New Zealand (RBNZ) requires registered banks, licensed non-bank deposit takers and licensed insurers to report "material cyber incidents" as soon as practicable and no later than 72 hours after the entity determines that an incident is material.
Under the RBNZ rules, failing to supply required cybersecurity information can trigger significant statutory penalties: up to NZ$1 million under the Banking (Prudential Supervision) Act 1989, or NZ$500,000 under the Insurance (Prudential Supervision) Act 2010. This is a material escalation compared with the Privacy Act penalty.
These reporting requirements came into effect on 8 April 2024. For each material cyber incident, regulated entities must submit an initial report, incident updates as the situation develops, and a post-incident report once the incident is closed.
For Australian businesses with New Zealand operations, this creates a complex operational challenge. Your cybersecurity strategy must now account for different liability frameworks, different breach notification requirements and different standards of director accountability. More importantly, it requires understanding how these frameworks interact when a single incident spans both jurisdictions.
The intelligence-driven approach we advocate for Australian businesses becomes even more critical in this context. Directors need real-time visibility into cybersecurity posture across all jurisdictions, with clear escalation pathways that account for the different regulatory requirements and liability standards. In practice that means an incident response plan that maps, for each entity and jurisdiction, which regulator and which affected individuals must be notified, by whom and within what window, so that an incident affecting data on both sides of the Tasman does not miss the tighter of the two deadlines.
Directors should view recent regulatory developments as a reminder to ensure appropriate experts are engaged to assess and implement proper controls that address risks relating to cybersecurity and cyber resilience.
The New Zealand government is undertaking a phased approach to company law reform, with the Law Commission expected to commence a review of directors' duties and related issues of director liability, sanctions, and enforcement in 2025. This review will examine issues raised in landmark cases like Mainzeal, potentially further strengthening director accountability provisions.
As the threat landscape evolves, so too must director accountability frameworks. The pattern we're seeing suggests convergence towards more stringent accountability standards across both jurisdictions, particularly around emerging technologies and AI governance.
This evolution requires a fundamentally different approach to cybersecurity governance—one that treats director liability not as a compliance checkbox, but as a continuous risk management discipline. Directors need ongoing intelligence about their cybersecurity posture, regular updates on regulatory evolution, and clear frameworks for demonstrating due diligence across multiple jurisdictions.
The reality for modern directors is that cybersecurity accountability can no longer be managed in jurisdictional silos. Whether you're an Australian director with New Zealand responsibilities or a New Zealand director operating in the Australian market, your liability framework extends across borders in ways that traditional risk management approaches simply don't address.
This is where comprehensive cybersecurity partnership becomes crucial. Directors need partners who understand not just the technical aspects of cybersecurity, but the regulatory complexity of operating across multiple jurisdictions. They need intelligence-driven insights that can anticipate regulatory evolution and adaptive governance frameworks that can respond to changing accountability standards.
From our perspective working with trans-Tasman businesses, the organisations that thrive are those that treat cross-border director liability as a strategic advantage rather than a compliance burden. They implement governance frameworks that exceed the requirements of any single jurisdiction, creating resilience that positions them for success regardless of how regulatory frameworks evolve.
The cybersecurity landscape will continue to evolve, and director liability frameworks will evolve with it. New Zealand's recent changes are just the beginning of a broader trend towards enhanced director accountability for cybersecurity governance. The question for Australian businesses isn't whether to adapt to these changes, but how quickly they can implement governance frameworks that anticipate future requirements.
As cybersecurity accountability becomes increasingly complex across both Australia and New Zealand, you need a partner who operates seamlessly in both jurisdictions. Insicon Cyber delivers comprehensive cybersecurity solutions that understand the nuances of Australian and New Zealand regulatory frameworks - from the SOCI Act and Privacy Act amendments in Australia to the Companies Act 1993 and Privacy Act 2020 obligations in New Zealand.
Our trans-Tasman expertise means you get:
Don't let regulatory complexity across the ditch become your competitive disadvantage. Contact Insicon Cyber today to discover how our comprehensive trans-Tasman cybersecurity partnership can protect your directors, ensure compliance, and position your business for success - regardless of jurisdiction.
Insicon Cyber delivers comprehensive cybersecurity partnership for Australian businesses operating across complex regulatory landscapes. From advisory excellence to operational protection, we ensure your cybersecurity works as one - regardless of jurisdiction.