Companies and organisations are being warned to pay more attention to cybersecurity, or face financial consequences and other risks for failing to adequately protect data.
A recent survey by the Institute of Directors indicated cybersecurity matters had slipped down the list of concerns for directors of New Zealand's companies and organisations, though it was identified as a top priority in a global survey by insurer Allianz.
The global survey said cyber incidents cost the world economy about US$1 trillion last year, with an average of US$4 million for data breaches, which was expected to climb to US$5m this year.
Chapman Tripp corporate and commercial partner Kelly McFadzien said recent comments by the privacy commissioner highlighted a serious issue for companies, with a 41 percent increase in the serious harm posed by privacy beaches in the six months ended December, over the year earlier.
The regulations required companies to put people and privacy ahead of reputation or risk, and to report notifiable breaches within 72 hours of identification, McFadzien said.
"For any given set of circumstances, an organisation that has suffered a data breach may have more, or less, time to notify than 72 hours.
"I think there are a lot of other competing risks and priorities for boards, particularly over the last couple of years. And so it's easy to understand potentially why cybersecurity is one of those things that could be relegated to a yearly report from the tech team or the chief digital officer."
But that would not be good enough, she said.
The threats to data were increasing and evolving at a rapid pace, with a rise in malicious activity and cyberattacks, and strengthening cybersecurity was not a nice to-have but a must-do, she said.
"It's a complex intersection of technology and risk and people and the time to be thinking about it as not reactive, when we're not if a cyber risk hits you, and to be showing that you're not having to respond to a live situation, but that you've got processes and rescue plans in place for dealing with a situation when it happens."
The recommended approach was for organisations to treat all ransomware attacks as having the potential to cause serious harm, which meant any instance of malicious activity involving ransomware will initially meet the threshold for notification to the Privacy Commission.
Companies could face financial consequences if they failed to report a breach as soon as practicable.
Additionally, companies could face further liability for the breach itself if they have not adequately protected data.
Australia recently lifted penalties for companies who fail to adequately protect data to A$50m, McFadzien said.
Those regulations could be applicable to New Zealand companies with exposure in Australia, she said.