NZ Cyber News | CyberCover Team | 8 min read | 15 March 2026

What the CERT NZ Annual Threat Report Tells Us About Cyber Risk for NZ Businesses

Reading the CERT NZ Data: What It Actually Means for Your Business

CERT NZ (Computer Emergency Response Team New Zealand) publishes quarterly and annual threat intelligence reports that offer the clearest picture available of what's happening in the NZ cyber threat landscape. This article unpacks the key trends from recent reporting and translates them into practical business risk management decisions.

The Headline Numbers

CERT NZ received over 9,000 incident reports from NZ businesses and individuals in the most recent full year of reporting. Financial loss reported directly to CERT NZ exceeded $20 million — and this significantly understates the true figure, as most businesses do not report to CERT NZ and indirect losses (business interruption, recovery costs) are rarely captured in reported figures.

The most common incident types reported were: phishing and credential harvesting (the most frequent), scams (particularly invoice and payment fraud), unauthorised access to systems, and malware including ransomware. Scams and fraud accounted for the majority of financial loss, driven by a small number of high-value business email compromise cases.

The SME Targeting Trend

One of the most consistent findings in CERT NZ reporting is that small and medium businesses are disproportionately represented among victims. Large organisations have dedicated security teams, mature incident response capabilities, and security controls that make them harder targets. SMBs typically do not — making them both easier to attack and less likely to detect attacks promptly.

CERT NZ has specifically called out the low adoption of basic controls among NZ SMBs: multi-factor authentication remains far from universal, basic email authentication (SPF, DKIM, DMARC) is missing from a significant proportion of NZ business domains, and many businesses have not reviewed account access controls when staff depart.

Sectors Under the Most Pressure

Professional services, finance, healthcare, and retail consistently feature among the most targeted sectors in CERT NZ reporting. Professional services firms — lawyers, accountants, consultants — are targeted because they hold client financial data, operate trust accounts, and are involved in high-value transactions. The legal sector has seen specific targeting of trust accounts and conveyancing processes, with BEC attacks timed to coincide with property settlements.

The Reporting Gap — And Why It Matters for Insurance

CERT NZ consistently notes significant under-reporting of cyber incidents. Businesses often don't report for several reasons: shame or reputational concern, uncertainty about whether an incident is "serious enough" to report, not knowing that CERT NZ exists, or simply resolving incidents internally without seeking outside help. This under-reporting means the true scale of cyber crime affecting NZ businesses is substantially larger than published figures suggest.

For insurance purposes, under-reporting also means that the actuarial data insurers use to price policies is based on incomplete information. As reporting improves and the true frequency and severity of NZ cyber incidents become clearer, premium pricing and underwriting criteria will likely tighten — making earlier adoption of cyber insurance more cost-effective than waiting.

What CERT NZ Recommends — And How Insurance Complements These Steps

CERT NZ's baseline recommendations for NZ businesses align closely with what cyber insurers require and reward: enabling multi-factor authentication on all accounts, maintaining regular and tested backups stored separately from production systems, keeping software and devices patched and up to date, using unique passwords managed through a password manager, and knowing who to call when an incident occurs.

Cyber insurance sits at the end of this list as the financial safety net: when prevention fails (and statistics show it will at some point for most businesses), insurance converts what might be a business-ending event into a manageable and recoverable situation. CERT NZ's own guidance acknowledges that technical controls cannot prevent all incidents — preparation for when they fail is equally important.

Using CERT NZ Resources

CERT NZ provides free resources for NZ businesses at cert.govt.nz, including the Critical Controls checklist, incident reporting tools, and sector-specific guidance. Reporting an incident to CERT NZ doesn't carry legal obligations or penalties — it contributes to the national picture of threats and can result in direct assistance for your business during an incident.

About the Author

CyberCover Team — the CyberCover crew are self-confessed insurance geeks on a mission to make cyber cover simple, accessible and jargon-free for businesses of every size.
