Time to get serious about the legal aspects of cybersecurity
Cyber threats are escalating in sophistication and frequency, making robust preparedness a strategic imperative for businesses, including attention to the legal aspects of cybersecurity.
A new report from law firm Simpson Grierson, Cyber Risks - Be Prepared, outlines critical steps organisations must take to mitigate risks, emphasising proactive planning, informed decision-making during crises, and post-breach accountability.
Emergency preparedness and response
Cyber-breach response plans are non-negotiable, says Simpson Grierson. These should set out containment protocols, recovery measures, and predefined roles for internal stakeholders and external advisors (e.g., legal, IT and communications teams). Regular table-top simulations are recommended to stress-test the plan and expose gaps in it before a real incident does. For example, running cross-functional teams through mock scenarios helps refine coordination and decision-making under pressure.
Director liability for cyber incidents
Directors of companies hit by cyber attacks that resulted in data breaches or other damage have not yet faced legal action in New Zealand, but Simpson Grierson sees this as a “real and emerging risk for boards in this country” given developments overseas.
Key areas of potential exposure include:
• Breach of statutory duties: Companies Act duties to act in the best interests of the company and to exercise reasonable care, diligence and skill are broad enough to encompass acts (and omissions) relating to cyberattacks and data breaches. This applies across the lifecycle of a cyber incident, from failing to prepare for one to mishandling the response.
• Fair Trading Act: Directors may be personally liable under the Fair Trading Act for misleading representations about the security of systems or how their organisation manages and stores sensitive or personal information.
• Breaches of continuous disclosure obligations: The Financial Markets Authority’s recent successful enforcement action against directors and a CFO in the CBL litigation highlights that senior executives and directors can have accessory liability for breaches of continuous disclosure obligations. This could potentially extend to a failure to disclose known cybersecurity deficiencies (the basis of the Australian shareholder class action against Medibank).
“It is clear that where directors have the requisite level of knowledge of, and involvement in, a breach by the company they face a real risk of significant personal liability,” says Nina Blomfield, head of litigation at Simpson Grierson.
“Managing cyber risk is a critical issue for many boards, particularly as directors increasingly find themselves in the crosshairs of regulators, shareholders, and consumers alike. The stakes are certainly high.”
The ransom dilemma
The report highlights ransomware payments as a fraught dilemma. While 44% of New Zealand businesses attacked in the past two years paid a ransom, the government strongly advises against paying, citing ethical concerns and the absence of any guarantee that payment will resolve the incident. Legal risks also loom: a payment that breaches sanctions could expose an organisation to fines of up to $1 million. Boards are urged to debate the issue before an incident and agree on principles, guided by frameworks such as Australia’s ransomware “decision-tree”.
Insurance and legal safeguards
Cyber insurance is increasingly critical, with the global market projected to double to $29 billion by 2027. Policies often cover extortion payments and forensic costs, but businesses must notify their insurer immediately after a breach to avoid coverage disputes. Legal tools such as injunctions can restrain the exploitation of stolen data, as demonstrated in New Zealand’s Mercury IT case. Contracts should also be audited to identify notification obligations to partners or regulators, reducing liability exposure.
Strategic communication and regulatory compliance
A tight communications strategy is vital to prevent reputational harm and legal fallout. The report warns against speculative internal discussions, as emails and messages may become discoverable in litigation. For instance, Australian cases involving Optus and Medibank found that reports commissioned after the breach lost privilege protection because they served multiple purposes (e.g., public relations, regulatory compliance) rather than legal advice alone. To safeguard sensitive documents, legal counsel should be engaged early in the incident investigation so that privilege is established before reports are commissioned.
Regulatory notifications require precision. Privacy breaches likely to cause serious harm must be reported to New Zealand’s Privacy Commissioner and to affected individuals, but premature or inaccurate disclosures risk confusion or unnecessary liability. Sector-specific obligations (e.g., financial services reporting to the FMA) add complexity, underscoring the need for clear escalation protocols.
Future-proofing against evolving threats
The rise of Ransomware-as-a-Service (RaaS) and AI-driven attacks demands adaptive defences. Automated phishing campaigns and multilingual extortion schemes are likely to proliferate, necessitating investment in AI-powered threat detection. Engaging “professional ransomware negotiators” is suggested as a way to assess an attacker’s credibility, though legal and insurance advice remains essential before any engagement with the attacker.
Key takeaways for boards
Preparedness over panic: Establish and rehearse incident response plans.
Ransomware ethics: Develop a principled stance on payments, informed by legal and insurance advisors.
Privilege preservation: Restrict post-breach communications to essential personnel and involve legal counsel in documentation.
Regulatory agility: Map sector-specific reporting requirements and integrate them into response protocols.
The report concludes that cybersecurity is no longer an IT issue but a boardroom priority requiring multidisciplinary collaboration. By combining technical resilience with legal foresight and transparent governance, businesses can better withstand modern cyber threats.