A recent survey has revealed that a majority of New Zealanders want stricter penalties for companies suffering cybersecurity breaches.
The research, orchestrated by Anthem alongside Talbot Mills Research, involved feedback from over 1,000 participants to understand public sentiment regarding corporate accountability in the wake of cyber incidents.
The survey's results pointed to a clear demand for more stringent actions against cyber threats, with a significant portion of respondents signalling that the current maximum fine of $10,000 for cybersecurity breaches in New Zealand is too lenient.
Comparative analysis with international standards showed New Zealand's cybersecurity fines are relatively modest. For instance, Europe can impose fines up to $20 million, and Australia's maximum can reach $50 million.
According to the survey, 40% of respondents advocated for fines exceeding $100,000, and 23% suggested that fines for significant breaches involving large organisations should be no less than $500,000.
Palo Alto Networks managing director Misti Landtroop suggested a re-evaluation of the approach towards fines, proposing a shift towards reward systems that encourage transparency and proactive measures in cybersecurity practices.
“When considering higher fines for cyberattacks, it's crucial to question where the money goes and is it being used to help protect Kiwis from future attacks? Instead of relying solely on punitive measures, there's value in exploring more nuanced reward systems. Transparency regarding cybersecurity breaches and investments is increasingly recognised as a strategic and competitive advantage in today's landscape,” she said.
The importance of timely and clear communication with customers following a cybersecurity breach was another critical insight from the survey.
An overwhelming 92% of those surveyed emphasised the need for immediate notification about breaches, and 91% supported the requirement for businesses to disclose previous cybersecurity incidents and the measures taken to address them.
Additionally, 65% of participants believed the financial burden of cybersecurity breaches should fall on the company's board of directors, highlighting the expectation for senior management to take responsibility for cyber risk management.
Drawing an analogy to communal garden care, Microsoft New Zealand technology strategist Hilary Walton stressed the collective responsibility within organisations to maintain cybersecurity vigilance.
“Organisations must be transparent with their customers about the steps they are taking to remedy cyberattacks, providing clear timelines for when updates will be released. Scenario planning and pre-prepared communications will help expedite this process and get customers informed quicker, reinforcing the vital connection between communication, customer trust, and respect,” she said.
The survey also revealed the potential impact of cybersecurity breaches on consumer loyalty, with 71% stating they would consider switching their business following a breach. This highlights the broader implications of cyber incidents beyond financial penalties, touching on reputation and customer trust.
Anthem co-founder Jane Sweeney emphasised the strong call from the public for more rigorous cybersecurity measures and the critical nature of transparent, customer-oriented communication post-breach.
“Companies should take notice of the number of New Zealanders who will take their business elsewhere if they aren't satisfied with their response to a cyberattack. It's not just a fine at stake, but their reputation and the trust of their customers,” she said.
Talbot Mills Research managing director David Talbot added: “As cybercriminals become increasingly sophisticated, experts say attacks are likely to increase, and our research shows New Zealanders are looking for accountability and clear communication, otherwise they will vote with their feet.”
This study forms part of the “Fair Enough?” series, which seeks to delve into public perceptions on a range of issues, focusing on fairness and the management of reputational risks.