Governance and Incident Response
16 March 2026
2026 has been a busy year for incident response in New Zealand. Manage My Health was subject to a ransomware and data theft attack in January and MediMap experienced an unauthorised modification of data by an attacker in February.
There has been significant commentary on both of these incidents and the way they were handled by their respective companies. The Ministry of Health is conducting a review and has confirmed that it will be ‘considering the broader issue of how private companies secure health data’. Governance is a core focus area in both the government led review and the review launched by the Privacy Commissioner.
We expect these reviews will have a great deal to say about what constitutes reasonable steps, robust assurance and risk management. In this CyberCuration, however, we take a look at the critical role of governance and the Board when preparing for an incident.
Roles and Responsibilities
In the midst of an incident, clear roles and responsibilities are critical. The Board must govern and provide friction; the leadership team must lead the operational response.
Explicitly define who does what, and what information they need in order to act, across your range of threat scenarios.
For example, make sure it’s clear who is responsible for:
- Communications with regulators, insurers and investors vs staff, stakeholders and customers
- Developing a response to extortion demands vs approving that response
- Setting and executing response strategy
- Engaging 3rd party specialists
- Commissioning independent reviews
- Taking down services and recovery priorities vs risk appetite and safe restoration.
Define the activities required during an incident at the leadership level and be very clear with the Board about what they need to address, who will do it, where the inputs will come from and when.
Provide Friction
The governance role provides friction to the leadership team. The Board needs to ask the questions that ensure the team responsible for the response is neither overly optimistic nor too defensive.
They must force transparency, ensuring that teams continue to communicate and that messaging and communication are aligned with the response strategy and supported by facts.
The Board must apply friction to notions of a quick fix. They must ask questions to ensure that evidence is preserved and that vulnerabilities are not reintroduced during the restoration of data.
The Board must apply friction to the regulatory process. They must satisfy themselves that they understand any regulatory impacts and that communications are timely.
Together with the leadership team, define and clarify what assurance you have and what further assurance you want, to satisfy that the risks
Take Advice
If you don’t have someone on the board who can translate technical risks into business impacts, then you need to import that advice.
The Privacy Commissioner has signalled that a failure to seek expert advice when Boards lack internal skills could be evidence of a failure to take ‘Reasonable Steps’ under Privacy Principle 5.
The Institute of Directors highlights that relying solely on management reporting can create blind spots. Management may unintentionally downplay risks to preserve performance.
The duty of care for a Director requires you to be inquiring. If you don’t know the questions to ask or the answers to expect then you have a duty to engage someone who does.
Review the skills you have as a Board in this space and determine whether you can adequately satisfy yourselves that you have taken reasonable steps to protect your information and that you can discharge your duties in an incident. The NZ Institute of Directors has good resources to help you understand what you need to know: https://www.iod.org.nz/resources-and-insights/guides-and-resources/cyber-risk-a-practical-guide-2025#/
Practice
Realistically, you will never be practiced enough to govern through a crisis if your core business isn’t crisis.
However, simulations aren’t just for the first responders. You can regularly run simulations and tabletop exercises to rehearse your procedures in different scenarios and under different conditions.
As you develop your roles and responsibilities, communications plans, strategies and frameworks, you will find that many of the questions you ask will be answered with ‘it depends…’. Practising specific scenarios will allow you to better understand and prepare for the decisions you will face and the actions you might take.
There are a number of resources at your fingertips to help you do this. The Australian Signals Directorate and the UK National Cyber Security Centre both offer ‘Exercise in a Box’, a free service that you can use to simulate and practise incident response: https://www.cyber.gov.au/business-government/exercise-in-a-box
Get in touch…
We are a specialist group of senior security practitioners with a proven track record of delivery, built on insight, deep domain knowledge and experience.
If you want to make a difference instead of ticking boxes, get in touch with us… info@cybercure.co.nz
