OPINION

Notes from the Asia-Pacific region: Cyber risk is outpacing organizational response

Organizational response is not keeping pace with New Zealand's intensifying cyber risk environment, making integration between cybersecurity, privacy and governance essential.


Contributors:

Daimhin Warner

CIPP/E

Country Leader, New Zealand, IAPP; Partner

Simply Privacy

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

In his March address to the National Cyber Security Summit 2026, New Zealand Privacy Commissioner Michael Webster set out a clear, if somewhat uncomfortable, message — New Zealand's cyber risk environment is intensifying, but organizational responses are not yet keeping pace.

A central theme: cybersecurity has moved firmly into the spotlight. Political attention, media coverage and a steady flow of incidents have shifted it from a technical concern to a board-level issue. That much is explicit. What is perhaps more telling, though, is the commissioner's suggestion that organizations may still be underestimating the scale of the challenge.

Survey data cited from the Institute of Directors points to a persistent gap. Boards are engaging with artificial intelligence and digital transformation, but cyber and privacy oversight have plateaued. The implication — that organizations are innovating faster than they are managing risk — is not new, but it does seem to be hardening into an accepted pattern.

The commissioner's breach statistics reinforce that concern. With 61% of serious privacy breaches now attributed to malicious activity, and a growing proportion involving unauthorized access or employee browsing, the risk landscape appears to be shifting away from accidental failure toward more deliberate misuse.

Where the commissioner's speech becomes more interesting is in the way it frames the relationship between privacy and cybersecurity. He draws a clear distinction between cybersecurity, which protects all information, and privacy, which is concerned with the stewardship of personal information. But the practical message is that the two cannot operate in isolation. Privacy outcomes depend on security practices, and security decisions increasingly carry privacy consequences.

The discussion of "reasonable security safeguards" under Information Privacy Principle 5 of the NZ Privacy Act reinforces this. The commissioner frames reasonableness as a function of context, risk and recognized standards, rather than perfection. In practice, properly assessing data risk on those terms likely requires closer alignment between privacy, security and risk functions than many organizations currently have.

The focus on employee browsing is a good example. The risk is neither purely technical nor purely behavioral. It sits at the intersection of system design, access controls, culture and oversight. Addressing it effectively would seem to require coordinated action across both privacy and cybersecurity functions, rather than ownership sitting neatly with one.

My key takeaway from the commissioner's speech is that protecting personal information in today's environment is no longer something privacy functions can do alone, nor something cybersecurity functions can treat as a subset of technical risk. 

The expectation, increasingly, is that organizations take a more integrated approach that reflects how data actually flows through systems, people and processes. This need for better integration between functional domains is something the privacy profession has been acutely aware of for some time, and the IAPP has been actively positioning privacy within a wider set of digital responsibility domains, alongside cybersecurity and AI governance.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.


Tags:

Data security, Cybersecurity law, Privacy, AI governance
