NZ Incident Response Bulletin – January 2026

Incident Response Preparedness Is Now a Baseline Expectation

Last month’s bulletin highlighted a clear shift in New Zealand’s operating environment. With the release of updated Government guidance on the Minimum Cyber Security Standards, the message was unambiguous: security maturity is no longer optional, and reactive incident response is no longer acceptable.

These standards are positioned as a baseline. They assume that organisations can detect malicious activity, understand what is at risk, and coordinate an effective response across technology teams and the wider business. Where that capability does not exist, organisations are exposed not only to cyber risk, but to regulatory, reputational, and governance consequences.

“Minimum” does not mean easy. It means expected. If you cannot quickly identify abnormal behaviour, retain and access the right evidence, or make timely decisions during an incident, you are already behind the curve.

The context has changed again, and scrutiny is rising

During the Christmas holidays, the Government commissioned a review into the Manage My Health cyber security breach. The review is examining the causes of the incident, the adequacy of security controls, and the effectiveness of the response, with the explicit aim of preventing similar events in the future.

This is an important signal. Cyber incidents are no longer viewed purely through a technical lens. They are treated as whole-of-organisation events, with scrutiny extending into governance, preparedness, decision-making, and accountability.

Recent high-profile breaches reinforce the same lesson. Once an incident becomes public, attention quickly shifts from what happened to how it was handled. In that environment, a breach is judged not just by its occurrence, but by the speed, clarity, and confidence of the organisation’s response.

In this environment, preparedness is no longer an IT responsibility alone. It is a leadership obligation.

Preparedness is not documentation. It is a capability.

Many organisations still equate incident response readiness with having a document on the intranet. In practice, preparedness is demonstrated through behaviour under pressure.

Prepared organisations can:

  • recognise an incident quickly, even when signals are ambiguous,
  • prioritise the right systems and data based on business impact,
  • make confident decisions with incomplete information,
  • coordinate technical, legal, communications, and executive actions, and
  • show evidence, after the fact, that response actions were reasonable, timely, and proportionate.

Unprepared organisations struggle with authority, lose time debating next steps, and default to improvisation. That gap is increasingly visible to regulators, customers, and Boards.

Four steps organisations should action now

1. Incident Response Planning: publish and maintain a fit-for-purpose plan

A cyber incident response plan is the organisation’s pre-agreed operating model for crisis conditions. It defines how decisions are made, who leads, how escalation occurs, and how response activities are coordinated.

Without a current and practical plan, response efforts quickly fragment. Authority becomes unclear, critical evidence is mishandled, and valuable time is lost during the most sensitive phase of an incident. A fit-for-purpose plan should be:

  • aligned to your actual business risks and critical services,
  • understood at both operational and executive levels,
  • supported by scenario-based playbooks for realistic threats, and
  • reviewed regularly, not just after a breach.

Plans should evolve as systems change, threats shift, and lessons are learned from exercises and real incidents.

Reference: https://incidentresponse.co.nz/incident-response-plan/

2. Tabletop Simulations: test decision-making, not documentation

A plan that has never been exercised remains theoretical.

Tabletop simulations are where preparedness is validated. They test how people actually behave when timelines compress, information is incomplete, and trade-offs must be made between containment, recovery, legal exposure, and public communication.

Effective simulations:

  • involve executives, legal, communications, and system owners, not just IT,
  • focus on decisions and consequences rather than technical walkthroughs,
  • surface hidden dependencies and assumptions, and
  • build shared understanding of roles under pressure.

For many leadership teams, a well-run simulation is the first time they experience the organisational and decision-making strain of a serious cyber incident. That experience is difficult to replicate any other way, and invaluable when a real incident occurs.

Reference: https://incidentresponse.co.nz/cyber-incident-simulations/

3. Post Incident Review: lock in the learnings, or repeat the incident

Too many organisations treat incident closure as the end of the process. In reality, it is the most important transition point.

A post-incident review ensures that effort spent responding results in improved resilience. Without it, the same weaknesses tend to reappear, often in the next incident.

A strong post-incident review should:

  • clearly reconstruct the timeline, including detection, escalation, and decision points,
  • identify root causes rather than symptoms,
  • assess what worked and what failed across technical and business response,
  • present findings in a format executives and Boards can act on, and
  • translate recommendations into tracked remediation actions.

Post-incident reviews should occur after material incidents and major exercises, and they should directly inform updates to plans, playbooks, and training.

Reference: https://incidentresponse.co.nz/post-incident-review/

4. Incident Response Retainer: secure year-round capability before you need it

One of the most common failure points in cyber incidents is attempting to secure specialist support during the crisis itself. At that point, organisations are under intense time pressure, internal stress is high, and external scrutiny may already be building. Delays while availability, scope, or contracts are negotiated can materially worsen outcomes.

An incident response retainer removes that risk by establishing access to expertise and essential services in advance. This typically includes readiness support, access to experienced responders, operational coordination tools, and defined engagement pathways that can be activated immediately when needed. From an executive perspective, a retainer is less about cost efficiency and more about certainty of response.

Reference: https://incidentresponse.co.nz/incident-response-retainer/

Executive Expectations and Call to Action

At an executive level, strong incident response preparedness is demonstrated when roles and decision authority are clear, leaders have practised responding under pressure, response capability is proven rather than assumed, and lessons from incidents are converted into measurable improvement. This is now the standard stakeholders expect.

Against the backdrop of clearer Government baselines, ongoing high-impact breaches, and an active Government-commissioned review into cyber preparedness, organisations should act now, not after the next incident. Preparedness must be treated as an ongoing leadership discipline, supported by a current incident response plan and risk-aligned playbooks, regular tabletop simulations, disciplined post-incident reviews, and assured access to specialist response capability.

In today’s environment, the question is not whether an incident will occur, but whether your organisation will be ready to respond when it does.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and, if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date, from a high-level perspective, with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.