Patrick is a commercial lawyer at Sprintlaw with experience in franchising, commercial contracts and intellectual property.
If you run a business in New Zealand, chances are you rely on emails, cloud software, online payments, shared drives, and devices that move between home and work. That convenience is great for growth, but it also means cyber security isn’t just an “IT issue” anymore - it’s a business risk issue.
A cyber security policy is one of the simplest ways to get everyone on the same page about how your business protects information, systems, and customer trust. And because cyber incidents are increasingly common (and privacy expectations are higher than ever), it’s worth making sure your approach is current - which is why we’ve updated this guide.
So, do you need a cyber security policy? In most cases, if you handle customer information, take online payments, store business IP, or have staff accessing business systems, the practical answer is yes.
What Is A Cyber Security Policy (And What Does It Actually Do)?
A cyber security policy is a written set of rules and procedures that explains how your business protects its systems and data day to day.
It’s not the same thing as “having antivirus”, and it’s not just a document you put in a drawer. A good cyber security policy sets clear expectations for your team and creates repeatable processes - especially when something goes wrong.
What A Cyber Security Policy Usually Covers
Most cyber security policies include practical rules such as:
- Access control: who can access what systems, and how access is granted/removed (especially when someone leaves).
- Password and authentication standards: minimum password requirements, password manager use, and multi-factor authentication (MFA).
- Device and remote work rules: expectations for laptops, phones, home Wi-Fi, and public networks.
- Email and phishing awareness: how to identify suspicious messages and what to do if you click something.
- Software updates and patching: who is responsible for updates (and how quickly they must happen).
- Backups: what is backed up, how often, and how restores are tested.
- Data handling: how customer and business data is stored, shared, and deleted.
- Incident response: the steps to take if there’s a suspected breach, ransomware, lost device, or unauthorised access.
- Third-party risk: expectations for vendors (like IT providers, SaaS tools, and payment platforms).
This kind of policy is often supported by related documents and processes - for example, staff confidentiality rules, onboarding/offboarding checklists, and clear boundaries on acceptable system use. Many businesses roll those expectations into a handbook or internal policies, but the cyber security policy keeps the “security essentials” in one place.
Why Having A Policy Matters (Even If You’re Small)
Cyber incidents don’t just hit large organisations. In practice, smaller businesses can be attractive targets because they often:
- have fewer security controls and less training
- use shared logins
- rely heavily on one or two “admin” people
- use common tools that attackers already know how to exploit
A policy helps you move from “we’ll deal with it if it happens” to “we already know what to do”. That saves time, money, and stress - and it can significantly reduce the size of the damage.
When Do You Legally Need A Cyber Security Policy In New Zealand?
There isn’t one single New Zealand law that says “every business must have a cyber security policy”. But there are legal obligations that effectively push you towards having one - especially if you collect, use, store, or share personal information.
Privacy Act 2020: Reasonable Security Safeguards
If you handle personal information (like customer details, employee records, names, emails, addresses, health information, or payment-related information), you’ll have obligations under the Privacy Act 2020.
In plain terms, you’re expected to take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure.
A cyber security policy is one of the clearest ways to show you’ve taken “reasonable steps” - because it documents the safeguards you expect your business to follow.
It’s also closely linked with your external-facing Privacy Policy, because what you promise customers about how you protect and use their data should align with what you actually do internally.
Notifiable Privacy Breaches: You Need A Plan
Under New Zealand privacy law, some privacy breaches may need to be reported (for example, to the Privacy Commissioner and/or affected individuals) if they’re likely to cause serious harm.
Whether a breach is “notifiable” depends on the circumstances, but what matters here is this: if something happens, you’ll want a clear internal process for:
- identifying and containing the incident
- preserving evidence (so you can work out what happened)
- assessing harm
- deciding whether notification is required
- communicating with affected customers/staff
This is where an incident response section in a cyber security policy can be a lifesaver - it reduces confusion and helps you act quickly.
Industry-Specific Requirements (Where A Policy Is Often Expected)
Depending on what you do, you might also have cyber security expectations coming from:
- contracts with enterprise customers (who may require policies, audits, or minimum standards)
- payment providers and card processing requirements (often tied to PCI DSS expectations)
- health, education, or financial services environments where sensitive data is handled
- government or council tenders, where suppliers are asked to prove their security controls
Even if a law doesn’t explicitly force you to have a written policy, your commercial reality might.
What Risks Do You Face Without A Cyber Security Policy?
If you don’t have a cyber security policy, the real issue is usually inconsistency.
When everyone “does their own thing”, you can end up with weak links that are hard to spot until something goes wrong. And when something does go wrong, it can be harder to prove you took reasonable steps to protect information.
Common Problems We See In Small Businesses
- Shared logins: you can’t track who accessed what, and it’s difficult to remove access cleanly.
- No clear offboarding: former staff or contractors may still have access to email, drives, CRMs, or social accounts.
- Phishing “close calls”: staff don’t know what to do when they suspect a scam, so issues aren’t escalated quickly.
- Unapproved apps: staff sign up for tools using work emails, creating unknown data storage locations (“shadow IT”).
- Weak remote work setup: work devices used on insecure Wi-Fi or mixed with personal accounts.
- No incident plan: people panic, systems get wiped too early, or key steps are missed.
Legal And Commercial Consequences
Cyber incidents can lead to:
- privacy complaints (and time-consuming investigations)
- customer trust damage and reputational harm
- business interruption (including downtime from ransomware)
- contract disputes if you can’t deliver services due to a cyber incident
- employee issues if staff data is exposed
And if you make public statements about your security practices that don’t reflect reality, you can also create risk under general consumer and fair dealing principles. It’s another reason to keep your policies accurate, practical, and actually followed.
What Should A Good Cyber Security Policy Include For A New Zealand Business?
The best cyber security policy is the one your business can actually follow. For most SMEs, that means keeping it practical, assigning responsibilities, and aligning it with how your team works.
Core Sections To Include
Here are the sections we typically recommend considering.
- Purpose and scope: what the policy covers (systems, devices, staff, contractors) and what it’s trying to achieve.
- Roles and responsibilities: who is responsible for decisions, approvals, training, and incident escalation.
- Access management: rules for account creation, permission levels, admin access, and removal of access.
- Authentication standards: password rules, MFA requirements, and use of password managers.
- Acceptable use and email rules: what is (and isn’t) allowed, especially around suspicious links, attachments, and unknown software.
- Data classification and handling: how sensitive data is stored and shared, including encryption expectations where appropriate.
- Remote work and device security: device locks, updates, Wi-Fi expectations, and separation between work/personal use.
- Backups and recovery: backup frequency, storage, retention, and testing restores.
- Incident response: what to do immediately, who to contact, how to contain the issue, and how you decide if notification is required.
- Third-party providers: due diligence expectations, minimum contract requirements, and access permissions for vendors.
- Training and compliance: how you train staff and how you monitor/report issues.
Make Sure It Fits With Your Employment Documents
If you have employees, your cyber security policy shouldn’t float in isolation. It should be consistent with:
- confidentiality obligations
- expected standards of conduct
- disciplinary processes (if someone repeatedly ignores security rules)
Many businesses address this by linking policies into the employment relationship from the start, such as by referencing policies in the Employment Contract and maintaining a clear set of workplace rules.
If you use contractors (like IT providers, developers, or virtual assistants), you’ll also want to make sure your Contractor Agreement covers confidentiality, security expectations, and what happens if there’s an incident linked to their access.
Don’t Forget Your Website And Customer Touchpoints
If you collect personal information through your website (contact forms, mailing lists, client portals, bookings, payments), you’ll likely also need clear external documents, including a Privacy Policy and appropriate website terms where relevant.
Your external documents set expectations; your cyber security policy helps you meet them in practice.
How Do I Implement A Cyber Security Policy Without Overwhelming My Team?
This is where many business owners get stuck: you don’t want to roll out a 40-page policy that nobody reads, but you also want real protection.
A good approach is to treat implementation as a simple, repeatable process.
Step-By-Step Implementation Checklist
- Map what you use. List your key systems (email, accounting, CRM, cloud storage, payments, project tools) and who has access.
- Identify what data you hold. Customer contact details, employee records, ID documents, health information, payment info (even partial), etc.
- Pick a “baseline” security standard. For example: MFA on everything, password manager use, device auto-lock, and regular updates.
- Decide who is responsible. Even if you outsource IT, someone internally should own approvals and incident escalation.
- Write the policy in plain English. Use short rules and clear “what to do” steps.
- Train your team. Keep it simple: phishing examples, how to report incidents, and why the rules matter.
- Build it into onboarding and offboarding. New starters should get access the right way, and leavers should have access removed immediately.
- Review and improve. Set a review schedule, and update the policy when your tools or risks change.
Use Practical Rules Your Team Can Follow
Instead of vague rules like “keep information secure”, aim for practical rules like:
- “MFA must be turned on for email, accounting, and any system with customer data.”
- “No sharing passwords via email or chat - use the password manager.”
- “If you receive an invoice change request, confirm by phone using known contact details.”
- “If a device is lost, report it within 30 minutes.”
These are the kinds of rules that actually change behaviour.
Make Sure Your Legal Documents Match Your Reality
It’s also important that your public-facing documents (like privacy statements, terms, and customer contracts) don’t overpromise security measures you don’t actually have in place.
If you’re updating your policies or rolling out new systems, it can be smart to review your key customer-facing terms at the same time - for example, your Website Terms And Conditions if you sell online or run a platform.
Key Takeaways
- A cyber security policy sets clear, practical rules for how your business protects systems and information, and it helps your team respond quickly when something goes wrong.
- Even if there isn’t one law that forces every business to have a cyber security policy, the Privacy Act 2020 expects you to take reasonable steps to keep personal information secure.
- Without a cyber security policy, small gaps (like shared logins, weak offboarding, or inconsistent device security) can turn into expensive and stressful incidents.
- A strong cyber security policy usually covers access controls, passwords and MFA, remote work rules, phishing and email practices, backups, incident response, and third-party provider access.
- Your cyber security policy should align with your wider legal setup - including your Privacy Policy, Employment Contracts, and Contractor Agreements - so your expectations are clear and enforceable.
- The most effective policies are simple, tailored to your systems, and actually implemented through onboarding, training, and regular review.
If you’d like help putting the right cyber security and privacy foundations in place (including policies and the contracts that support them), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.