In key findings from the report:

The total financial losses reported to Cert NZ were below those found by a Ministry of Business, Innovation and Employment (MBIE) survey on digital scams related to banks.

That survey drew on data supplied directly by ASB, ANZ, BNZ, Kiwibank, Westpac and others and found $198m in losses in 2023.

A Netsafe-Global Anti-Scam Alliance (GASA) survey of 1857 New Zealanders that extrapolated estimated total losses from digital scams at $2.3 billion for the year to August 2024.

Former Cert NZ director Rob Pope (now WorkSafe inspectorate head) conceded his organisation’s figures were just the “tip of the iceberg” due to sheepishness about reporting being scammed and relatively low public awareness of the option to report a scam to his agency.

The Netsafe-GASA survey found many members of the public confused about where to report cyber-incidents – and they could be forgiven for not being able to keep up with recent changes.

Cert NZ – the Computer Emergency Response Team – was created by Sir John Key’s Government in 2016 as a “triage” unit to point small businesses and individuals to the right technical and law enforcement support after suffering a cyber attack.

In the final months of the last Government, GCSB Minister Andrew Little announced that Cert NZ would be folded into the spy agency’s National Cyber Security Centre.

The integration was recently completed, with Pope’s position as Cert NZ director not replaced. The operation is now under NCSC director of mission enablement Michael Jagusch.

The Cert NZ brand will be phased out, the NCSC told the Herald (for the time being, reports have NCSC-Cert NZ co-branding).

The Cert NZ reporting website will remain under its current livery, for the time being, but the Cert NZ “Own Your Online” tips website has (keep up) already been rebranded NCSC.

Meanwhile, more changes could be on the way, given Commerce and Consumer Affairs Minister Andrew Bayly is currently reviewing how multiple agencies co-operate in their response to scams.

Does Cert NZ’s new management think incidents are being under-reported?

“It is certainly the case that not all incidents are reported, not just here in Aotearoa but globally. Our surveys showed almost half of our respondents experienced a recent cyber security incident, but this volume is not reflected in our reporting numbers,” Jagusch told the Herald.

“Reporting is important to us to understand the threats that are out there, so we can warn others about them, and take actions to disrupt them.”

How is the NCSC encouraging more people to report incidents?

“Through our publications and campaigns, we constantly encourage New Zealanders to report any cyber security incident, big or small to us. Since the beginning of October, we have been reminding people how and where to report, through a small advertising campaign.

“We saw a significant increase in reporting in Q3 and we urge the New Zealand public to keep those reports coming. Increased reporting helps us in understanding the cyber threat landscape better and in shaping our response these threats,” Jagusch.

Some Cert NZ positions ‘disestablished’

In mid-2023, Little positioned Cert NZ’s integration with the NCSC as a move to streamline its response rather than to cut bodies. The integration wrapped up in July.

The NCSC told the Herald last month: “Establishing an integrated structure for New Zealand’s lead operational cyber security agency has enabled the functions of the NCSC and Cert NZ to be brought together to provide cyber security services to all New Zealanders – from individuals through to nationally significant organisations.

“This integration process has meant that some positions were disestablished, and new positions were created. All staff working for the NCSC (including Cert NZ staff) at the time of implementing the new structure from July 2024, were offered roles.”

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.