Ngā ngaronga me te tūkinotanga Loss and harm

The total impact of cyber security threats is difficult to quantify. This year the NCSC prevented an estimated $38.8 million of loss while also receiving reports of $21.6 million of direct loss. Due to under-reporting of cyber incidents, the NCSC recognises this is only a small proportion of the overall harm.

Harm prevention through response to incidents of potential national significance

In 2023/2024, the detection, disruption and threat intelligence services the NCSC provides prevented an estimated $38.8 million of harm to Aotearoa New Zealand’s nationally significant organisations. This figure reflects incidents where the NCSC’s detection of malicious cyber activity or engagement with victims likely prevented future harm. Since 2016, the NCSC has prevented approximately $421 million worth of harm to significant organisations across New Zealand.

The model used to estimate harm factors in important impacts such as losses caused by intellectual property theft, including copyright and patent infringement. While assigning a dollar value to harm prevention can provide a useful benchmark, many of the impacts of cyber harm are intangible. Loss of public confidence and trust, reduced health and wellbeing, and hesitance to adopt new technologies can all eventuate when cyber resilience is low.

Several potential factors may explain the difference between this year's estimated harm prevention and the $65.4 million figure for 2022/2023. In 2023/2024, the NCSC recorded fewer significant incidents. Equally, many organisations were able to respond to incidents with less intervention from the NCSC. Another potential contributing factor is the year-to-year variation in victim organisations and the differing criticality of their roles and services.

Direct financial loss reported through incidents handled through the general triage process

The NCSC records the direct financial loss reported by victims, whether lost to scams or the cost of recovery (including IT contractors). Across the 6779 incidents handled through the NCSC’s general triage process, the direct financial loss reported in 2023/2024 totalled $21.6 million, decreasing from $22.4 million in 2022/2023.

Of the incidents reporting a loss value, 63% were below $500. Of the 40 incidents involving losses of $100,000 or more, 17 related to a scam concerning an offer of a job, business or investment opportunity, 8 related to cryptocurrency scams, 4 related to dating or romance scams, 4 related to unauthorised access, 3 related to buying, selling, or donating goods online, 1 related to denial-of-service, and 1 related to inheritance scams.

Although the number of incidents handled through the NCSC’s general triage process in 2023/2024 decreased by 12.5%, the total direct financial loss across all incidents was comparable to 2022/2023. This meant that the average direct financial loss per incident increased significantly, from $14,000 to $25,500. In 2023/2024, individuals reported a total direct financial loss of $20.1 million, compared to organisations reporting a total of $1.2 million.

Another trend was an 81% increase in the total financial loss reported for incidents where there was unauthorised access to systems and/or networks – an increase from $2.7 million to $4.9 million. The total loss from investment scams increased from $1.6 million in 2022/2023 to a total of $4 million in 2023/2024. In demographic terms, the total amount of financial loss reported in the age 65+ band doubled from $2 million in 2022/2023 to $4 million in 2023/2024.

The NCSC has recorded several types of loss amongst the incidents handled through the general triage process:

  • 1674 financial loss incidents: this includes not only money lost as a direct result of an incident, but also the cost of recovery, for example the cost of contracting IT security services. 
  • 245 data loss incidents: loss or unauthorised copying of data, business records, and intellectual property.
  • 66 reputational loss incidents: damage to the reputation of an individual or organisation as a result of the incident.
  • 42 operational impact incidents: the time, staff and resources spent on recovering from an incident, taking people away from normal business operations.
  • 11 technical damage incidents: impacts on services like email, phone systems or websites, resulting in disruption to a business or organisation.
  • 62 other loss incidents: includes types of loss not covered in other categories.