New Zealand Tech Users Association Calls for Shift to 'Security by Design' and Stronger System Accountability

TUANZ Calls for "Security by Design" in New Zealand's Digital Future

INFORMATIONAL
June 30, 2026
Policy and Compliance, Security Operations

Related Entities

Organizations

  • Tech Users Association of New Zealand (TUANZ)
  • National Cyber Security Centre (NCSC)

Full Report

Executive Summary

The Tech Users Association of New Zealand (TUANZ) released a Trust and Safety position paper on June 30, 2026, calling for a paradigm shift in New Zealand's national approach to cybersecurity. The paper argues that the current 'user beware' model is unsustainable in the face of rapidly evolving threats. TUANZ is advocating for the government and industry to formally adopt 'security by design' and 'secure by default' principles. This would shift the primary responsibility for security from end-users and small businesses to the providers and designers of digital products and services. The organization warns that without this change, a growing 'equity gap' will leave under-resourced segments of the population increasingly vulnerable to cyberattacks.


Regulatory Details

The position paper is not a new regulation but a policy recommendation aimed at shaping New Zealand's future cybersecurity strategy. It calls for a move beyond awareness campaigns and towards building a digital ecosystem where security is an intrinsic and non-negotiable component. The core tenets of the proposal are:

  • Security by Design: The principle that security should be integrated into products and systems from the very beginning of the design phase, not added as an afterthought.
  • Secure by Default: The idea that products should be shipped with the most secure configuration settings enabled out-of-the-box, requiring users to deliberately weaken security rather than having to strengthen it.
  • System Accountability: A framework for holding technology providers, developers, and service operators responsible for the security of their offerings.

TUANZ suggests that while institutions like the National Cyber Security Centre (NCSC) are valuable, their efforts are not enough to counter the scale and sophistication of modern threats.

Affected Organizations

This proposed policy shift would impact the entire digital ecosystem in New Zealand:

  • Technology Providers and Developers: They would face increased responsibility and potential liability for the security of their products. This would require greater investment in secure software development lifecycles (SDLC).
  • Small and Medium-Sized Enterprises (SMEs): As a key focus of the paper, SMEs would be major beneficiaries. A 'security by design' environment would lower the barrier to achieving a strong security posture, as the tools and services they use would be inherently more secure.
  • Individual Citizens: Individuals, particularly those who are less tech-savvy, would be better protected from scams, fraud, and data theft.
  • New Zealand Government: The government would be responsible for creating the legislative and regulatory framework to enforce these principles.

Impact Assessment

The long-term business and operational impact of adopting TUANZ's recommendations would be significant:

  • Increased Upfront Costs for Developers: Tech companies would need to invest more in security during the development phase, which could increase initial costs.
  • Reduced Downstream Costs for Society: These upfront investments would likely be offset by a massive reduction in the downstream costs of cybercrime, including fraud losses, incident response expenses, and business downtime.
  • Improved National Resilience: A more secure digital ecosystem would make New Zealand a less attractive target for cybercriminals and enhance its overall economic and national security.
  • Closing the 'Security Equity Gap': The paper warns that the current trajectory is creating an 'equity gap,' where only well-resourced organizations can afford adequate protection. The proposed shift aims to close this gap by raising the baseline level of security for everyone.

Compliance Guidance

For organizations looking to align with the principles advocated by TUANZ, the guidance is to be proactive:

  1. Adopt Secure SDLC: For technology producers, this means integrating security into every stage of the development process, from threat modeling in the design phase to penetration testing before release.
  2. Prioritize Secure Configurations: When deploying new systems, always choose the most secure settings by default. Avoid configurations that trade security for convenience unless absolutely necessary and the risk is accepted.
  3. Procurement Policies: For technology consumers, update procurement policies to favor vendors who can demonstrate a commitment to 'security by design'. Ask potential vendors about their secure development practices and demand transparency.
  4. Advocate for Change: Support industry and government initiatives that promote stronger system-level accountability for cybersecurity.

This approach represents a maturation of cybersecurity thinking, moving from a reactive, incident-driven model to a proactive, engineering-based one.

Timeline of Events

  1. June 30, 2026: TUANZ releases its Trust and Safety position paper.
  2. June 30, 2026: This article was published.


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Security by Design, Policy, New Zealand, TUANZ, Cybersecurity Strategy, SME
