Short answer: New Zealand professional services firms should treat frontier AI as a reason to strengthen cyber basics now: MFA, least-privilege access, patching, monitoring, recovery testing, incident response, and AI governance. Those controls protect the systems where client confidentiality, reputation, and daily operations already sit.

What this helps you check

Use this as a practical starting point for a calmer internal review.

  • MFA, patching, monitoring, and recovery
  • Microsoft 365 permissions before AI expands visibility
  • Leadership decisions before a cyber incident

New Zealand's National Cyber Security Centre has put a sharper frame around a risk many firms are already thinking about: AI is not only changing how teams work, it is changing how quickly cyber risk can move.

On 23 June 2026, NCSC joined Five Eyes cyber security partners in a call to action on AI preparedness. The message was not that every organisation needs to panic or buy the newest tool. It was that leaders should understand their risk, strengthen foundational controls, give cyber leaders enough authority and resources, and stay engaged as the threat environment changes.

For legal, financial, and advisory firms, that is a practical business issue. These firms hold sensitive client information, depend heavily on Microsoft 365, and often make high-pressure decisions through email, documents, Teams, SharePoint, and specialist systems.

The question is not "Are we using frontier AI?" The better question is: if AI-enabled threats make scanning, phishing, vulnerability discovery, or exploitation faster, are the firm's basic controls ready?

The latest NZ signal

NCSC's 22 June 2026 Q1 Cyber Security Insights update reported three highly significant incidents in the first quarter of 2026, the first incidents of that category since the 2021/22 financial year. It also reported 1,164 incidents for the quarter, with phishing and credential harvesting the most common incident type.

NCSC also noted that direct financial loss for Q1 2026 totalled $5.6 million, up 76% from the previous quarter. That figure is not a prediction for any one firm. It is a reminder that identity, email, payment, access, and incident-readiness controls still matter every day.

What stands out is how ordinary the recommended starting points are. NCSC highlighted multi-factor authentication, managing full access to networks, protecting network edges, and getting basic security measures in place.

That is where professional services firms should start too.

1. Confirm MFA is actually enforced

Most firms believe they have multi-factor authentication. The useful check is whether it is enforced consistently across the accounts and systems that matter.

Look at email, Microsoft 365, remote access, administrator accounts, practice-management systems, finance systems, cloud storage, and any third-party tools that hold client information. Check former staff, contractors, shared mailboxes, service accounts, and external collaborators as well.

MFA should not be treated as a one-time setup. It should be part of a regular identity review.

2. Review who has broad access

AI-connected tools can make poor information governance more visible. If too many people can already access sensitive folders, AI may simply surface what the permissions already allow.

That makes access review a practical priority. Firms should know who can access client files, finance folders, HR records, leadership documents, archived matters, and shared mailboxes. They should also know which external guests, old links, and administrator roles are still active.

The goal is not to slow the team down. It is to make sure access reflects the work people genuinely need to do.

3. Patch the systems that carry firm risk

NCSC's frontier AI guidance points to a world where known weaknesses may be found and exploited faster. For smaller and mid-sized professional services firms, patching can easily become invisible until something breaks.

A practical patching process should cover laptops, servers, firewalls, remote access tools, core business applications, browser updates, plugins, and security tools. The firm should know what is patched automatically, what needs manual oversight, and what is no longer supported.

If an old system cannot be patched, that should be a risk decision, not an accident.

4. Watch for unusual behaviour

Many incidents are not immediately obvious. A mailbox rule forwards messages. A guest account signs in from an unusual location. A staff member approves an MFA prompt they did not initiate. A file-sharing link is used unexpectedly.

Professional services firms should have enough visibility to notice abnormal activity in the systems they rely on most. That often means reviewing Microsoft 365 alerts, sign-in logs, email rules, impossible-travel signals, privileged account activity, and unusual file sharing.

The aim is not constant noise. The aim is to see the things that would matter.

5. Make recovery a tested process

Backups are only useful if the firm knows what they cover and how quickly important data can be restored.

That includes email, shared files, practice-management data, finance records, laptops, key cloud systems, and any documents stored outside the main environment. Firms should test recovery before they need it, and they should know who can approve a restore during an incident.

A backup that has never been tested is still an assumption.

6. Put AI use inside governance

AI adoption should not sit outside the firm's normal security and privacy decisions. Staff need simple rules on approved tools, confidential information, client data, human review, record keeping, and when to ask for help.

For Microsoft 365-connected AI tools, the governance work should also include permissions, retention, sensitivity labels, external sharing, and which repositories the tool can search.

Safe AI is not just a policy. It is policy plus configuration, training, access control, and review.

What should firm leaders do this month?

A calm starting point is a short readiness review. Ask six questions:

  • Is MFA enforced for every important system and privileged account?
  • Can we see and justify who has access to sensitive client and firm information?
  • Are our exposed systems and core applications patched within a clear timeframe?
  • Would we notice suspicious sign-ins, mailbox rules, or unusual file sharing?
  • Have we tested recovery for the systems the firm cannot operate without?
  • Are AI tools governed by clear rules and Microsoft 365 permissions that make sense?

If several answers are unclear, that is a useful signal. It does not mean the firm has failed. It means there is practical work to prioritise before an incident creates urgency.

Common questions

What should NZ professional services firms check after NCSC's June 2026 AI and cyber updates?

Firms should check MFA enforcement, broad access permissions, patching, monitoring, backup recovery, incident response, and AI governance. These are practical technology controls, not legal or regulatory advice.

Why does Microsoft 365 governance matter for frontier AI readiness?

Microsoft 365 often holds email, files, Teams conversations, SharePoint sites, and client records. AI-connected tools can surface information based on existing permissions, so access and sharing settings need regular review.

Is this article legal, financial, regulatory, privacy, or compliance advice?

No. The article is general technology-risk information for New Zealand professional services firms. Firms should take appropriate professional advice for their own obligations and circumstances.

Source note

This article is based on official NCSC New Zealand material published in June 2026: Leaders of Five Eyes Cyber Security Agencies Call to Action on AI Preparedness (23 June 2026), Quarter One sees significant cyber incidents (22 June 2026), and Cyber readiness in the Frontier AI era (4 June 2026).

Compliance note: This article is general information only. It is technology-risk guidance, not legal advice, financial advice, regulatory advice, privacy advice, or compliance advice. Firms should take appropriate professional advice for their own obligations and circumstances.