Beyond the Waiting Room: What Businesses Can Do About Cloud Security Risk Now
2 November, 2025
Some Monday mornings offer something unexpected.
As I typed "Mōrena" in our team chat recently, I found myself in an RNZ radio studio's waiting room, noting the exceptional soundproofing: "I can't hear anything except the water chiller and my phone's keyboard clicks."
Minutes later, I was on air with Kathryn Ryan on Nine to Noon, discussing The Law Association's open letter to the Prime Minister about New Zealand's reliance on cloud computing. RNZ had framed it starkly: the letter warns of "catastrophic and unrecoverable risks of harm."
After listening to Kathryn and Lloyd Gallagher from the Law Association's Technology Committee discuss the letter, I offered my perspective as CEO of Catalyst Cloud, New Zealand's sovereign cloud provider. This is a longer version than the interview had time for.
Where I Agree
There's a genuine protection gap affecting New Zealand businesses regarding cloud data security. The Law Association is right to raise this now, before we experience a major crisis. Their letter has prompted us - and I hope other providers - to review our terms for better transparency.
The cloud market is highly concentrated. It's an oligopoly where a few providers hold most market share. This creates an enormous blast radius - huge concentrations of data make tempting targets for attackers. If it's just a matter of time until any provider is breached, we should debate: how many baskets should a prudent country put all its eggs in? Should any of them be sovereign?
Cyber breaches are 'when, not if'. This is something all cloud providers live with as a daily risk. The threat landscape is persistent and evolving.
Where I Disagree
Cloud infrastructure itself isn't weak. The letter suggests 'weaknesses in essential cloud infrastructure,' but in my experience, cloud infrastructure is robust, hardened, resilient and constantly monitored. Security is a core capability, regularly audited through ISO 27001, PCI DSS, SOC 2, and DIA certifications. These standards are nearly ubiquitous among serious cloud providers.
The greater risk lies in the application layer. Security maturity is more patchy in the software and service layers on top of cloud - the applications between raw cloud 'ingredients' and end customers or consumers. These are the products in which many of us "entrust" our data. Most media stories about breaches I read relate to vulnerabilities in this sector, not the underlying cloud infrastructure itself.
Alternatives do exist. The letter states there is 'no alternative' to dominant providers. That's not accurate. Alternatives exist - Catalyst Cloud is one credible example. The dominant position of multinational clouds is largely the sum of our individual purchasing decisions. We weren't forced into this concentration; we chose it, often valuing price, convenience, or the "safety in numbers" mentality over resilience, fairness, and lower risk.
Jurisdiction matters significantly. Where your cloud provider is domiciled affects both security and recourse. Which country's laws apply? In what country would you need to seek remedy? When things go wrong with an offshore provider, you're facing foreign jurisdictions and foreign law. Operating under New Zealand law means real accountability through New Zealand courts - without the complexity and cost of foreign legal systems.
What This Means for You
Here's what many don't realize: if you're relying on insurance payouts to protect you when you lose your data, there's already been a strategic error. Insurance money won't get your data back. It might not even save your business.
So while we wait for potential Select Committee inquiries and legislative reforms, what can businesses actually do right now?
Step One: Understand Your Current Exposure
Read your actual cloud and SaaS contracts. Not the marketing materials - the actual terms and conditions. Specifically look for:
- Liability and data loss clauses
- Which jurisdiction governs your agreement
- Where disputes would be handled
- What's actually excluded from coverage
Blindly ticking "I agree" doesn't cut it any longer. You need to know what protection you actually have versus what you're assuming you have.
Ask hard questions of your vendors:
- Where is my data stored and processed?
- What incident notification commitments do you make?
- Have you had breaches in the past 3 years, and what happened?
- What's your RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
- Can I see your SOC 2, ISO 27001, or other security certifications?
Many businesses have never asked these questions. Start now.
Don't assume adequate backup is included in your SaaS subscription. Usually it isn't. If you already know this, you're ahead of the pack.
Step Two: Mitigate the Risks You Can Control
Using proven best practices from information security, business continuity, and disaster recovery:
Follow the 3-2-1 backup rule: Three copies of your data, on two different media, with one copy in a different physical location from where the data is mastered. This is non-negotiable for critical data. And here's the key part that most businesses skip: test your restores regularly. I've seen too many businesses discover their backup strategy doesn't actually work only when it's too late.
Increase your cyber security maturity. Start with the Minimum Cyber Security Standards from our National Cyber Security Centre - they're excellent and openly available online. These aren't theoretical; they're practical guidelines developed specifically for New Zealand organizations.
Go multi-cloud. Don't rely on any single provider. If your production systems are on Cloud A, make sure your backups are on Cloud B. Mature environments already deploy this strategy widely. Yes, it adds complexity, but that complexity is your insurance policy.
Diversify critical systems over providers, geographies, and technologies. Consider hybrid approaches where critical data has local copies and you can operate (even in degraded mode) if cloud services become unavailable.
Document your disaster recovery and business continuity procedures - and test them before a real emergency. Run tabletop exercises. What would 24 or 48 hours of system unavailability actually cost your business? If you don't know the answer, you're not prepared.
Train your staff. Multiple people should know your recovery procedures. Don't create a single point of failure in your team. Hold regular tabletop exercises for cyber incidents so when - not if - something happens, people know what to do without panic.
Negotiate for better deals with your vendors. If you can't do this on your own, explore whether group purchasing schemes or demand aggregation mechanisms are available to you.
Review your procurement approach. Do you choose providers strategically, evaluating security posture, jurisdiction, and recourse mechanisms? Or do you only shop on price? The cheapest cloud option often means accepting liability terms written in another jurisdiction with limited recourse under New Zealand law.
Consider provider domicile strategically. For critical data and systems, evaluate whether having a provider operating under New Zealand law matters to you. You have more choice than you might think.
Step Three: Review Your Insurance
Understand your cyber insurance coverage, exclusions, and what actions might reduce your premium. Ask your insurer what you can do to improve your risk profile. But be realistic: insurance is your last line of defense, not your primary strategy. These actions I've outlined will usually be cheaper and always more useful than insurance alone.
On Regulation: Welcome It, But With Caution
We welcome efforts to ensure fair contractual terms and appropriate risk allocation between clients, suppliers, and insurers. The Law Association's recommendations deserve serious consideration.
But care must be taken to deliver real economic benefit to New Zealand. Changing trading laws and increasing compliance costs tends to disproportionately impact small and medium businesses - the very businesses that need protection most.
Here's my concern: allocating more risk to cloud providers sounds good in principle, but could have a chilling effect on New Zealand companies' ability to compete against global providers who operate beyond our regulatory reach.
The question we should be asking isn't "should we regulate cloud providers?" but rather "do we want regulations that apply to all providers serving New Zealanders, or just those domiciled here?"
If Parliament creates minimum standards that only New Zealand companies must meet, while offshore providers continue operating with immunity, that doesn't solve the problem - it just creates competitive disadvantage for local options.
Any regulatory framework needs to consider: how do we enforce standards on providers serving New Zealand customers regardless of where they're domiciled? Otherwise, we risk driving business toward the very concentrated offshore providers whose dominance created this protection gap in the first place.
The Network Effect Myth
The letter mentions network effects and switching barriers as reasons why there's "no alternative" to dominant providers. Let me challenge that.
The network effect might be real for social media platforms, where value comes from everyone being on the same platform. But for cloud infrastructure and many SaaS applications? Open standards and good connectivity significantly reduce that hold. The network effect becomes more excuse than reality.
Yes, there are switching costs. Yes, there's complexity in migration. But these are business decisions, not impossible barriers. Many organizations successfully diversify their cloud strategy or switch providers entirely.
We fall back on the old saying: "Nobody ever got fired for buying IBM." We value safety in numbers. But then we can't really complain about the consequences of that choice.
What Happens Next
The Law Association has requested that Parliament:
- Refer this issue to a Select Committee inquiry
- Seek input from stakeholders - businesses, consumer groups, insurers, cloud providers, cybersecurity experts, and the legal profession
- Advance reforms that ensure fair risk allocation, effective redress, and stronger incentives for prevention
I support this process. These conversations need to happen at a national level. We need more public debate about data, software, cloud infrastructure, and how we allocate liability fairly.
Lloyd's letter has prompted us at Catalyst Cloud to review our own terms for even better transparency. We already negotiate with customers on security and service commitments, and we're committed to continuous improvement.
Full disclosure: our terms include liability limitations similar to what the Law Association describes. No provider can guarantee 100% uptime, zero data loss, or unlimited consequential liability - at least not at current market pricing. The mathematics of cloud economics and insurance simply don't work that way.
But here's the key difference: we're a New Zealand company operating only under New Zealand law. You can talk to us directly - we're approachable and accessible. And if something goes wrong, you have real recourse through New Zealand courts under the Fair Trading Act.
The Bottom Line
The question isn't whether cloud providers should have some liability protections - the question is: what's a reasonable baseline, how do we ensure transparency, and how do we enforce standards on providers serving New Zealand customers regardless of where they're domiciled?
But here's what I want you to take away from this: individual businesses and organizations don't need to wait for regulation.
Take stock of your risk today. Read your contracts. Ask hard questions. Implement the 3-2-1 backup rule and actually test your restores. Go multi-cloud. Document and test your disaster recovery procedures. Train your people.
These actions will leave you better informed, better prepared, and more resilient - regardless of what Parliament decides to do.
The Law Association is right to raise this now, before we have a major crisis. But we can all take action today to close our own protection gaps.
Talk to people like Lloyd and me. Support the open letter. And join this national conversation, because your voice needs to be heard.
New Zealand's digital future - and who bears the risk when things go wrong - is too important to leave to chance.
Paul Seiler is CEO of Catalyst Cloud, New Zealand's sovereign cloud infrastructure provider. Catalyst Cloud operates entirely under New Zealand law and jurisdiction, providing cloud computing services to businesses, government agencies, and organizations across the country.