Cyber Insurance NZ
First-party recovery, third-party liability, ransomware response and Privacy Act 2020 breach-notification cover, arranged by a licensed NZ adviser.
Cyber insurance funds the response to a cyber incident — forensic investigation, system rebuild, customer notification, lost revenue during downtime, claims by affected parties, regulatory work. For most NZ businesses with any digital footprint (card payments, customer records, cloud accounting, a booking system, email-driven workflow) the exposure is non-trivial. The relevant questions are usually 'what does the policy actually cover' and 'what controls are required to keep cover in force' — both of which vary materially across the market.
The NZ cyber-incident landscape
CERT NZ (now part of the National Cyber Security Centre, NCSC) publishes quarterly incident reports that show the actual pattern of attacks reported by NZ businesses. The recurring top-three reported incident types are:
- Phishing and credential harvesting: Targeted email attacks to capture login credentials, often as a precursor to business email compromise or unauthorised access
- Business email compromise (BEC): Attackers gain control of business email, impersonate executives or vendors, and divert payments. Often the highest-loss incident type for SMEs
- Ransomware and unauthorised access: Encryption-for-ransom and broader unauthorised access. Smaller share by count than BEC but the per-incident response cost is high
Free resources for NZ small business: CERT NZ's small business guides cover the baseline controls insurers typically expect. The Office of the Privacy Commissioner publishes guidance on Privacy Act 2020 breach-notification obligations.
What cyber insurance typically covers
First-party cover (your own recovery costs)
- Forensic investigation: Specialist incident-response work to determine how an attack happened, what was compromised, and how to restore systems safely
- System restoration: Rebuilding systems, restoring data, hardening against repeat attack
- Business interruption: Lost revenue and continuing fixed costs during system downtime caused by an insured cyber event
- Data restoration: Cost of recreating lost data — including from backup if recoverable, or from scratch if not
- Ransomware response: Negotiator, forensic, and (subject to wording, sanctions checks and insurer approval) the ransom itself
- Customer notification: Cost of identifying affected individuals and complying with Privacy Act 2020 notification
- PR and reputation: Communications work during and after the incident
Third-party cover (claims by others)
- Privacy liability: Claims by customers, employees or other parties whose data was compromised
- Regulatory investigation: Cost of responding to Privacy Commissioner or other regulator investigations
- Fines and penalties: Subject to wording and NZ law on insurability — some insurers cover where lawful, some exclude entirely
- Network security liability: Claims arising from a security failure that affected third parties (e.g. your compromised system transmitted malware to a customer)
- Media liability: Defamation, IP infringement, and similar claims arising from your digital content
Cyber insurance vs other commercial covers
- vs general business contents: Contents covers physical damage to hardware; cyber covers the data and digital systems themselves. A fire destroys hardware (contents responds); a ransomware attack encrypts data (cyber responds).
- vs business interruption: Standard BI usually requires physical damage as a trigger. Most modern BI wordings exclude cyber-driven interruption. Cyber-specific business interruption (under a cyber policy) fills the gap.
- vs professional indemnity: PI responds to claims arising from your advice or professional services. A breach of a customer's data is usually a cyber-policy event, but if the breach was caused by negligent advice, PI may also respond — modern policies coordinate.
- vs management liability: Management liability covers directors' and officers' decisions. If a director is sued personally over a cyber-incident response, ML responds; the company-level cyber claim is the cyber policy.
Controls insurers typically expect
Cyber insurers increasingly require evidence of basic security controls before binding cover — and may exclude or reduce claims where these controls were absent at the time of an incident. Common minimum expectations:
- Multi-factor authentication (MFA): On email, remote access (VPN, remote desktop) and administrative or privileged accounts. Often mandatory, and often the control an insurer checks first after a claim.
- Endpoint detection and response (EDR) / managed antivirus: Modern endpoint security on all business devices
- Patching cadence: Operating systems and key applications kept current
- Backups: Regular, tested by actually restoring, and isolated from the production environment so that a compromised admin account cannot delete or encrypt them (the 3-2-1 rule is a common baseline: three copies, on two different media, one kept off-site or offline)
- Employee security awareness: Basic training, particularly around phishing recognition
- Incident response plan: Documented response and escalation path, including how and when the insurer is notified (most policies require prompt notification and may require use of the insurer's panel responders)
Insurers vary on which of these are strict requirements versus nice-to-haves; the proposal form will list what your specific insurer expects. Honest disclosure on the proposal matters — misrepresentation can void cover.
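The "tested" part of the backups control is the one most often ticked on a proposal form without evidence behind it. The script below is an added example, not material from this page or from any insurer, of a minimal automated restore test: it backs up a constructed sample data set, records a SHA-256 manifest at backup time, restores the archive into a clean directory and checks every file against the manifest. The directory names, file contents and tar.gz format are assumptions made for the example; pointing the same logic at a real backup job and a real restore target turns it into a scheduled control whose output can be kept as evidence.

```python
"""Backup restore test: added example, not part of any insurer's or broker's material.

Shows the 'tested' part of the backups control: back up a constructed sample
data set, keep a SHA-256 manifest, restore into a clean directory and verify
every file. All paths and file contents below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of source and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: dict[str, str], restore_dir: Path) -> list[str]:
    """Restore archive into restore_dir; return a list of problems (empty list == pass)."""
    # Use the 'data' extraction filter where available (refuses path traversal
    # and device/link tricks); older Pythons fall back to plain extraction.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def run_restore_test(corrupt: bool = False) -> list[str]:
    """End to end: build constructed data, back it up, restore it, verify it.

    corrupt=True tampers with one manifest entry to show what a failing
    restore test reports.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"  # constructed stand-in for the production data set
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (source / "customers.json").write_text('{"id": 1, "email": "a@example.com"}\n')

        archive = base / "backup.tar.gz"
        manifest = make_backup(source, archive)
        if corrupt:
            manifest["customers.json"] = "0" * 64  # simulate a damaged/stale copy

        restore_dir = base / "restore"
        restore_dir.mkdir()
        return restore_and_verify(archive, manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "PASS")
    print("tampered restore:", run_restore_test(corrupt=True))
```

The script proves only that the archive restores and matches; isolation (that the backup copy cannot be reached with the same credentials as production) has to be verified separately, by checking where the copy lives and who can delete it.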
Industries we commonly arrange cyber cover for
- Professional services (advice, financial, legal-adjacent, design)
- Tech, software and SaaS
- Healthcare and allied health (Privacy Act sensitivity is high)
- Retail and e-commerce (card payment exposure)
- Hospitality (booking and POS systems, customer data)
- Education and training providers
- Manufacturing (operational-technology and supply-chain exposure)
For the broader cover picture, see our small business insurance guide, insurance for tech startups, and insurance for e-commerce. For the Privacy Act 2020 context, the Office of the Privacy Commissioner publishes free guidance.
Frequently asked questions
What does cyber insurance cover?
Cyber policies typically cover two sides: first-party costs (your own recovery: forensic investigation, system restoration, data recreation, customer notification, PR, ransomware response, business interruption) and third-party liability (claims by customers, regulators or other affected parties). The mix varies materially by insurer and wording; see the cover breakdown above.
Is cyber insurance worth it for a small business?
Most NZ small businesses with any digital footprint carry meaningful cyber exposure. CERT NZ's quarterly reports consistently rank phishing and credential harvesting, business email compromise (BEC), and unauthorised access including ransomware among the most-reported incident types. A small policy can fund forensic investigation, customer notification under the Privacy Act 2020, and lost-revenue cover during system downtime; for even a modest incident those costs materially exceed the premium.
Does cyber insurance cover Privacy Act 2020 breach notifications?
Yes. Most modern NZ cyber policies include cover for the costs of complying with the Privacy Act 2020 notifiable-privacy-breach obligations (notifying the Privacy Commissioner, notifying affected individuals, public-communications work). Some also cover the cost of a regulatory investigation and any resulting fines or penalties, subject to wording and to NZ law on insurability.
Does cyber insurance pay ransomware demands?
Most NZ cyber policies will fund ransomware response (negotiator, forensics, system rebuild), and some will fund the ransom payment itself, but only subject to the insurer's prior approval, sanctions screening and anti-financial-crime checks. Wording is genuinely diverse on this point and still evolving as the regulatory environment changes. Read the policy wording specifically, and know before an incident who has authority to approve a payment.
What does cyber insurance not cover?
Common exclusions: prior-known incidents (events that began before policy inception), war and nation-state attacks (some policies cover, some exclude), bodily injury (other policies handle this), physical property damage caused by a cyber event (depending on wording, sometimes covered, sometimes excluded), fines and penalties uninsurable under NZ law, and breaches arising from failure to maintain the security controls declared on the proposal (some policies make MFA a condition of cover).
What about cloud and supply-chain exposure?
Cyber policies usually respond to incidents involving your IT environment, including cloud services you use. Supply-chain incidents (your vendor's breach affecting you) are handled differently by different insurers — some include outright, some via a 'dependent business interruption' extension, some exclude. Worth confirming if your business is dependent on a single SaaS provider or cloud platform.
Get cyber insurance quotes
Quotes are arranged by Evolve Group Limited, a licensed Financial Advice Provider (FSP711891). One short form, response within one business day.
Get Free Quotes