CERT NZ Critical Controls — What Cyber Insurers Now Underwrite Against

Published 18 May 2026 · By Stewart Hunt, FCIB (FSP748591)

Over the past three years, NZ cyber insurers have converged on CERT NZ's 10 Critical Controls as the underwriting baseline. If your business can evidence the controls, you can typically buy cyber cover at NZ market rates; if you can't evidence the controls, expect either a decline, a heavily-loaded premium, or a quote with major sub-limits applied. This guide walks each control, what insurers ask about on application, and how to evidence each one in plain English. The CERT NZ framework itself is the primary source — always read it alongside this summary.

Why insurers care about CERT NZ controls

NZ cyber insurers have analysed their claims data and found that the same handful of control failures sit behind most claims: phished credentials, unpatched internet-facing services, missing MFA on admin accounts, no backups (or backups reachable with the same domain credentials the attacker already holds, so they are encrypted along with everything else), and no incident-response plan. CERT NZ's controls map closely to those failure modes. From an underwriter's perspective, an applicant who can evidence the 10 controls represents a substantially lower expected loss cost than one who can't. The CERT NZ Quarterly Cyber Threat Report reinforces this: ransomware, phishing, and unauthorised-access incidents account for the vast majority of reported events, and the controls below directly target those vectors.

The 10 Critical Controls — and what insurers ask about each

1. Patch your software and systems

What CERT NZ says: Apply security patches within defined timeframes; prioritise internet-facing systems.
Application question: "Do you patch internet-facing systems within 14 days of vendor release? What's your patch cadence for internal systems?"
How to evidence: Screenshot of your patch-management tooling (Intune, Patch Manager Plus, Automox); a written patch policy; or third-party MSP attestation.
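
The "within 14 days" question is easier to answer with a number than a screenshot. The script below is an added example, not CERT NZ's material or this guide's own: it takes an export of patch records (host, exposure class, vendor release date, install date or still pending) and reports every SLA breach plus a per-class compliance rate. The hostnames, patch identifiers and the 30-day SLA for internal systems are constructed assumptions; the 14-day figure is the one the application question uses.

```python
"""Patch-SLA evidence check (added example, not from CERT NZ or the original page).

Input: one record per (host, patch) from whatever patch tool you export from.
Output: the records that breached the SLA and a per-exposure compliance rate,
which is the number an underwriter's "within 14 days" question is really about.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLA windows. 14 days matches the insurer question in the text;
# 30 days for internal systems is an illustrative assumption, not CERT NZ's figure.
SLA_DAYS = {"internet-facing": 14, "internal": 30}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    exposure: str            # "internet-facing" or "internal"
    patch: str               # vendor patch identifier (constructed values below)
    released: date           # vendor release date
    applied: Optional[date]  # None while the patch is still pending


def days_to_patch(rec: PatchRecord, today: date) -> int:
    """Days from vendor release to install, or to today if still pending."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def sla_breaches(records, today):
    """(host, patch, days, sla_days) for every record past its SLA, worst first.
    A patch that is still pending counts against the SLA just like a late install."""
    out = []
    for rec in records:
        if rec.exposure not in SLA_DAYS:
            raise ValueError(f"{rec.host}: unknown exposure class {rec.exposure!r}")
        sla = SLA_DAYS[rec.exposure]
        days = days_to_patch(rec, today)
        if days > sla:
            out.append((rec.host, rec.patch, days, sla))
    return sorted(out, key=lambda b: b[2], reverse=True)


def compliance_rate(records, today):
    """Percentage of records within SLA, keyed by exposure class, rounded to 0.1."""
    totals = {}
    for rec in records:
        within = days_to_patch(rec, today) <= SLA_DAYS[rec.exposure]
        ok, n = totals.get(rec.exposure, (0, 0))
        totals[rec.exposure] = (ok + int(within), n + 1)
    return {k: round(100.0 * ok / n, 1) for k, (ok, n) in totals.items()}


# Constructed sample export: hostnames and patch IDs are made up.
TODAY = date(2026, 5, 18)
SAMPLE = [
    PatchRecord("vpn-gw-01", "internet-facing", "SEC-2026-017", date(2026, 4, 1), date(2026, 4, 10)),
    PatchRecord("vpn-gw-01", "internet-facing", "SEC-2026-023", date(2026, 4, 20), None),
    PatchRecord("web-01", "internet-facing", "SEC-2026-025", date(2026, 5, 1), date(2026, 5, 12)),
    PatchRecord("fs-01", "internal", "SEC-2026-009", date(2026, 3, 1), date(2026, 4, 15)),
    PatchRecord("hr-db-01", "internal", "SEC-2026-024", date(2026, 4, 25), None),
]

if __name__ == "__main__":
    for host, patch, days, sla in sla_breaches(SAMPLE, TODAY):
        print(f"BREACH {host} {patch}: {days} days outstanding (SLA {sla})")
    print("compliance by exposure class:", compliance_rate(SAMPLE, TODAY))
```

On the constructed data the internet-facing VPN gateway has a patch 28 days old and still pending, which is the kind of record an underwriter will ask about even when the overall rate looks acceptable.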

2. Implement multi-factor authentication (MFA)

What CERT NZ says: MFA on all remote access, all administrative accounts, and all email/cloud platforms.
Application question: "Is MFA enforced on 100% of admin accounts? On 100% of remote-access (VPN, RDP, M365)? On all webmail and SaaS?"
How to evidence: Microsoft Entra ID (formerly Azure AD) Conditional Access policy screenshots showing MFA required for every admin role, with the policy enabled rather than report-only and without an OR-grant that lets a compliant device substitute for MFA; VPN/RDP gateway MFA configuration; MSP attestation.
Underwriting impact: No MFA on admin accounts is the single most common decline reason in 2024-2026 cyber underwriting.
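
A screenshot proves a policy exists; it does not prove the policy enforces MFA on every admin role. The check below is an added example, not CERT NZ's, Microsoft's or this guide's own code. It runs over the JSON returned by Microsoft Graph `GET /identity/conditionalAccess/policies`; the three policies here are constructed, and the role template GUIDs are the well-known Entra built-in ones but should be verified against your tenant. It treats report-only policies as non-enforcing and an OR grant of `mfa` plus another control as not strictly requiring MFA.

```python
"""Conditional Access MFA-coverage check (added example; not from CERT NZ, Microsoft
or the original page). Reports admin roles for which no enabled policy strictly
requires MFA across all cloud apps."""
import json

# Entra built-in role template IDs. Assumption: verify these against your tenant's
# directoryRoleTemplates before relying on the result.
ADMIN_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c": "SharePoint Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}


def strictly_requires_mfa(policy):
    """True only if every sign-in matched by this policy must satisfy MFA.
    Report-only policies enforce nothing. A grant with operator OR and more than
    one control (e.g. mfa OR compliantDevice) lets a compliant device skip MFA."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if grant.get("authenticationStrength"):
        # An authentication-strength grant is MFA or stronger; it only counts as
        # strict when no weaker alternative control is OR'd alongside it.
        return grant.get("operator") == "AND" or not controls
    if "mfa" not in controls:
        return False
    return len(controls) == 1 or grant.get("operator") == "AND"


def covers_role(policy, role_id):
    """True if the policy targets this role for all cloud apps and does not exclude it.
    Any excluded application is treated as a hole, so the check stays strict."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        return False
    if apps.get("excludeApplications"):
        return False
    targeted = ("All" in (users.get("includeUsers") or [])
                or role_id in (users.get("includeRoles") or []))
    return targeted and role_id not in (users.get("excludeRoles") or [])


def admin_mfa_gaps(policies, admin_roles=ADMIN_ROLES):
    """Sorted names of admin roles with no enabled, strict-MFA, all-apps policy."""
    enforcing = [p for p in policies if strictly_requires_mfa(p)]
    return sorted(name for rid, name in admin_roles.items()
                  if not any(covers_role(p, rid) for p in enforcing))


# Constructed policies in the Graph JSON shape. The excluded user in the first
# policy stands in for a break-glass account; list and review such exclusions.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for admins", "state": "enabled",
  "conditions": {
    "users": {"includeUsers": [], "excludeUsers": ["00000000-0000-0000-0000-00000000b1e5"],
              "includeRoles": ["62e90394-69f5-4237-9190-012177145e10",
                               "29232cdf-9323-42fd-ade2-1d097af3e4de"],
              "excludeRoles": []},
    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}},
 {"displayName": "MFA or compliant device for all users", "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": [], "excludeRoles": []},
    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"],
                    "authenticationStrength": null}},
 {"displayName": "Require MFA for SharePoint admins", "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": [], "excludeUsers": [],
              "includeRoles": ["f28a1f50-f6e7-4571-818b-6a12f2af6b6c"], "excludeRoles": []},
    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}}
]""")

if __name__ == "__main__":
    for role in admin_mfa_gaps(SAMPLE_POLICIES):
        print(f"GAP: no strict MFA policy covers {role}")
```

On the constructed tenant the "all users" policy looks like MFA coverage but is really "MFA or a compliant device", and the SharePoint policy is still in report-only mode, so two of the four admin roles come back as gaps.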

3. Provide and use a password manager

What CERT NZ says: Deploy an enterprise password manager; ban password re-use; rotate compromised credentials.
Application question: "What password manager is deployed, and what % of staff use it?"
How to evidence: 1Password Business / Bitwarden / LastPass usage reports; written policy banning password re-use across personal and work accounts.

4. Configure logging and alerting

What CERT NZ says: Centralised logs from endpoints, network gear, and identity systems; alerting on anomalous access patterns.
Application question: "Do you have SIEM or equivalent centralised logging? What's the retention window? Who reviews alerts?"
How to evidence: Microsoft Sentinel / Splunk / Wazuh / Elastic deployment evidence; an MSP SOC contract; or a written logging policy with retention period.
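
"Who reviews alerts?" presupposes there are alerts worth reviewing. The script below is an added example, not part of CERT NZ's guidance or this guide: two rules over an Entra sign-in log export in JSON-lines form (the lines are constructed; field names follow the Graph signIn resource). It flags a password spray from one source IP, escalates if that IP then gets a successful sign-in, and flags any privileged account that signed in without MFA. The `admin-` naming convention for separate admin accounts is an assumption.

```python
"""Two alert rules over an Entra sign-in log export (added example; not CERT NZ's,
Microsoft's or the original page's detection content).

Rule 1: password spray - one source IP failing against >= 3 distinct accounts
        within 10 minutes, escalated if the same IP later signs in successfully.
Rule 2: a privileged account whose successful sign-in did not satisfy MFA.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_ACCOUNTS = 3
SPRAY_WINDOW = timedelta(minutes=10)
INVALID_CREDENTIALS = 50126   # Entra error code: invalid username or password
ADMIN_PREFIX = "admin-"       # assumption: separate admin accounts are named admin-<user>


def parse_events(lines):
    """Parse JSON-lines sign-in records into a time-ordered list of dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00")),
            "upn": e["userPrincipalName"].lower(),
            "ip": e["ipAddress"],
            "code": e["status"]["errorCode"],
            "auth": e.get("authenticationRequirement", ""),
        })
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events):
    """Return alerts as tuples: (rule, source_ip, detail)."""
    alerts = []
    failures = defaultdict(list)   # ip -> [(ts, upn)] failures inside the window
    sprayers = set()
    for e in events:
        if e["code"] == INVALID_CREDENTIALS:
            window = [(ts, u) for ts, u in failures[e["ip"]] if e["ts"] - ts <= SPRAY_WINDOW]
            window.append((e["ts"], e["upn"]))
            failures[e["ip"]] = window
            victims = {u for _, u in window}
            if len(victims) >= SPRAY_ACCOUNTS and e["ip"] not in sprayers:
                sprayers.add(e["ip"])
                alerts.append(("password_spray", e["ip"], len(victims)))
        elif e["code"] == 0:
            if e["ip"] in sprayers:
                alerts.append(("spray_success", e["ip"], e["upn"]))
            if e["upn"].startswith(ADMIN_PREFIX) and e["auth"] != "multiFactorAuthentication":
                alerts.append(("admin_single_factor", e["ip"], e["upn"]))
    return alerts


# Constructed sample export (TEST-NET addresses, made-up accounts).
SAMPLE_LOG = """
{"createdDateTime":"2026-05-18T09:00:01Z","userPrincipalName":"alice@example.co.nz","ipAddress":"203.0.113.7","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-05-18T09:00:03Z","userPrincipalName":"bob@example.co.nz","ipAddress":"203.0.113.7","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-05-18T09:00:05Z","userPrincipalName":"carol@example.co.nz","ipAddress":"203.0.113.7","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-05-18T09:00:09Z","userPrincipalName":"dave@example.co.nz","ipAddress":"203.0.113.7","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-05-18T09:01:10Z","userPrincipalName":"dave@example.co.nz","ipAddress":"203.0.113.7","status":{"errorCode":0},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-05-18T09:30:00Z","userPrincipalName":"admin-erin@example.co.nz","ipAddress":"198.51.100.20","status":{"errorCode":0},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-05-18T09:40:00Z","userPrincipalName":"frank@example.co.nz","ipAddress":"198.51.100.21","status":{"errorCode":0},"authenticationRequirement":"multiFactorAuthentication"}
"""


def run_sample():
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for rule, ip, detail in run_sample():
        print(f"ALERT {rule}: {ip} {detail}")
```

The spray alert fires on the third distinct account rather than waiting for the attacker to finish; the later success from the same IP is what should page someone, because that is a credential compromise in progress rather than noise.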

5. Use asset lifecycle management

What CERT NZ says: Inventory all assets; remove unsupported software; decommission devices securely.
Application question: "Do you maintain an asset register? When was end-of-life software last audited?"
How to evidence: Asset-management tool (Lansweeper, Snipe-IT, Intune device inventory); annual EOL audit document.

6. Implement application allow-listing or control

What CERT NZ says: Restrict which applications can execute on endpoints to known-good lists.
Application question: "Is application allow-listing or EDR with allow-list capability deployed?"
How to evidence: Microsoft AppLocker / WDAC config; SentinelOne / CrowdStrike / Sophos Intercept X allow-list deployment; or an MSP attestation.
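
Insurers ask whether allow-listing is "deployed"; an AppLocker policy whose collections sit in AuditOnly mode, or that still carries a catch-all allow rule from rollout, is deployed but blocks nothing. The check below is an added example, not CERT NZ's, Microsoft's or this guide's own, and runs over the XML produced by `Get-AppLockerPolicy -Effective -Xml`. The sample policy is constructed.

```python
"""AppLocker policy evidence check (added example; not from CERT NZ, Microsoft or the
original page). Flags rule collections that are not enforcing and Allow rules whose
path condition is a bare wildcard, which allow-lists everything in that collection."""
import xml.etree.ElementTree as ET

# The five AppLocker rule collections; a collection absent from the XML is NotConfigured.
COLLECTIONS = ("Exe", "Msi", "Script", "Dll", "Appx")


def enforcement_gaps(policy_xml):
    """(collection, mode) for every collection whose mode is not Enabled."""
    root = ET.fromstring(policy_xml)
    modes = {rc.get("Type"): rc.get("EnforcementMode", "NotConfigured")
             for rc in root.iter("RuleCollection")}
    return [(c, modes.get(c, "NotConfigured")) for c in COLLECTIONS
            if modes.get(c) != "Enabled"]


def overbroad_allow_rules(policy_xml):
    """(collection, rule name, path) for Allow rules that match any path at all."""
    root = ET.fromstring(policy_xml)
    hits = []
    for rc in root.iter("RuleCollection"):
        for rule in rc.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePathCondition"):
                path = (cond.get("Path") or "").strip()
                if path in ("*", "*.*"):
                    hits.append((rc.get("Type"), rule.get("Name"), path))
    return hits


# Constructed policy: Exe is enforcing but carries a placeholder allow-all rule,
# Msi is audit-only, Script is explicitly not configured, Dll and Appx are absent.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001"
                  Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002"
                  Name="Rollout placeholder: allow all"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

if __name__ == "__main__":
    for collection, mode in enforcement_gaps(SAMPLE_POLICY):
        print(f"NOT ENFORCING: {collection} is {mode}")
    for collection, name, path in overbroad_allow_rules(SAMPLE_POLICY):
        print(f"ALLOW-ALL: {collection} rule {name!r} matches {path}")
```

Run it against the effective policy from a sample of endpoints, not just the policy object in Group Policy or Intune, since a machine that never received the policy reports every collection as NotConfigured.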

7. Enforce the principle of least privilege

What CERT NZ says: Day-to-day accounts have minimum necessary access; admin actions use separate accounts.
Application question: "Do administrators use separate admin accounts from day-to-day accounts? How often are privileged accounts reviewed?"
How to evidence: Microsoft Entra Privileged Identity Management (PIM, formerly Azure AD PIM) screenshots showing admin roles as eligible assignments that are activated on demand rather than permanently active; a written role-based-access-control policy; or an annual access-review report.

8. Configure secure backups

What CERT NZ says: Backups follow the 3-2-1 rule (3 copies, on 2 media types, with 1 copy offsite), at least one copy is offline or immutable so that an attacker holding domain-admin credentials cannot encrypt or delete it, and restoration is tested regularly.
Application question: "Are backups immutable or offline? When was the last full restoration test? Are backup credentials separate from domain credentials?"
How to evidence: Veeam / Datto / Backblaze immutable-backup configuration; quarterly restoration-test logs; a written backup policy noting separate credentials.
Underwriting impact: Backups that a compromised domain credential can reach (and therefore encrypt or delete along with production data) are the second-most-common claim driver after missing MFA on admin accounts. Insurers ask specifically whether backup credentials are separate from domain credentials.

9. Implement network segmentation

What CERT NZ says: Separate untrusted, internal, and sensitive networks; restrict lateral movement.
Application question: "Are sensitive systems segmented from general user networks?"
How to evidence: Network diagram showing VLAN/firewall segmentation; a written segmentation policy.

10. Prepare and test an incident-response plan

What CERT NZ says: Have a documented incident-response plan; run tabletop exercises; pre-arrange specialists.
Application question: "Do you have a written IR plan? When was the last tabletop? Who is your IR firm?"
How to evidence: Written IR plan with named roles, escalation paths, and vendor contacts; tabletop-exercise summary; an MSP / vCISO IR retainer agreement.

What happens if you can't evidence all 10?

NZ cyber underwriters have differing thresholds. Specialist cyber managers (Delta, Dual, Chubb) will often work with applicants who attest to 6-8 of the 10 controls with a remediation plan for the rest, sometimes at a premium load. Generalist commercial insurers (NZI, QBE, Zurich) tend to require closer to 8-10 of 10 for any cover at all, particularly on businesses above mid-size. Either way, getting MFA-on-admin (control 2) and immutable backups (control 8) right is non-negotiable across the panel — these two controls correlate most strongly with claims experience.

The NZISM connection

For government suppliers and businesses handling regulated data, the New Zealand Information Security Manual (NZISM) sets a higher bar; it is published by the NCSC, which is part of the GCSB. NZISM compliance maps to roughly 80% of CERT NZ's 10 controls but goes further on cryptographic standards, supply-chain risk, and physical security. For most NZ SMEs, CERT NZ's 10 controls are the practical baseline; NZISM compliance becomes relevant once you contract to government or hold sensitive personal data at scale.

Bringing it back to insurance

A well-prepared cyber insurance application that addresses each of the 10 controls — with evidence ready when underwriters ask — typically produces:

FCIB's standard application process walks through the 10 controls during the initial conversation; if your business has gaps, we can usually scope a 60-90-day remediation plan that gets you to quote-ready. That conversation costs nothing.

Primary sources cited in this guide

Disclaimer: This article is general information, not personalised cybersecurity or insurance advice. Insurer underwriting practices vary; your broker's assessment of which insurers will quote your business is specific to your control posture, sector, and revenue size. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB Disclosure Statement.

Apply with confidence

If you're ready to apply for cyber cover, we'll help you map your controls to the application questions. Free quote, no obligation.
