CERT NZ Quarterly Threat Report — What the Data Says About NZ Cyber Insurance

CERT NZ's Quarterly Cyber Threat Report is the most authoritative public record of cyber incidents reported by New Zealand businesses and individuals. Each quarter, CERT NZ publishes a category breakdown — phishing, scams, ransomware, unauthorised access, malware, command-and-control activity, suspicious network traffic — alongside an estimated financial-loss tally where reported. For anyone shopping for cyber insurance, the Quarterly Report is the single best document for grounding your sense of "what actually happens to NZ businesses" versus the marketing narrative. This guide walks how to read it, and how each category maps to what a cyber insurance policy will and won't pay for.

How CERT NZ collects and categorises incidents

CERT NZ — formally Computer Emergency Response Team New Zealand, established under the Department of Internal Affairs in 2017 — accepts incident reports through its public portal and through a triage line for business victims. Reports come from a mix of individuals, SMEs, and larger enterprises; the data is voluntary, so it under-represents the true NZ incident volume (many incidents go unreported, especially when an organisation chooses not to disclose or when the incident is contained internally). Despite this caveat, CERT NZ remains the most consistent NZ-specific dataset available, and its category taxonomy has stayed stable enough quarter-to-quarter that trend analysis is meaningful.

Each Quarterly Report contains:

• Total incidents reported for the quarter
• Direct financial losses reported (a sum of what reporters told CERT NZ they had lost — an under-count, since indirect losses, downtime, and recovery costs are typically excluded)
• Category breakdown — phishing/credential harvesting, scams, unauthorised access, ransomware, malware, suspicious network traffic, denial of service, command-and-control activity, and others
• Trend commentary on what's changing quarter-over-quarter
• "Top tips" aligned to the 10 Critical Controls

For a comparator-level view, the NCSC New Zealand Annual Cyber Threat Report covers nationally-significant incidents (typically state-sponsored or critical-infrastructure incidents that fall under the GCSB's remit), and complements CERT NZ's SME-focused dataset.

The categories that drive most cyber-insurance claims

1. Phishing and credential harvesting

Quarter after quarter, phishing sits at or near the top of the incident-volume table. The vast majority of NZ phishing incidents that result in business losses follow one of three patterns: (a) the attacker phishes a staff member's email credentials and uses the mailbox to redirect an invoice or wire payment; (b) the attacker compromises a vendor's email and sends an "updated bank details" email to the victim; or (c) the attacker uses harvested credentials to pivot into a SaaS environment (Xero, MYOB, Microsoft 365, Salesforce, etc.) and extract data or wire funds.

What cyber insurance pays for under these scenarios:

• Forensic-investigation costs to determine the scope of compromise (which mailboxes accessed, what data exposed)
• Breach-notification costs if personal information was accessible (Privacy Act 2020 section 117 triggers)
• Credit-monitoring or identity-monitoring services for affected individuals
• PR / crisis-management costs if the incident is public-facing
• Regulatory-defence costs if the Privacy Commissioner investigates

What cyber insurance often won't pay: the wire-fraud loss itself, unless the policy has a specific social engineering / fraudulent funds transfer coverage section with a stated sub-limit. This is one of the most-missed gaps in NZ cyber buyers — the "we got phished and paid a fake invoice" loss requires a dedicated social-engineering extension. Standard cyber policies focus on the data-breach response, not the fund loss. Ask your broker specifically whether the policy includes social-engineering cover and what the sub-limit is.

2. Ransomware

Ransomware incidents reported to CERT NZ are smaller in volume than phishing but vastly higher in average impact. CERT NZ's Quarterly Reports have consistently noted that ransomware represents a disproportionate share of total reported financial losses, and the NCSC NZ Annual Reports describe ransomware as a continuing significant threat to NZ critical infrastructure. Most NZ ransomware victims are SMEs hit by criminal-ransomware-as-a-service operators rather than state-sponsored actors.

What cyber insurance pays for in a ransomware scenario:

• Forensic investigation to determine root cause, scope, and whether data was exfiltrated
• Ransom payment itself (subject to insurer prior written consent and sanctions screening — see your policy's cyber extortion or ransom payment section)
• Data-restoration costs (paying specialists to rebuild systems, restore from backups, decrypt)
• Business-interruption losses during the outage (typically with a waiting-period excess of 8-24 hours and an indemnity period of 6-12 months)
• Crisis management, regulatory defence, breach notification — the full incident-response stack

Coverage caveats specific to ransomware:

• Sanctions exclusion. Insurers will not pay a ransom if doing so would breach NZ, US, UK, EU, or UN sanctions law. Some ransomware groups are listed as sanctioned entities; paying them is illegal and uninsurable. Insurers screen each ransom-payment request against current sanctions lists.
• Prior consent. Most policies require the insurer's prior written consent before any ransom is paid. Paying without consent voids coverage on the ransom payment itself (though downstream incident-response costs often remain covered).
• Backup-attached-to-domain exclusion. If your backups are accessible from the compromised domain (i.e. the attacker can encrypt them), and you can't restore without paying, some insurers will treat this as a contributory negligence finding. CERT NZ Critical Control 8 — immutable / offline backups with separate credentials — is the underwriting baseline.

3. Unauthorised access

CERT NZ's "unauthorised access" category captures incidents where an attacker accesses systems or data without permission, but where no ransomware or destructive payload was deployed. These are often the precursor to a larger incident — credentials stolen, lateral movement attempted, data exfiltrated.

What cyber insurance pays for: the same incident-response stack as for phishing, with the addition of data-restoration coverage if files were modified or deleted, and regulatory-defence coverage if the Privacy Commissioner opens a notifiable-breach investigation under the Privacy Act 2020. The dollar amounts vary by policy — your wording's sub-limits for each coverage section are where the real comparison happens, not the headline aggregate limit.

4. Scams (invoice / business email compromise)

"Scams" in CERT NZ's taxonomy is broad, but a meaningful share are business-email-compromise (BEC) scams where the criminal intercepts an email thread between supplier and buyer, then sends "updated bank details" to redirect a legitimate payment. CERT NZ has flagged BEC consistently as one of the highest-financial-impact categories.

For cyber insurance, BEC sits in the same coverage trap as phished-credential wire fraud — the loss is typically not covered by the base policy, but may be covered by a specific fraudulent funds transfer or social engineering extension. Crime insurance (a separate product) sometimes covers it; some commercial property/crime policies offer a small sub-limit. Cyber + crime stacked is the most common solution for NZ businesses with significant outbound payments.

5. Malware and command-and-control activity

Reported less often by SMEs than phishing or ransomware (because SMEs often don't detect dormant malware), but represents a meaningful tail. Cyber-insurance coverage here is straightforward — forensic investigation, data restoration, business interruption — but the policy's retroactive date rules matter. If malware was sitting on your systems before the policy started, some insurers will exclude the resulting incident from coverage; check the retroactive-date clause carefully.

How underwriters use CERT NZ data

From an insurer's perspective, the CERT NZ Quarterly Reports validate that the NZ threat landscape mirrors broader trends — ransomware and phishing dominate, BEC drives wire-fraud losses, and a small number of high-impact incidents account for a large share of total reported losses. This is why NZ cyber insurers underwrite tightly against the 10 Critical Controls: the controls map directly to the categories CERT NZ reports as highest-impact.

Insurers' premium pricing is sensitive to:

• Your sector's CERT NZ incident profile (healthcare, financial services, professional services, retail all have different threat profiles)
• Your control evidence against the 10 Critical Controls — particularly MFA-on-admin and immutable backups
• Your business size, dependency on email-based payment workflows, and number of staff who can authorise outbound payments
• Your prior claims and any incidents reported in CERT NZ-style categories

Reading the next Quarterly Report as a buyer

When the next CERT NZ Quarterly Report drops, three things to look at as a cyber-insurance buyer:

1. Category trend. Is your sector or business type appearing more often this quarter? If you're in a category that's trending up (e.g. professional services hit by phishing), your insurer's risk appetite for your sector may tighten at renewal.
2. "Top tips" alignment. CERT NZ pairs each quarter's report with practical tips, almost always aligned to the 10 Critical Controls. Use them as your renewal-cycle to-do list.
3. Loss totals. The aggregate financial loss figure indicates how severe the quarter was. Quarters with high losses often precede market-cycle tightening (insurers reducing limits, adding sub-limits, raising premiums).

Primary sources cited in this guide

• CERT NZ / NCSC — Quarterly Cyber Security Insights (ncsc.govt.nz)
• NCSC / CERT NZ — Critical Controls (ncsc.govt.nz)
• NCSC New Zealand — Annual Cyber Threat Report (ncsc.govt.nz)
• Companion guide: CERT NZ Critical Controls — what cyber insurers underwrite against

Disclaimer: This article is general information, not personalised cybersecurity or insurance advice. CERT NZ Quarterly Reports are the authoritative NZ source — always read them directly. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB Disclosure Statement.