How to Choose the Right Cyber Insurance Coverage for Your NZ Business
Choosing cyber insurance well is mostly about asking better questions of your own business than of the insurer. This guide walks through the four questions that drive sizing, the trade-offs that hide inside a "comparable" quote, and the decision framework we use when placing cover for NZ clients.
The four questions that determine your cover
Before any insurer can be approached, four questions need honest answers. Get these right and the rest of the buying process is mechanical.
1. What's the worst credible incident?
Not the worst imaginable — the worst credible. For most NZ SMEs the worst credible is a multi-day ransomware event with data exfiltration: 5–10 days of operational disruption plus a notifiable privacy breach. For a SaaS-dependent business, it might be a contingent supply-chain incident — a vendor outage that takes you offline. For a payment-handling retailer, a card-data breach with PCI-DSS implications. The shape of the worst credible scenario tells you what cover sections matter.
2. How much personal data do you actually hold?
Notification cost scales linearly with the number of affected individuals. A business holding 50,000 customer records has a different exposure to one holding 500. Walk through your systems honestly: CRM, email archives, file shares, SaaS platforms. Old data you no longer need is liability without value — and the data retention policy that follows from this exercise is something insurers want to see.
3. How dependent is revenue on uptime?
An e-commerce retailer loses revenue every hour the store is down. A consultancy that can keep working from laptops loses much less per hour. Your business interruption sublimit needs to match the realistic loss-per-day, multiplied by an indemnity period long enough to cover full restoration (typically 6 months for a serious incident).
4. Who else's data are you holding?
If you process payments, you have PCI obligations. If you handle health data, the Health Information Privacy Code applies. If you process EU residents' data, GDPR applies. Each adds a regulatory dimension that affects how much third-party cover and regulatory-defence sublimit you need.
The six numbers to compare across quotes
When two NZ insurers send back terms for your business, the comparison is rarely about premium alone. The numbers that matter:
- Aggregate limit — the most the policy will pay across all claims in the period.
- Cyber crime sublimit — for BEC and fraudulent transfer. Often capped well below the aggregate.
- Ransom sublimit — sometimes 10–25% of aggregate; sometimes equal to it.
- BI waiting period — 6 hours vs 24 hours can be the difference between an outage being claimable or not.
- Defence costs treatment — "in addition to" vs "within" the limit.
- Excess — per-claim, aggregate, or per-section.
Premium is the seventh number. We don't put it first because two policies with $1,000 difference in premium can easily have $200,000 difference in real-world claim outcomes — and the difference is in the six numbers above.
Trade-offs we see most often
A few practical trade-offs come up in every cyber placement:
- Lower premium vs lower sublimits. The cheap quote is usually thinner on cyber crime and notification. If you have any meaningful customer-data or payments exposure, the saving evaporates at claim time.
- Higher excess vs lower premium. A $25K excess instead of $5K typically takes 15–25% off premium. Worth taking if your business can comfortably absorb a $25K hit.
- Wider cover vs harder underwriting. Premium policies (Chubb, AIG CyberEdge at higher tiers) come with a longer application and higher control expectations. If your security posture is genuinely strong, the premium-tier comparison is favourable; if it's not, a more accessible insurer may be better placed.
A simple decision framework
After a few hundred placements, the framework that works for most NZ businesses:
- Pin down the worst credible scenario in dollars. Not abstract limits — actual dollars across forensics, legal, notification, BI, restoration. That sets the limit floor.
- Choose the excess you can comfortably wear. $5K, $10K, $25K, $50K — your call. Higher excess pulls premium down materially.
- Check the six sublimits against your worst credible scenario. Where the policy is thinner than your scenario, ask the broker to negotiate up.
- Read the exclusions, particularly the war exclusion wording and any pre-existing-condition language.
- Confirm the panel — forensics, legal, PR, ransomware negotiator. These are who you'll work with at 2am during an incident.
- Then look at premium. Three quotes that all pass the above checks should be within ~15% of each other on premium. If one is dramatically cheaper, find out where the cover is thinner.
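As an added worked example (not part of the original guide), the framework above and the six-number comparison expressed as a check: price the worst-credible scenario in dollars, test each quote's six numbers against it, and only then flag a passing quote that is priced well under its peers. All figures are constructed and illustrative; the ransom-demand, fraudulent-transfer and max-excess inputs are assumptions added so the ransom, cyber crime and excess numbers have something to be checked against.

```python
# Constructed worst-credible scenario for an NZ SME: a 7-day ransomware event with
# exfiltration of 20,000 customer records (all figures NZD, illustrative only).
SCENARIO = {
    "forensics": 50_000, "legal": 40_000, "restoration": 60_000, "third_party_margin": 100_000,
    "affected_individuals": 20_000, "cost_per_notification": 5,
    "revenue_per_day": 20_000, "downtime_days": 7,
    # Assumed extra inputs (not listed on the page): credible ransom demand, largest
    # single fraudulent transfer, and the excess the business can comfortably wear.
    "ransom_demand": 150_000, "largest_fraud_transfer": 80_000, "max_excess": 25_000,
}

def limit_floor(s):
    """Worst-credible incident in dollars: forensics + legal + notification + BI + restoration + margin."""
    return (s["forensics"] + s["legal"] + s["restoration"] + s["third_party_margin"]
            + s["affected_individuals"] * s["cost_per_notification"]
            + s["revenue_per_day"] * s["downtime_days"])

def check_quote(q, s):
    """Check a quote's six numbers against the scenario; an empty list means it passes."""
    issues = []
    # Defence costs "within" the limit erode what is left to pay the loss itself.
    usable = q["aggregate"] - (s["legal"] if q["defence_within_limit"] else 0)
    if usable < limit_floor(s):
        issues.append(f"usable aggregate ${usable:,.0f} below floor ${limit_floor(s):,.0f}")
    if q["ransom_sublimit"] < s["ransom_demand"]:
        issues.append("ransom sublimit below credible demand")
    if q["cyber_crime_sublimit"] < s["largest_fraud_transfer"]:
        issues.append("cyber crime sublimit below largest fraudulent transfer")
    if q["bi_waiting_hours"] >= s["downtime_days"] * 24:
        issues.append("BI waiting period longer than the credible outage")
    if q["excess"] > s["max_excess"]:
        issues.append("excess above what the business can absorb")
    return issues

def suspiciously_cheap(quotes, s, tolerance=0.15):
    """Of the quotes that pass, name any priced more than 15% under the dearest one."""
    passing = [q for q in quotes if not check_quote(q, s)]
    if not passing:
        return []
    dearest = max(q["premium"] for q in passing)
    return [q["name"] for q in passing if q["premium"] < dearest * (1 - tolerance)]

QUOTES = [  # constructed terms from three hypothetical insurers
    {"name": "A", "premium": 6_000, "aggregate": 1_000_000, "cyber_crime_sublimit": 50_000,
     "ransom_sublimit": 250_000, "bi_waiting_hours": 24, "defence_within_limit": True, "excess": 10_000},
    {"name": "B", "premium": 7_500, "aggregate": 2_000_000, "cyber_crime_sublimit": 250_000,
     "ransom_sublimit": 500_000, "bi_waiting_hours": 8, "defence_within_limit": False, "excess": 25_000},
    {"name": "C", "premium": 5_000, "aggregate": 1_000_000, "cyber_crime_sublimit": 100_000,
     "ransom_sublimit": 250_000, "bi_waiting_hours": 12, "defence_within_limit": False, "excess": 25_000},
]
```

With these inputs quote A fails only on its cyber crime sublimit, B and C both pass, and C is flagged as the one to question because it sits more than 15% under B.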
Common questions
How do I size the right limit for my business?
The defensible answer comes from the worst credible scenario — typically a multi-day ransomware incident with data exfiltration. Add up forensics ($30K–$80K), legal ($20K–$60K), notification (scales with affected individuals), business interruption (use revenue × downtime estimate), restoration ($20K–$150K), plus a margin for third-party claims. For most NZ SMEs the answer lands at $1M–$5M aggregate; mid-market is usually $5M–$10M.
Is cheaper cyber insurance better or worse value?
Sometimes it's better — for a low-data, low-revenue business, an entry-level policy is honest pricing for honest exposure. More often, cheaper means thinner sublimits, longer waiting periods, or pre-existing-condition exclusions that make claims harder. Compare the six numbers we list in Understanding Cyber Insurance Coverage, not just the premium.
Should I get cyber insurance or improve my security first?
Both, in parallel. Insurers will require MFA, tested backups, and a documented incident response plan as a baseline. Improving these things is what gets you a quotable application AND reduces incident likelihood. The two move together.
What's the right excess (deductible)?
High enough that you can absorb a small claim without notifying the insurer, low enough that the policy actually responds to material incidents. NZ SME excesses typically sit at $5K–$25K; mid-market $25K–$100K; enterprise $100K+. Higher excess pulls premium down meaningfully.
Should I use a broker or buy direct?
For cyber specifically, a broker who specialises in commercial insurance is genuinely useful. The wordings are dense, the application is detailed, and at claim time you'll want someone who has placed and managed cyber claims for other businesses guiding the conversation with the insurer. That's what FCIB does.
What to do next
Bring an honest answer to the four sizing questions, and we'll do the rest of the work — shopping the market, comparing the six numbers, and presenting options that actually match your scenario. Related reading: what cyber insurance covers · controls insurers look for · glossary.
Get a cyber insurance quote
Three quick questions, about 2 minutes. Free, no obligation. Stewart Hunt at FCIB (FSP748591) usually responds within one business day.