Cyber Insurance for New Zealand Business — A Buyer's Guide

By Stewart Hunt, Insurance Adviser at First Commercial Insurance Brokers Ltd (FSP748591)

Cyber insurance is one of the few covers where what's not in the policy matters as much as what is. This guide explains what New Zealand cyber policies typically respond to in 2026, what insurers want to see before they'll quote, the regulatory backdrop you're actually buying cover against, and the questions to ask before you commit.

Why cyber cover matters in NZ now

CERT NZ's quarterly reports have shown a steady rise in the financial harm reported by New Zealand businesses since the Privacy Act 2020 came into force [1]. The pattern isn't novel attacks — most incidents still start with a phished credential or an exposed remote-access service — but the cost of resolving them has climbed because the legal and notification work that follows a breach has become more demanding.

Three drivers in particular reshape what a cyber policy needs to do for a New Zealand buyer in 2026:

  • Privacy Act 2020 maturity. The Notifiable Privacy Breach regime under sections 113–118 is now five years old. The Privacy Commissioner has built up a body of expectations around how breaches should be assessed for "serious harm" and how affected individuals should be notified [2]. Doing this badly is now visible in the Commissioner's annual reports.
  • Supply-chain and vendor incidents. A material share of the impact CERT NZ reports for NZ businesses in any quarter originates upstream — a SaaS provider, an MSP, or a payment processor — rather than at the affected business itself. Supply-chain and contingent business interruption wordings have moved from optional to baseline for most mid-market quotes.
  • Underwriter discipline. NZ cyber insurers no longer offer a frictionless quote on a one-page application. They want evidence of multi-factor authentication, tested backups, and a documented incident response plan before a policy is bound. Brokerages that pretend otherwise are quoting against the market they used to have, not the one we're in.

The practical implication is that buying cyber insurance well is increasingly an exercise in framing your security posture honestly — not in shopping for the lowest premium. Insurers respond to clear answers, documented controls, and a broker who can translate your environment into the language they underwrite to.

What a cyber policy actually covers

Cyber insurance is split into two halves: first-party covers your own losses; third-party covers claims that other people bring against you. Most NZ buyers care most about first-party because that's where the immediate cash outflow happens.

First-party (your own losses)

The headline first-party covers in a typical NZ wording are event response (forensics, legal, PR, notification costs, credit monitoring), cyber extortion (ransom payment subject to sanctions screening, plus negotiation services), business interruption for income lost while systems are down, and restoration costs to rebuild data and systems whether or not you pay any ransom.

The numbers that matter inside each of these are the sublimits (the cap on each section, often lower than the overall policy limit) and the waiting period for business interruption (typically 6–24 hours — anything below the waiting period isn't paid). Two policies with identical headline limits can deliver very different recovery experiences once you read the sublimits.

Third-party (claims others bring against you)

Third-party cyber covers network security liability (damages from your network being used to attack someone else, e.g. malware spread), privacy liability (claims from individuals whose data you mishandled), and regulatory defence (legal costs for Privacy Commissioner investigations and, where relevant, sector-regulator inquiries). Defence costs can sit "in addition to" the limit or "within" it — read the wording, because the difference can be six figures on a contested claim.

Things that are commonly excluded

Standard exclusions to look for include the war exclusion (refined in recent years to address state-sponsored cyber attacks — read your policy's specific wording), pre-existing breaches you knew about and didn't disclose, breach of contract that wasn't itself caused by a cyber event, and intentional acts by senior officers. Patent and IP infringement claims, professional indemnity exposure for technology firms (which usually needs Tech E&O alongside cyber), and physical bodily injury are generally out — these are different policies.

What insurers ask for before they'll quote

The current NZ cyber application typically asks 30–60 questions, but they cluster into a handful of decisions an underwriter is making. If you can answer these confidently and with evidence, you'll get faster terms and better pricing.

  • MFA on email and remote access. Almost universally required as a baseline. "We're working on it" is not an answer most underwriters will accept on email — the application is harder to place if MFA isn't already deployed.
  • Backups, with tested restoration. Daily or near-daily, ideally offline or immutable, with restoration tested at least annually. The bar is a tested restore — not a backup that runs successfully but has never been used.
  • EDR on every endpoint. Modern endpoint detection has largely replaced "antivirus" as the underwriter's question. Mature deployments score better than partial coverage.
  • A documented incident response plan. The threshold isn't a 50-page document — it's a written plan that names who calls whom in the first 4 hours, where the backups are, and which lawyer you call. Many insurers offer a discount for businesses that have run a tabletop exercise in the last 12 months.
  • Patching cadence. Most NZ wordings now ask how quickly critical security patches reach production — 30, 60, or 90 days. Slower patching pulls premiums up.
  • Vendor risk. Especially for SaaS-heavy operations: which third parties hold your data or run your business processes, and what's the contractual position on breach notification.
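The backup question is the one underwriters most often find unsupported, because "the backup job ran" and "we restored from it and checked the data" are different claims. As an added illustration of what a minimal restore drill looks like (not code from this guide or the brokerage; the file names and contents are constructed for the example), the script below backs up a small data set with a SHA-256 manifest, restores the archive into a fresh directory, and reports any file that is missing or no longer matches the manifest:

```python
"""Restore drill: prove a backup can be restored and that the data is intact.

Added example for the "tested restoration" underwriting question; not code
from the guide or the brokerage. It builds a small constructed data set,
backs it up to a tar archive with a SHA-256 manifest, restores the archive
into an empty directory and verifies every file against the manifest.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a practice-management data set.
SAMPLE_FILES = {
    "clients/acme.txt": b"Client matter 2024-017\n",
    "clients/beta.txt": b"Client matter 2025-003\n",
    "ledger.csv": b"date,amount\n2026-01-05,1200.00\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def make_backup(source: Path, archive: Path, manifest: Path) -> dict:
    """Archive `source` and record the hash of every file at backup time."""
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2))
    return hashes


def restore_and_verify(archive: Path, manifest: Path, target: Path) -> dict:
    """Restore into an empty directory and check every file against the manifest.

    Returns a report with an ok flag, the expected file count, and the names
    of any missing or corrupted files. A backup job that "succeeded" but fails
    this check is exactly the case the underwriting question is about.
    """
    expected = json.loads(manifest.read_text())
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # filter="data" (newer Python) rejects absolute paths and ".." entries.
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)
    missing, corrupted = [], []
    for rel, digest in expected.items():
        p = target / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return {
        "ok": not missing and not corrupted,
        "files_expected": len(expected),
        "missing": missing,
        "corrupted": corrupted,
    }


def run_restore_drill(corrupt_one_file: bool = False) -> dict:
    """End-to-end drill in a temporary directory; optionally simulate damage."""
    with tempfile.TemporaryDirectory() as tmp_name:
        tmp = Path(tmp_name)
        source, target = tmp / "live", tmp / "restore"
        archive, manifest = tmp / "backup.tgz", tmp / "backup.manifest.json"
        write_sample_data(source)
        make_backup(source, archive, manifest)
        if corrupt_one_file:
            # Simulate a damaged backup: alter one source file and rebuild the
            # archive, but keep the manifest recorded by the original run.
            (source / "ledger.csv").write_bytes(b"date,amount\n")
            make_backup(source, archive, tmp / "ignored.json")
        return restore_and_verify(archive, manifest, target)


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
    print(json.dumps(run_restore_drill(corrupt_one_file=True), indent=2))
```

The report from a drill like this, dated and kept with the backup logs, is the kind of evidence an application can point to; the second run shows why a drill that only checks "the restore finished" is not enough, since the archive restores cleanly but one file no longer matches what was backed up.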

Where a control isn't yet in place, "we're rolling this out by Q3" is more credible than "we're considering it" — but only if the project has a budget line and a named owner. Insurers underwrite to the application; gaps in the application become exclusions in the policy.

The NZ regulatory picture

Five regulators sit around the cyber-incident table in New Zealand, and which ones you talk to depends on your sector and the data involved.

  • Privacy Commissioner — Notifiable Privacy Breaches under sections 113–118 of the Privacy Act 2020. The threshold is "serious harm or the likelihood of it". Notification is to both the Commissioner and the affected individuals, generally as soon as practicable after becoming aware [2].
  • CERT NZ — the operational incident-reporting channel. Reporting is voluntary in most cases but provides access to government technical assistance and feeds the quarterly reports the rest of the market reads [1].
  • FMA — for licensed financial advice providers (like First Commercial Insurance Brokers Ltd) and listed issuers' continuous-disclosure obligations. A cyber incident that materially affects a listed company is disclosable.
  • RBNZ — for registered banks and licensed insurers, with prudential expectations around operational resilience.
  • Sector codes — the Health Information Privacy Code applies on top of the Privacy Act for health agencies; there are similar codes for credit reporting, telecommunications, and the justice sector.

A good cyber policy will pay the legal and reporting costs for the regulators that apply to you. A great broker will help you map which conversations to start in the first 72 hours of an incident — because doing the wrong notifications in the wrong order can amplify both regulatory and reputational harm.

What a real claim looks like

The two most common shapes of New Zealand cyber claims are email-based fraud and ransomware-with-exfiltration. Two illustrative scenarios — these are not specific clients, and outcomes vary by policy and circumstances:

Illustrative scenario — Business email compromise

An accounts payable team receives an email that appears to come from a long-standing supplier, asking for a change of bank details. The change is processed and the next two invoices — totalling around $180,000 — are paid into the criminal's account. The cover that responds here is cyber crime (often a sublimited extension, not the core cyber section), and the application question that matters most is whether you have a documented out-of-band verification step for bank-detail changes. Without it, the claim is harder to defend — with it, the same loss is usually paid subject to the relevant excess.

Illustrative scenario — Ransomware with data exfiltration

A 50-person professional services firm is hit by ransomware overnight. Encrypted files include client matters going back years; the attackers also exfiltrated about 30GB of documents and threaten to publish. The covers that respond are event response (forensics + legal + PR), cyber extortion (ransom negotiation; payment subject to sanctions screening), business interruption (lost billable time while systems are down), notification costs (the Privacy Commissioner is notified within days; affected clients are notified by post), and restoration costs (rebuilding the practice management system from backup). A typical policy with $1M aggregate and standard sublimits handles this end-to-end; the sticking point in practice is usually whether tested backups existed and whether the firm pays the ransom — both decisions are covered by the policy but driven by the firm's facts.

Real claims rarely look like the marketing material. The work that determines the outcome happens in the first 72 hours and depends on a calm, prepared team and an incident response plan that names the right people. That's why insurers reward businesses with documented IR plans, and why the broker's job extends beyond placing the policy.

Common questions

Do I actually need cyber insurance in New Zealand?

If your business holds any personal information, accepts payments online, runs systems your customers depend on, or relies on email for invoicing — yes. The Privacy Act 2020 already requires you to notify the Privacy Commissioner when a breach causes serious harm, and the costs of doing that competently (forensics, legal, customer notification, credit monitoring) routinely run into tens of thousands of dollars before any business-interruption losses are counted. Cyber cover pays for that response. Whether you need it isn't really the question — it's whether your business can absorb the cost without it.

How much does cyber insurance cost a New Zealand business?

Premium depends on revenue, sector, headcount, and your security posture. We don't quote ranges on this page because publishing a number that doesn't match your circumstances would be misleading under FMA expectations. Start a quote and we'll give you an actual figure after a 10-minute scoping conversation. As a rough orientation: lower premiums tend to go to businesses that demonstrate MFA, tested backups, and a documented incident response plan.

Will the policy pay a ransom?

Most policies do, subject to sanctions screening — meaning the insurer must verify the ransom recipient isn't on a sanctions list before any payment. Insurers also typically require their pre-approved ransomware negotiator to be involved before any payment is authorised. Whether you should pay is a separate question — the FBI and most NZ government guidance recommend against paying, and many policies will also cover the cost of restoring systems if you choose not to pay.

Is the FMA the right regulator to talk to about cyber?

The FMA regulates licensed financial advice providers (like First Commercial Insurance Brokers Ltd) and listed companies' continuous-disclosure obligations. CERT NZ is the operational reporting channel for incidents. The Privacy Commissioner is who you notify when personal information is exposed. Sector regulators (RBNZ for banks, MOH for healthcare) layer on top. We'll help you map the right notifications when an incident happens — that's part of what your adviser is for.

What if we've been breached before?

Tell us up-front. Insurers will ask, and a non-disclosed prior incident can void cover when you most need it. A clean breach history with documented remediation is normal and quotable. An unresolved incident or active litigation will narrow your options — but "narrow" isn't "none", and being upfront usually means we can still place cover with a tailored exclusion or higher excess for the previously affected exposure.

What to do next

If you're at the start of the conversation, the fastest first step is the 3-step quote — three quick questions about your business and Stewart will follow up with options from the cyber insurers we hold agreements with. If you'd rather walk through the underwriting questions in detail before we approach insurers, the long-form quote covers MFA, backups, prior incidents, and the rest in one go.

You can also read our reviews of the four cyber insurers we work with most often — Delta (NZ-owned), AIG (CyberEdge), Chubb, and QBE — or browse our cyber-insurance glossary if any of the terms in this guide need a plain-English definition.

Get a cyber insurance quote

Three quick questions, about 2 minutes. Free, no obligation. Stewart Hunt at FCIB (FSP748591) usually responds within one business day.