Cyber Incident Response Playbook for NZ Businesses — First 72 Hours
Published 18 May 2026 · By Stewart Hunt, FCIB (FSP748591)
The first 72 hours after a cyber incident sets the trajectory for everything that follows — legal cost, customer impact, regulator engagement, claim outcome. This playbook walks the response hour by hour, maps each step to the relevant NZ authority (CERT NZ, NCSC, Office of the Privacy Commissioner) and shows where your cyber insurer fits in each call. It's a general framework; your specific incident needs specialist advice. Print this. Pin it to your IR plan. Tabletop it once a year.
Hour 0 — Detection
The incident has been detected: a ransomware note, a customer reporting unauthorised charges, an alert from your EDR, your bank flagging a suspicious wire, a staff member realising they fell for a phish. Whoever spots it first must:
- Not turn off the affected systems. Turning them off destroys forensic evidence. Disconnect from the network (unplug the cable, disable Wi-Fi) but leave the system powered.
- Not pay any ransom, communicate with the attacker, or click "decrypt" / "test decrypt" buttons. Engaging the attacker before legal review is a common reason insurers decline coverage.
- Notify the incident commander immediately (per your IR plan — if you don't have one, default to: CEO, CFO/Finance, IT lead, your insurance broker, all in that order).
Hour 1 — First calls
Three calls in the first hour, in this order:
- Your broker (or insurer's IR hotline if you have one). The cyber policy almost certainly requires prior consent before you engage forensics, counsel, or PR. Calling your IT firm first and the insurer later is what causes claim disputes. The broker's job at this point is to notify the insurer formally, open the claim, and get the insurer's panel IR firm assigned.
- The CEO / board chair (if not already in the loop). This is going to need executive attention; loop them in before the day is out.
- NCSC New Zealand if the incident affects critical infrastructure, government, or large enterprise, or if there's potential national-significance impact. Otherwise, CERT NZ is the right first call for most SME incidents — they triage and route to NCSC if needed. Both are free. CERT NZ reporting form; NCSC incident reporting. Reporting to CERT NZ does NOT trigger any regulatory action against you — they're a resource, not an enforcer.
Hours 2–6 — Containment
The insurer-panel forensics firm is now engaged. Their goals in this window:
- Establish initial-access vector (phishing? unpatched vuln? compromised credentials?)
- Identify and contain the blast radius — which systems, what data, who else may be affected
- Preserve evidence — memory images, log captures, malware samples — before remediation overwrites them
- Determine whether the attacker has persistence mechanisms (additional accounts, backdoors) that need separate removal
Your role: provide access, point them at the right systems, ensure they have what they need. Don't start cleaning up infected systems without their guidance — premature remediation destroys evidence and frequently leaves persistence mechanisms in place.
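The "preserve evidence" step above is where chain of custody is won or lost: every artifact the forensics firm collects (memory image, log capture, malware sample) should be hashed at collection time so that anything altered afterwards by premature clean-up can be proven altered. The script below is an added illustration of that practice and is not part of this playbook or FCIB's material; the function names, the case identifier, the collector name and the two sample artifacts are all constructed for the example.

```python
"""Evidence manifest with SHA-256 hashes and a tamper check (hypothetical helper).

Each collected artifact is hashed and recorded with who collected it and when;
the manifest itself carries a hash of its entries so it cannot be silently edited.
verify_manifest() re-hashes everything and reports anything missing or changed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash large files (memory images) in 1 MiB chunks


def sha256_file(path):
    """Streaming SHA-256 so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _entries_digest(entries):
    # Canonical JSON (sorted keys) so the same entries always hash the same way
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, collector, case_id):
    """Record path, hash, size, collection time (UTC) and collector for each artifact."""
    entries = []
    for p in paths:
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": os.stat(p).st_size,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"case_id": case_id, "entries": entries,
            "manifest_sha256": _entries_digest(entries)}


def verify_manifest(manifest):
    """Return a list of (path, reason) problems; an empty list means all evidence is intact."""
    problems = []
    if _entries_digest(manifest["entries"]) != manifest["manifest_sha256"]:
        problems.append(("<manifest>", "manifest entries altered"))
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            problems.append((e["path"], "missing"))
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed walk-through: collect two artifacts, then simulate premature clean-up.

    Returns (problems_before, problems_after, manifest).
    """
    d = tempfile.mkdtemp()
    log = os.path.join(d, "auth.log")
    sample = os.path.join(d, "suspect.bin")
    with open(log, "w") as f:  # constructed log line, not from a real system
        f.write("2026-05-18T03:12:07Z sshd[2211]: Accepted password for svc_backup from 203.0.113.45\n")
    with open(sample, "wb") as f:  # constructed placeholder bytes, not a real malware sample
        f.write(b"MZ\x90\x00" + b"\x00" * 64)
    manifest = build_manifest([log, sample], "J. Analyst (panel IR firm)", "CASE-EXAMPLE-001")
    before = verify_manifest(manifest)
    # Premature remediation: someone truncates the log after it was collected
    with open(log, "w") as f:
        f.write("")
    after = verify_manifest(manifest)
    return before, after, manifest


if __name__ == "__main__":
    before, after, _ = demo()
    print("before clean-up:", before)   # []
    print("after clean-up:", after)     # [('.../auth.log', 'hash mismatch')]
```

In practice the manifest JSON is written out alongside the artifacts and its `manifest_sha256` value is recorded separately (for example in the incident decision log), so that a later reviewer can confirm neither the evidence nor the record of it has changed since collection.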
Hours 6–24 — Scope assessment
By the end of day 1, the forensics firm should have a working theory on:
- The nature of the breach (data exfiltration, ransomware, business email compromise, etc.)
- The approximate number of records / accounts affected
- What types of personal information are involved
- Whether the breach is contained or still active
At this point you have enough to make the Privacy Act 2020 "serious harm" assessment. If the answer is yes (or "likely"), the 72-hour clock to notify the Office of the Privacy Commissioner has started. The OPC's serious-harm test factors are detailed in our Privacy Act notification guide. Your panel lawyer is making this call with you — don't call it yourself.
Hours 24–48 — Notifications + comms
If a notifiable breach has been confirmed:
- OPC notification. Submit at privacy.org.nz/notifications. Partial notification within 72 hours is better than full notification outside the window.
- Customer / affected-individual notifications. The cyber policy's notification-cost cover pays for letters, call-centre capacity, credit monitoring. Drafted by the panel lawyer; mailed by the panel notification firm.
- Staff communications. A short, factual internal email — what happened, what we're doing, what staff should and shouldn't say externally. The PR / crisis-management cover funds an external comms firm if needed.
- Bank notification if financial data was compromised. The bank will assist with card-replacement timing and fraud-monitoring.
- If exfiltration involved card data: notify card-brand acquirer (Visa, Mastercard, Amex) — this triggers PCI-DSS investigations and potential fines. Cyber-policy PCI cover responds.
Hours 48–72 — Restoration
By this stage you should be:
- Restoring systems from clean backups (verified clean by the forensics firm)
- Resetting all potentially-compromised credentials
- Rotating admin accounts and revoking session tokens system-wide
- Implementing the additional controls the forensics firm has identified as gaps (often the CERT NZ Critical Controls you didn't have — see our CERT NZ Critical Controls guide)
- Confirming with the insurer's claims team what's covered and what's needed for proof-of-loss
If the incident took customer-facing systems offline, your business-interruption cover is responding from the start of the indemnity-trigger waiting period (typically 6-24 hours into the outage, depending on policy).
Day 4 onwards — Recovery + remediation
The acute response is over; the multi-week recovery begins:
- Forensic report finalised — typically 4-6 weeks for full report
- Customer-care line continues for affected individuals (typically 90 days)
- Credit monitoring runs for the contracted period (usually 12-24 months for affected individuals)
- Internal lessons-learned process — what controls failed, what to add, what your IR plan got right and wrong
- OPC engagement continues if they've opened a separate investigation
- Insurance claim documentation submitted — log of all decisions, invoices for everything, evidence of mitigation
What insurance pays for, by step
| Step | Cyber-policy coverage section |
|---|---|
| Hour 0-1 (detection, broker call) | No cost; relationship covered by your annual premium. |
| Hours 2-24 (forensics + containment) | Forensic-investigation cover. Often a sub-limit within the aggregate policy limit; size varies materially by insurer — confirm in each quote. |
| Hours 6-24 (legal advice on notification) | Legal-defence cover. |
| Hours 24-72 (notification mechanics) | Notification-cost cover — letters, call centre, credit monitoring. |
| Hours 24+ (system unavailability) | Business interruption — profit + increased cost of working. |
| Hours 48+ (PR if needed) | PR / crisis-management cover. |
| Week 2+ (regulatory engagement) | Regulatory-defence cover. |
| If ransom paid | Cyber-extortion cover (subject to sanctions screening, prior consent, sometimes a separate sub-limit). |
| If card data + PCI investigation | PCI-DSS fines + investigation cover. |
Where to get help (free + paid)
- CERT NZ — free triage and advice for any NZ cyber incident.
- NCSC New Zealand — for incidents affecting critical infrastructure, government, large enterprise.
- Office of the Privacy Commissioner — mandatory notification if serious-harm threshold met.
- IDCARE — free support service for individuals affected by identity / cyber-security compromise.
- Your insurer's incident-response hotline — first call for any cyber claim.
Primary sources cited in this guide
- CERT NZ — Report an incident
- NCSC NZ — Cyber security incident reporting
- Office of the Privacy Commissioner — Notifiable privacy breaches
- IDCARE — Identity & Cyber Security Community Support
Disclaimer: This article is general information, not personalised legal, cybersecurity, or insurance advice. Your specific incident needs specialist input; this playbook is a generic framework only. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB Disclosure Statement.
Build your IR plan + arrange cover
FCIB helps NZ businesses arrange cyber insurance and align it with their incident-response plan. Free quote, no obligation.