Cybersecurity Controls Insurers Actually Look For — A New Zealand SME Guide
There are hundreds of "cybersecurity best practices" lists online. Most are exhausting, all-or-nothing, and don't tell you which controls actually move the underwriting needle. This is a different list — what NZ cyber insurers ask about on the application, ranked by how much each one affects whether you can get cover, the premium you'll pay, and the policy you'll be offered.
The five baseline controls
If you do nothing else, do these five. Without them, getting a cyber quote in 2026 is hard; with them, you're in the conversation.
1. Multi-factor authentication on email and remote access
MFA is the single biggest control NZ cyber underwriters look at. Almost every meaningful claim we see started with a phished credential, and almost every one of those would have been blocked by MFA on the right system. The bar is MFA for every user, not just admins, on email, every remote-access service (VPN, remote desktop gateways, admin portals), and any system holding sensitive data. Method matters too: authenticator apps or hardware keys beat SMS codes, and only phishing-resistant methods such as FIDO2 security keys or passkeys stop a phishing kit that relays the one-time code to the real login page in real time.
2. Tested backups
A backup that runs nightly but has never been restored is, from an underwriter's view, theoretical. Insurers want backups that are taken at least daily, kept offline or immutable so that an attacker holding admin credentials on the production network cannot encrypt or delete them, stored in a separate location, and demonstrably restored at least annually. The annual restore test is the part most businesses skip; insurers now ask for it specifically.
3. Endpoint detection and response (EDR)
EDR has largely replaced traditional antivirus on the application form. The question is now "what EDR product do you run, and on how many of your devices?" rather than "do you have antivirus?". Mature deployments (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint at the right tier) covering every endpoint, servers included, score better than partial coverage or older products; an agent on the laptops but not on the file server is the partial coverage underwriters mark down.
4. A documented incident response plan
An incident response plan answers four questions for the first 4 hours: who calls whom, where the backups are, which lawyer we call, which insurer hotline we trigger. A one-page plan that's been read by the team is worth more than a 50-page binder. Many insurers offer a measurable premium discount for businesses that have run a tabletop exercise in the last 12 months.
5. Patching cadence
Most NZ cyber application forms now ask how long critical security patches take to reach production: within 30, 60, or 90 days. Slower patching pushes the premium up; faster patching, especially with a documented test-then-deploy process, pulls it down.
Five controls that move you from "quotable" to "preferred"
Once the baseline is in place, these are the controls that get you better terms — wider cover, higher sublimits, lower premium.
- Email security beyond default M365 / Workspace. Anti-phishing tools, banner warnings on external email, sandboxing of links and attachments, conditional access (or context-aware access) policies. Insurers ask whether you've enabled these, not just whether the licence includes them.
- Out-of-band verification for bank-detail changes. The single biggest control against business email compromise: a documented requirement to phone-verify any bank-detail change before processing, using a number already on file rather than one supplied in the request. Applied consistently, it removes most invoice-redirection losses.
- Annual security awareness training, ideally with simulated phishing campaigns. CERT NZ publishes free awareness resources that meet the baseline.
- Vendor risk management. A list of your critical third parties (SaaS platforms, MSPs, payment processors) plus contractual security and breach-notification clauses. Increasingly relevant after the high-profile supply-chain incidents of recent years.
- Logging and monitoring. At minimum, audit logs on email and customer databases, retained for at least 90 days, with mailbox auditing confirmed enabled rather than assumed and someone actually reading the alerts. Without logs, the forensic scope after an incident is "assume the worst", which means notifying more people and a larger claim.
An illustrative scenario — what good looks like
Illustrative scenario — Phished credential, contained quickly
A finance team member at a 40-person consultancy clicks a phishing link and enters their email credentials on a fake login page. Within 30 minutes, the email platform's sign-in risk alerting flags an unusual sign-in attempt from an overseas IP address (the EDR agent on the laptop never sees a cloud login made from somewhere else); MFA blocks the login itself. The IT manager, following the IR plan, immediately resets the user's password, revokes every active session and refresh token, and reviews the mailbox audit log for inbox rules created, forwarding set, and third-party OAuth apps consented. The log shows none of these and no mailbox access from the attacker's address, so there is no notifiable breach and no notification is required.
This isn't a claim — it's a near-miss that didn't happen because the controls worked. Insurers see the difference, and businesses with a track record of caught-and-contained near-misses get better terms at renewal.
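The audit-log review in the scenario is the step most SMEs cannot describe when an underwriter asks. As an added example (not code from this page, and not Microsoft's), here is that check in Python over a handful of constructed Unified Audit Log records: it flags inbox rules that forward, redirect, delete, or park mail in folders the owner never looks at, and Set-Mailbox changes that set mailbox-level forwarding. The record shape follows the AuditData JSON that Search-UnifiedAuditLog returns; the sample records, addresses, IPs and the hiding-folder list are assumptions for illustration.

```python
"""Flag the inbox-rule and forwarding changes that typically follow a phished
mailbox credential, from Exchange Online unified audit log records.

Added example for this page, not code from the original article. The records
below are CONSTRUCTED to mirror the shape of Unified Audit Log 'AuditData'
JSON (Operation, UserId, ClientIP, CreationTime, Parameters as Name/Value
pairs); they are not real tenant data, and the hiding-folder heuristic is an
assumption drawn from common BEC tradecraft, not a documented product rule.
"""
import json
from dataclasses import dataclass

# Inbox-rule parameters that send mail off-tenant or hide it from the owner.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}
# Folders attackers commonly park hidden replies in (assumed heuristic).
HIDING_FOLDERS = ("RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Junk Email", "Deleted Items", "Archive")
# Mailbox-level forwarding set with Set-Mailbox survives rule clean-up.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress",
                     "DeliverToMailboxAndForward"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    operation: str
    detail: str


def load_audit_records(lines):
    """Parse one AuditData JSON document per line into dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def _params(record):
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _suspicious_rule_params(params):
    """Return the rule parameters worth a human's attention."""
    hits = {k: v for k, v in params.items() if k in EXFIL_PARAMS | HIDE_PARAMS}
    folder = params.get("MoveToFolder", "")
    if any(name.lower() in folder.lower() for name in HIDING_FOLDERS):
        hits["MoveToFolder"] = folder
    return hits


def review_mailbox_audit(records, user_id):
    """Findings for rule or forwarding changes made under one user's identity."""
    findings = []
    for rec in records:
        if rec.get("UserId", "").lower() != user_id.lower():
            continue  # only the compromised account is in scope here
        op = rec.get("Operation", "")
        params = _params(rec)
        if op in RULE_OPERATIONS:
            hits = _suspicious_rule_params(params)
            detail = f"rule {params.get('Name', '?')!r} sets {hits}"
        elif op == "Set-Mailbox":
            hits = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
            detail = f"mailbox forwarding changed: {hits}"
        else:
            continue
        if hits:
            findings.append(Finding(rec.get("CreationTime", "?"), rec["UserId"],
                                    rec.get("ClientIP", "?"), op, detail))
    return findings


# Constructed sample: one benign rule, three attacker changes, one other user.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2026-03-02T21:05:11", "Operation": "New-InboxRule",
                "UserId": "finance@example.co.nz", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news@"},
                               {"Name": "MoveToFolder", "Value": "finance@example.co.nz:\\Newsletters"}]}),
    json.dumps({"CreationTime": "2026-03-03T02:14:52", "Operation": "New-InboxRule",
                "UserId": "finance@example.co.nz", "ClientIP": "198.51.100.77",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
                               {"Name": "ForwardTo", "Value": "collector@example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-03-03T02:16:09", "Operation": "Set-Mailbox",
                "UserId": "finance@example.co.nz", "ClientIP": "198.51.100.77",
                "Parameters": [{"Name": "Identity", "Value": "finance"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-03-03T02:20:30", "Operation": "Set-InboxRule",
                "UserId": "finance@example.co.nz", "ClientIP": "198.51.100.77",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "finance@example.co.nz:\\RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-03-03T09:00:00", "Operation": "New-InboxRule",
                "UserId": "ops@example.co.nz", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "Forward tickets"},
                               {"Name": "ForwardTo", "Value": "helpdesk@example.co.nz"}]}),
]

if __name__ == "__main__":
    for f in review_mailbox_audit(load_audit_records(SAMPLE_AUDIT_LINES),
                                  "finance@example.co.nz"):
        print(f"{f.time} {f.operation:<14} from {f.client_ip}: {f.detail}")
```

Against a real tenant, feed it the AuditData column of an export from Search-UnifiedAuditLog (or the Purview audit search) for the compromised user and the hours around the flagged sign-in. The benign "Newsletters" rule passes, the three changes made from the attacker's IP are flagged, and the other user's rule is out of scope until that mailbox is reviewed. Any finding means the mailbox was reachable, so "no data accessed, no notification" has to rest on the log, not on the fact that MFA appeared to hold.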
What NOT to spend money on first
Three categories of cybersecurity spending that look productive but rarely move the underwriting needle for an SME:
- Penetration testing — useful for mature security programmes; for an SME without MFA in place, you're paying to discover the same finding the underwriter would have asked about anyway.
- Threat-intelligence subscriptions — most NZ SMEs don't have the team to act on the feeds.
- Security certifications (ISO 27001, SOC 2) — valuable for sales conversations but they're not required for cyber cover. Get the controls right first; the certification follows.
In our experience, the businesses that get the best cyber terms for the lowest premium are the ones who've quietly mastered the five baseline controls — not the ones with the longest list of certifications and tools.
Common questions
What's the single most important control for cyber insurance?
Multi-factor authentication on email and remote access. NZ cyber underwriters now treat MFA as table-stakes — without it, the application is much harder to place, regardless of business size.
Are backups enough on their own?
Backups are necessary but not sufficient. Insurers want tested restoration — proof that you've actually recovered from a backup at least annually. A backup that runs successfully but has never been restored is, from an underwriter's view, theoretical until proven.
Do small businesses really need an incident response plan?
Yes. The bar isn't a 50-page document — it's a written plan that answers four questions in the first 4 hours: who calls whom, where the backups are, which lawyer we call, and which insurer hotline we trigger. A one-page plan that's been read by the team is worth more than a 50-page binder no-one has opened. Many insurers offer a discount for businesses that have run a tabletop exercise in the last 12 months.
What about employee training?
Most NZ cyber claims that don't start at a vendor start with a phished credential or a clicked link. Annual security-awareness training is now expected by underwriters; for higher-risk businesses (finance, professional services), simulated-phishing programmes are increasingly required. CERT NZ publishes free awareness resources that meet the baseline.
We use Microsoft 365 / Google Workspace — is that secure?
Partially. Both have strong default security, but the configuration matters: MFA enforced for all users (security defaults or conditional access in Microsoft 365, 2-Step Verification enforcement in Workspace), conditional access or context-aware access policies, mailbox audit logging confirmed on, legacy authentication protocols that bypass MFA disabled, and a review of which third-party OAuth apps users have consented to. Most NZ SMEs don't fully configure these and rely on the defaults, which is a gap underwriters now ask about.
What to do next
If your business is missing any of the five baseline controls, that's the conversation to have with your IT provider before you start a cyber insurance application — the application gets dramatically easier once the baseline is in place. We can sequence the rollout against an upcoming renewal date if that's helpful. Related reading: cyber risk management beyond the policy · what recent NZ incidents tell us · glossary.
Get a cyber insurance quote
Three quick questions, about 2 minutes. Free, no obligation. Stewart Hunt at FCIB (FSP748591) usually responds within one business day.