ICNZ — Reading the NZ Insurance Industry's Cyber-Risk Posture

The Insurance Council of New Zealand (ICNZ) is the industry body that represents most general insurers operating in New Zealand. ICNZ publishes industry data, advocacy positions, and most importantly for consumer-facing brokers, the Fair Insurance Code — the binding code of conduct most NZ general insurers commit to. For cyber-insurance buyers, understanding ICNZ's role helps in three ways: it sets a floor for insurer conduct on claims, it explains industry-wide premium-cycle dynamics, and it provides industry-level data that complements CERT NZ's incident-level data.

What ICNZ is and who it represents

ICNZ is a membership organisation whose members write the substantial majority of NZ general-insurance premium. Members include the large composite insurers (IAG NZ trading as State / AMI / NZI, Vero, Tower, Suncorp NZ trading as Vero, AA Insurance), specialty cyber insurers operating in NZ (Delta Insurance, Chubb NZ, AIG NZ, Berkshire Hathaway NZ, FM Global), reinsurers, and Lloyd's of London representation. ICNZ does not represent life insurers (that's the Financial Services Council) or health insurers (that's a separate sector body).

ICNZ's relevance for cyber-insurance buyers comes from three things:

1. The Fair Insurance Code. A binding code of conduct that ICNZ members commit to. Among other things, it sets timeliness expectations on claims acknowledgement, decision-making, and communication. The Code is enforced through ICNZ's complaints process and ultimately through the Financial Services Complaints Limited (FSCL) or Insurance & Financial Services Ombudsman (IFSO) external dispute-resolution schemes.
2. Industry advocacy and submissions. ICNZ makes submissions to Government on regulatory matters affecting the industry — Privacy Act amendments, Cyber Resilience Strategy work, insurance contracts law reform. These submissions are public and reveal the industry's view on changes that affect cyber-insurance availability and pricing.
3. Industry data. ICNZ publishes industry-wide premium and claims statistics, including for cyber and financial-lines classes where available. These data points give a market-level view that complements per-insurer underwriting decisions.

The Fair Insurance Code in the cyber context

The Fair Insurance Code applies across all classes of general insurance written by ICNZ-member insurers. For cyber claims specifically, the relevant provisions cover:

• Claim acknowledgement timeliness. Members commit to acknowledging a claim within working days, not weeks. For cyber, where the incident-response clock is measured in hours, this matters: your insurer's claims hotline should be answering immediately, and the first claims handler should be acknowledging the file the same day.
• Claim decision timeliness. The Code commits members to making decisions in reasonable timeframes and communicating progress. Cyber claims are typically more complex than property or motor claims — the forensic investigation, breach-assessment, and regulatory-engagement phases each take time. But the Code's expectation is clear communication, not "we'll get back to you when we can".
• Reasons for declines. If a cyber claim is declined or partially declined, the Code requires the insurer to provide written reasons referencing the policy provisions relied on. This is critical for cyber claims, where declines often turn on sub-limit interpretation, sanctions screening, or causation analysis.
• Complaints handling. The Code requires a fair, accessible complaints process. If you're unhappy with a claim handling decision, you have an in-house escalation path and, if that fails, an external dispute resolution body (FSCL or IFSO depending on the insurer).

The Code doesn't override the policy wording — coverage is what the policy says. But it sets expectations for how the wording is interpreted and applied. For cyber-insurance buyers, the Code is useful as a baseline of professional conduct you can expect from any ICNZ-member insurer and as a starting point if a claim experience falls below that baseline.

Industry-cycle context

Cyber insurance globally has been through a complete market cycle in the last 8 years: a soft market in the late 2010s with broad terms and low premiums; a hard market 2020-2023 driven by ransomware losses, with premium rises, capacity withdrawal, and tightened wordings; and a stabilising market from 2024 with new capacity entering and pricing levelling off.

NZ has tracked the global cycle with some lag and some local idiosyncrasies. ICNZ's industry data and member commentary help explain where in the cycle the NZ market currently sits. Some recurring themes from ICNZ publications and industry forums:

• Ransomware is the dominant driver of cyber loss-ratios. Industry-level data points consistently identify ransomware as the highest-severity, highest-cost claim category. Underwriting questions have tightened materially around backup posture, MFA coverage, and incident-response readiness.
• Cyber capacity is volatile. NZ cyber-insurance capacity (the maximum aggregate limit available across all insurers) is influenced by global reinsurance treaties. When reinsurance markets tighten, NZ aggregate availability tightens too. ICNZ tracks this at industry level.
• Standalone cyber outperforms cyber-as-extension. Cyber covers offered as an extension to general property/liability policies have generally been narrower than standalone cyber wordings. Most NZ specialists recommend standalone for any business with material data, payment workflows, or business-interruption exposure.
• Privacy-Act-related claims have grown. Since the Privacy Act 2020 introduced mandatory notification, the proportion of cyber-claim costs spent on breach-response legal advice, notifications, and regulatory defence has grown. This shows up in policy wording emphasis as well — most insurers have expanded their breach response coverage sections.

What ICNZ publications and submissions reveal

ICNZ's public submissions to Government give cyber-insurance buyers an insider view of where the industry sees regulatory pressure points:

• Privacy Act amendments and consultation submissions reveal industry concerns about notification thresholds, regulator-engagement obligations, and the interaction between Privacy Commissioner powers and insurer subrogation rights.
• Cyber Resilience Strategy submissions (where Government has consulted on national cyber-resilience approaches) reveal industry views on critical-infrastructure designation, mandatory reporting, and the role of insurance in incentivising security uplift.
• Insurance Contracts Law reform submissions reveal industry views on duty-of-disclosure changes, claims-handling obligations, and other reforms that affect cyber-policy wordings.

Read alongside the CERT NZ Quarterly Reports (incident-level data), the NCSC Annual Cyber Threat Report (nationally-significant incidents), and ICNZ industry context (premium and capacity dynamics), an informed NZ cyber-insurance buyer can triangulate between threat data, regulatory direction, and market conditions.

Practical takeaways for NZ cyber-insurance buyers

1. Check that your insurer is an ICNZ member. Most NZ cyber insurers are; if your broker is recommending a non-member, ask about the dispute-resolution path and conduct expectations. NZ-licensed insurers operating outside ICNZ aren't unusual, particularly some Lloyd's syndicates and specialist MGAs — they have their own conduct frameworks, but ICNZ membership is a convenient shorthand for NZ-market alignment.
2. Read the Fair Insurance Code commitments before signing. Specifically the claims-timeliness and complaints provisions. If a cyber claim happens, these are the touchstones you'll reference.
3. Understand the dispute-resolution path. FSCL (which covers FCIB's adviser activities — see fscl.org.nz) and IFSO (which covers most NZ general insurers — see ifso.nz) are the external dispute resolvers. Free, accessible, and binding on insurer side up to certain limits.
4. Track market-cycle indicators. ICNZ's industry commentary and member-level announcements (capacity tightening, capacity entering, wording changes) signal where premiums and terms are heading. If you're at renewal during a tightening cycle, expect questions and remediation requests; if you're at renewal during a stable cycle, the conversation is gentler.
5. Use industry context to ground specific policy decisions. When an insurer says "our backup-related sub-limit is $X" or "we exclude ransomware payments without 48-hour notice", industry context helps you assess whether that's market-standard or unusually narrow. Your broker should be able to translate.

Primary sources cited in this guide

• Insurance Council of New Zealand (icnz.org.nz)
• ICNZ — Fair Insurance Code (icnz.org.nz)
• CERT NZ / NCSC — Quarterly Cyber Security Insights (ncsc.govt.nz)
• NCSC New Zealand — Annual Cyber Threat Report (ncsc.govt.nz)
• Financial Services Complaints Limited (fscl.org.nz)

Disclaimer: This article is general information, not personalised insurance or regulatory advice. The Fair Insurance Code and ICNZ publications are authoritative — read them directly for any specific question. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB's external dispute resolution is provided by FSCL. FCIB Disclosure Statement.