Recent Cyber Attacks in New Zealand — What They Tell Insurers, and Buyers

By Stewart Hunt, Insurance Adviser at First Commercial Insurance Brokers Ltd (FSP748591)

CERT NZ publishes quarterly reports on the cyber-security incidents reported by New Zealand businesses. The reports are dry on first read but they tell a clear story when you flatten them out across the last few years — and that story is the basis for everything an underwriter is doing on your application.

What CERT NZ Quarterly Reports actually show

CERT NZ's published reports cover incidents voluntarily reported by NZ businesses and individuals. The headline categories that consistently top the list are phishing and credential harvesting, scams and fraud, unauthorised access, malware (including ransomware), and website compromise. The financial-harm column is where the real story sits — phishing reports outnumber ransomware reports by orders of magnitude, but ransomware accounts for a far larger share of the dollars lost.

Three patterns hold across reports for the last several years:

  • Entry vectors are stable. Most attacks still start with a phished credential or an exposed remote-access service. Novel techniques attract headlines, but the routine pathway hasn't changed.
  • Financial harm is growing. The legal, notification, and PR work that follows a breach has become more demanding under the now-mature Privacy Act 2020 regime. Same incident, more cost.
  • Small business is increasingly targeted. Ransomware-as-a-service has significantly lowered the floor for what counts as a worthwhile target.

The shape of an NZ ransomware claim today

A typical NZ ransomware incident in the last 12 months — drawn from observed claim patterns, not any specific client — looks like this:

  • Initial access: a credential phished from a finance or admin user, or a public-facing remote-access service exposed without MFA.
  • Dwell time: several days to weeks before encryption — attackers take their time, exfiltrating data and disabling backups before the ransomware deploys.
  • Encryption + exfiltration: "double extortion" is now standard. The attacker encrypts your systems AND threatens to publish stolen data even if you can restore from backup.
  • Ransom demand: tens of thousands to low millions of NZD, denominated in cryptocurrency, with a 24–72 hour countdown.
  • Recovery: 5–14 days of meaningful operational disruption even with good backups; longer if backups were also compromised.
  • Notification trigger: if any personal information was exfiltrated, both the Privacy Commissioner and the affected individuals need to be notified.

The total cost — forensics, legal, notification, PR, ransom (if paid), business interruption, restoration — typically lands between $200K and $2M for an SME, with the majority concentrated in the first three weeks.

The supply-chain shift

A growing share of NZ cyber claims has a vendor at its root. The pattern: a SaaS provider, MSP, or payment processor used by your business is breached, and your customer data is exposed through that vendor. You inherit the notification obligation under the Privacy Act 2020 because you are the agency that "holds" the personal information — even though you weren't the one who lost control of it.

Insurance has adapted: contingent business interruption and contingent event response wordings now appear as standard in most NZ mid-market policies, where five years ago they were optional extensions. The application questions have followed: insurers want to see your critical-vendor list and the contractual breach-notification clauses you have in place.

An illustrative scenario from the last 12 months

Illustrative scenario — Vendor breach with downstream impact

A 25-person NZ marketing agency uses a popular international email-marketing platform. The platform discloses a breach affecting customer-list data — names, email addresses, business names — for several thousand of its customers, including the agency. The agency's customer list (≈8,000 contacts at NZ small businesses) was exposed.

Even though the breach happened at the vendor, the agency holds the relationship with its customers. Under the Privacy Act 2020, the agency assesses the breach as notifiable (likely to cause harm via spam / phishing targeting their contacts), notifies the Privacy Commissioner, and notifies affected customers. The contingent event response section of the cyber policy pays for forensics liaison with the vendor, legal advice on the notification, customer-facing comms, and a small block of business-interruption recovery time. Total cost ~$60K. Excess of $5K applies. Outcomes vary by policy and circumstances.

What's shifting next — three watchpoints

Looking forward 12–24 months, three shifts are worth tracking:

  • AI-assisted phishing. Phishing emails are getting harder to spot. Voice deepfakes for CEO-impersonation calls are not theoretical any more. Out-of-band verification for bank-detail changes — and any unusual instruction — is the practical defence.
  • Privacy Commissioner enforcement maturity. Five years into the Privacy Act 2020, the Commissioner has built a body of expectations around how breaches should be assessed and notified. Expect closer scrutiny of late or incomplete notifications.
  • Cyber insurance tightening. Insurers are not loosening the controls they ask for. If your business is renewing without MFA, tested backups, and a documented incident response plan (IRP), expect either a much harder placement or premium increases.

Common questions

What's the most common type of cyber attack on NZ businesses?

CERT NZ Quarterly Reports consistently show phishing and credential abuse as the dominant entry vectors, followed by exposed remote-access services. The headline-grabbing ransomware events almost always start with one of these.

Are NZ businesses bigger targets now than five years ago?

The volume of attempted attacks has grown, but the more important shift is in financial harm — the cost of resolving an incident has climbed because notification, legal, and PR work has become more demanding. NZ businesses today face the same threat actors as their overseas peers, often with thinner defences.

How do supply-chain attacks affect NZ businesses?

Materially. A meaningful share of CERT NZ's reported financial harm in any quarter originates upstream — at a SaaS vendor, MSP, or payment processor — rather than at the affected business itself. Supply-chain and contingent business interruption wordings have moved from optional to baseline for most mid-market quotes.

Does insurance pay out if an attack came from a state actor?

Most NZ wordings now have refined war exclusion language addressing state-sponsored cyber attacks. The exact carve-outs vary — read your policy. Generally, attacks from organised criminal groups (even if the group has loose state ties) are covered; attacks attributed to a state actor as part of a recognised conflict may not be.

What should NZ business owners watch for next?

Three trends our clients are talking about: AI-assisted phishing (more convincing, harder for staff to spot), ransomware-as-a-service driving smaller-business targeting, and the gradual maturity of the Privacy Commissioner's enforcement under the Privacy Act 2020. All three push toward stronger controls and broader cover.

What to do next

Read the most recent CERT NZ Quarterly Report and ask yourself which of the dominant attack categories your business is most exposed to. Then come and have the cover conversation.

Get a cyber insurance quote

Three quick questions, about 2 minutes. Free, no obligation. Stewart Hunt at FCIB (FSP748591) usually responds within one business day.