Social Engineering and Business Email Compromise — Where NZ Cyber Wordings Pay (and Where They Don't)
Published 18 May 2026 · By Stewart Hunt, FCIB (FSP748591)
According to CERT NZ Quarterly Reports, scams (including business email compromise — BEC — and other social-engineering attacks) are consistently among the highest-financial-impact categories of cyber incidents reported by NZ businesses. CERT NZ's BEC guidance describes the typical attack pattern: an attacker compromises or impersonates a legitimate email account, then redirects an invoice, wire transfer, or payroll payment to attacker-controlled bank details. The financial loss can be in the high six figures from a single successful event. But here's the underappreciated thing: most standard NZ cyber wordings cover the BEC incident response generously and the BEC financial loss itself very narrowly — or not at all. This guide walks the typical coverage shape, the sub-limits to watch, and how to fix the gap.
What BEC and social engineering look like in practice
CERT NZ's BEC patterns boil down to three variants:
- Compromised internal mailbox. Attacker phishes a staff member's M365 or Google Workspace credentials. With access to the mailbox (and often a forwarding rule set up to evade detection), the attacker monitors invoice threads, then at the right moment, sends a message from inside the trusted mailbox redirecting a vendor or customer payment to a new account.
- Compromised vendor or partner mailbox. Same as above but the compromised mailbox belongs to a supplier — typically a longstanding vendor whose emails you trust without verification. Updated bank details land in your inbox and look entirely legitimate; the funds go to the attacker.
- Spoofed-domain impersonation. No actual compromise — the attacker registers a look-alike domain (e.g. yourvendor-nz.com vs yourvendor.co.nz) and sends a polished message that visually matches the real vendor. Particularly effective with executive-impersonation scams ("CEO needs an urgent wire transfer authorised").
NZ Police's cybercrime guidance notes that BEC scams targeting NZ businesses have grown materially over recent years and that recovery is difficult once funds leave NZ banking. International transfers are particularly hard to claw back; even domestic transfers are often gone within hours of crediting the attacker's mule account.
How cyber wordings handle BEC — the typical structure
Open any NZ cyber wording and look for these distinct coverage sections:
- Breach response / event management — covers the forensic investigation, legal advice, notification costs, and PR. Pays when there is a data-access or data-exposure incident. If a BEC starts with a compromised mailbox, breach-response cover responds because credentials were stolen and a mailbox was accessed.
- Cyber crime / social engineering / fraudulent funds transfer — covers the actual financial loss when funds are transferred under fraudulent instruction. This is the section that pays the wire-fraud loss itself. Usually a sub-limit well below the policy's main aggregate limit.
- Cyber extortion / ransom payment — covers ransomware-related payments. Doesn't apply to BEC.
- Network interruption / business interruption — covers lost income during system outages. Usually doesn't apply to BEC unless the attacker has also taken down systems.
In a typical NZ cyber wording, the policy aggregate limit might be $2M-$10M, but the cyber crime / social engineering sub-limit might be only $50,000-$250,000. A $400,000 BEC loss against a $5M policy is paid up to the sub-limit and no further. The remaining loss falls back on the business.
The conditions that often apply to social-engineering coverage
Where social-engineering coverage exists, it usually comes with conditions. Common ones:
- Verification protocol. The policy may require the business to have a written procedure for verifying changes to vendor bank details via an independent channel (phone call to a known number, not just email reply). If the loss occurred because the verification protocol wasn't followed, coverage may be reduced or declined.
- Call-back requirement. Some wordings explicitly require a documented call-back to a previously-known phone number before any change-of-payment-details is actioned. No call-back = no cover.
- Dual-control / two-person approval. For transfers above stated thresholds, two-person approval may be required as a coverage condition.
- Sanctions screening. Standard exclusion — coverage doesn't extend to payments that would breach NZ, US, UK, EU, or UN sanctions.
- Exclusion for losses to known suspicious accounts. If you transferred to an account already flagged in sanctions or fraud-typology databases, coverage may not apply.
Read these conditions carefully. They define a clear standard of care, and a BEC loss that resulted from skipping the standard is harder to recover under the policy than one that occurred despite reasonable controls.
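As an added illustration (not code from this page or from FCIB), a small Python checker that applies the conditions above to a change-of-bank-details request before it is actioned: the look-alike domain pattern from the spoofed-domain variant, a documented call-back to the number already on file, and two-person approval above an assumed threshold of $20,000 NZD (your wording states its own).

```python
from dataclasses import dataclass

# Assumed threshold above which two-person approval is required; wordings state their own.
DUAL_APPROVAL_THRESHOLD_NZD = 20_000.0


@dataclass
class BankDetailChange:
    vendor: str
    known_domain: str        # vendor email domain already on file
    sender_domain: str       # domain of the email requesting the change
    amount_nzd: float        # value of the next payment that would go to the new account
    callback_done: bool      # a call-back was made and documented
    number_from_file: bool   # ...to the phone number previously on file, not one in the email
    approvers: tuple         # staff who approved actioning the change


def lookalike_domain(sender: str, known: str) -> bool:
    """Heuristic: sender is not the domain on file but reuses its first label
    (e.g. yourvendor-nz.com vs yourvendor.co.nz)."""
    if sender == known:
        return False
    label = known.split(".")[0]
    return label in sender.replace("-", "")


def evaluate_change(req: BankDetailChange) -> list:
    """Return the control failures an insurer's conditions ask about; empty list = all met."""
    findings = []
    if lookalike_domain(req.sender_domain, req.known_domain):
        findings.append("sender domain is a look-alike of the vendor domain on file")
    elif req.sender_domain != req.known_domain:
        findings.append("sender domain does not match the vendor domain on file")
    if not (req.callback_done and req.number_from_file):
        findings.append("no documented call-back to the previously known phone number")
    if req.amount_nzd >= DUAL_APPROVAL_THRESHOLD_NZD and len(set(req.approvers)) < 2:
        findings.append("above-threshold payment lacks two-person approval")
    return findings


# Constructed sample: look-alike domain, "verified" only by replying to the email, one approver.
SUSPECT = BankDetailChange("Vendor Ltd", "yourvendor.co.nz", "yourvendor-nz.com", 85_000.0,
                           callback_done=False, number_from_file=False, approvers=("ap.clerk",))
# Constructed sample: real domain, call-back to the number on file, two approvers.
VERIFIED = BankDetailChange("Vendor Ltd", "yourvendor.co.nz", "yourvendor.co.nz", 85_000.0,
                            callback_done=True, number_from_file=True,
                            approvers=("ap.clerk", "finance.manager"))

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("verified", VERIFIED)):
        print(name, evaluate_change(req) or "all conditions met")
```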
The gap between actual exposure and standard sub-limits
For most NZ businesses, the gap between BEC exposure and standard policy sub-limits is the biggest single coverage shortfall in their cyber programme. A qualitative sense of scale:
- Any business with material monthly outbound payments has, in any given month, multiple individual payments large enough that a successful redirection could substantially exceed a standard cyber-crime sub-limit.
- Construction and trades firms paying progress payments to subcontractors carry concentrated single-payment exposure — one redirected payment can be many times the standard sub-limit.
- Professional-services firms paying batch payroll have concentrated batch-level exposure — the whole batch is at risk if payroll-system credentials are phished.
The "right" cyber-crime sub-limit for a business is broadly proportional to the largest single payment that might be at risk, with some buffer for multiple incidents in a year. The standard sub-limits on entry-level NZ cyber wordings are typically below what's realistic for any business with material monthly outbound payments — confirm yours with your broker against your own payment volume.
Closing the gap — options
- Negotiate a higher cyber-crime sub-limit on the cyber policy. Many NZ insurers will offer materially higher sub-limits if the applicant evidences good verification controls. Comes with premium uplift but often modest in dollar terms — your broker can quote both options for comparison.
- Stack a crime policy. A standalone commercial crime / fidelity policy specifically covers wire-fraud / social-engineering / employee dishonesty losses with much higher sub-limits than typical cyber-policy crime extensions. Pricing is separate; combined cyber + crime is the standard structure for mid-sized NZ businesses with material outbound payments.
- Tighten the verification controls. Insurers will price for evidenced controls. A documented call-back procedure, dual-approval for above-threshold transfers, and quarterly staff training on BEC recognition all reduce premium and increase available sub-limit.
- Use bank-side controls. Many NZ banks offer transaction-authorisation tools (Confirmation of Payee equivalents, two-factor approval, hold-and-call-back for new payees). These don't replace insurance but reduce loss probability and severity.
Incident-response when BEC happens
If you discover a BEC has occurred:
- Contact your bank immediately. Same-day recall has the highest success rate; recovery falls sharply after 24-48 hours. NZ banks have anti-fraud teams that can sometimes intercept.
- Notify your cyber insurer's incident-response hotline. Even if the loss is below the cyber-crime sub-limit, the insurer's breach-response cover usually applies to the underlying mailbox compromise (forensic investigation, credential remediation, customer notification if customer data was exposed).
- Report to NZ Police via 105. Cybercrime reports to NZ Police feed national-level intelligence; even small cases contribute to broader pattern analysis. Recovery via Police is rare but not impossible.
- Notify the vendor whose payment was redirected. If the BEC redirected a vendor payment, the vendor never received the money — you still owe them the underlying invoice. Don't forget the contractual obligation.
- If personal information was accessed in the mailbox, assess the Privacy Act 2020 section 117 notification threshold. See our companion guide on serious-harm threshold.
Pre-renewal questions to ask your broker
- What is the current cyber-crime / social engineering sub-limit on my policy?
- What is my realistic monthly outbound-payment exposure that could be redirected by a single BEC?
- What conditions apply to the cyber-crime coverage (verification protocol, call-back requirement, dual approval)?
- Are we evidencing those controls? If not, can we get them documented before renewal to maintain coverage?
- Would stacking a standalone crime policy make sense given my exposure profile?
Primary sources cited in this guide
- CERT NZ — Business Email Compromise guidance (cert.govt.nz)
- CERT NZ / NCSC — Quarterly Cyber Security Insights (ncsc.govt.nz)
- New Zealand Police — Cybercrime guidance (police.govt.nz)
- Companion guide: CERT NZ Critical Controls — what cyber insurers underwrite against
- Companion guide: Privacy Commissioner serious-harm threshold
Disclaimer: This article is general information on insurance mechanics, not personalised insurance advice. The sub-limit and condition specifics in this guide reflect typical NZ wording structures, not any individual policy — read your own wording for the controlling terms. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591). FCIB Disclosure Statement.
Right-size your cyber-crime sub-limit
We'll review your current sub-limit against your real outbound-payment exposure and recommend whether to negotiate up or stack a crime policy. Free, no obligation.