Understanding Cyber Insurance Coverage — What's In, What's Out, What to Read

By Stewart Hunt, Insurance Adviser at First Commercial Insurance Brokers Ltd (FSP748591)

Two New Zealand cyber policies with the same $1M aggregate limit can pay out very differently. The headline number on the cover sheet is the easy part — the underwriting that matters happens in the sublimits, exclusions, and trigger language buried inside. This is a practical reading guide.

First-party vs third-party — the foundational split

Cyber insurance covers two distinct kinds of loss. First-party pays for what the cyber event costs you: forensic investigation, ransom payment (subject to sanctions screening), business interruption, system restoration, customer notification, PR. Third-party pays for what others recover from you: privacy lawsuits, network security liability claims, regulatory investigations.

Most NZ buyers focus on first-party because that's where the immediate cash outflow happens during an incident. But third-party is what saves you from a class action two years later when affected customers organise. A good policy covers both halves; a thin policy is mostly first-party with token third-party limits.

The first-party covers, in detail

Event response

The event response section is the operational heart of a modern cyber policy. It pays for forensics, legal advice, PR, customer notification, and credit monitoring — usually drawn from the insurer's pre-approved panel. The panel matters: trying to use your own consultants without insurer sign-off can void the cover. Sublimits typically scale with the number of affected individuals on the notification side.

Cyber extortion

Cyber extortion covers ransom payment, negotiation services, and decryption support. Insurers will engage their pre-approved ransomware negotiator before any payment is authorised, and sanctions screening is mandatory — meaning the insurer must verify the recipient isn't on a sanctions list before any cryptocurrency transfer. Whether you should pay is a separate question — most policies also pay for restoration if you choose not to.

Business interruption

Business interruption covers income lost while systems are down. Two numbers matter inside this section: the waiting period (typically 6–24 hours — an outage shorter than the waiting period isn't paid at all) and the indemnity period (how long the cover continues — 3, 6, or 12 months in NZ). For SaaS-dependent businesses, also check whether contingent BI is included to cover a vendor outage that hits you.

Restoration costs

Restoration costs rebuild your data and systems after an incident. This is paid even if you choose not to pay any ransom. Most policies require restoration to be done by the insurer's panel; some allow your in-house team if pre-approved.

Cyber crime

Cyber crime covers direct financial loss from business email compromise, social engineering, and fraudulent funds transfer. This is almost always sublimited — sometimes heavily — and the underwriting question that drives the sublimit is whether you have a documented out-of-band verification step for bank-detail changes.

The third-party covers, in detail

Privacy liability covers claims from individuals whose personal data was exposed. Network security liability covers claims from third parties whose systems were damaged by an attack that propagated through yours. Regulatory defence covers the legal cost of engaging with the Privacy Commissioner, FMA, RBNZ, or sector regulators during an investigation. Where legally insurable, regulatory penalties are also covered (NZ Privacy Commissioner penalties are presently low; GDPR fines for NZ businesses with EU customers are a different conversation).

Reading the sublimits — what to actually compare

When comparing two NZ cyber policies, the headline limit tells you almost nothing. The numbers that determine the policy's real value are:

  • Cyber crime sublimit. Often capped at $50K–$500K against a $1M aggregate. If your business sends or receives high-value invoices, this is where you'd discover a thin policy.
  • Notification costs sublimit. Typically scales by number of affected individuals; a low cap can run dry on a large breach.
  • Ransom sublimit. Some policies cap ransom at 10–25% of the aggregate limit.
  • BI waiting period. 6 hours vs 24 hours can be the difference between an afternoon outage being claimable or not.
  • Defence costs treatment. "In addition to" the limit (defence funded separately, full limit left for settlement) vs "within" the limit (defence erodes what's left for settlement).
  • Excess (deductible). Per-claim or aggregate, and what triggers it.

Comparing two policies on these six numbers is more useful than comparing the marketing pages.

What's commonly excluded

Standard exclusions to look for in NZ wordings include:

  • The war exclusion — refined in recent years to address state-sponsored cyber attacks. Read your policy's specific carve-outs.
  • Pre-existing breaches the insured knew about and didn't disclose at application.
  • Intentional acts by senior officers (the policy doesn't cover deliberate fraud by a director).
  • Patent and intellectual-property infringement (this is not what cyber covers).
  • Physical bodily injury (a different policy entirely).
  • Tech firms' professional errors-and-omissions exposure (needs Tech E&O alongside cyber).
  • Voluntary shutdowns where the resulting BI loss isn't tied to a covered cyber event.

Common questions

What's the difference between first-party and third-party cyber insurance?

First-party cover pays your own losses — forensics, ransom, business interruption, restoration. Third-party cover pays claims that other people bring against you — privacy lawsuits, network security liability, regulatory defence. Most NZ buyers focus on first-party first because that's where the immediate cash outflow happens, but third-party is what protects you from a class action two years after the breach.

What is a sublimit and why does it matter?

A sublimit is a cap on a specific section of the policy that's lower than the overall limit. Common sublimited sections include cyber crime (BEC / fraudulent transfer), notification costs, ransom payment, and PR. Two policies with identical $1M aggregates can deliver very different recovery experiences once you compare sublimits.

Are defence costs included in the limit?

Depends on the wording. Defence costs can be 'in addition to' the policy limit (you get the full limit for settlement, plus separately funded defence) or 'within' the limit (defence eats the limit, leaving less for settlement). On a contested claim, the difference is six figures.

What's normally excluded from a cyber policy?

Standard exclusions include the war exclusion (refined recently for state-sponsored attacks), pre-existing breaches you knew about and didn't disclose, intentional acts by senior officers, IP infringement claims, and physical bodily injury. Tech firms generally need Tech E&O alongside cyber to cover errors-and-omissions exposure that pure cyber doesn't reach.

Does cyber insurance cover business email compromise?

Most policies do, but BEC sits inside cyber crime cover — usually a sublimited extension, not the core cyber section. The application question that matters most is whether you have a documented out-of-band verification step for bank-detail changes; without it, the claim is harder to defend.

What to do next

When we shop the market for a client, we ask insurers for a structured comparison on the six numbers above — not just headline pricing. If you'd like that for your business, start with the 3-step quote (about 2 minutes) or the long-form for detailed underwriting.

Get a cyber insurance quote

Three quick questions, about 2 minutes. Free, no obligation. Stewart Hunt at FCIB (FSP748591) usually responds within one business day.