Cyber Risk Management for NZ Business — Beyond the Insurance Policy

By Stewart Hunt, Insurance Adviser at First Commercial Insurance Brokers Ltd (FSP748591)

Cyber insurance is a treatment, not a strategy. The strategy is cyber risk management — the discipline of identifying which risks matter, assessing how big they are, deciding what to do about them, and watching how that picture changes. Done well, it turns cyber from a tech preoccupation into a board conversation. Done badly, it leaves a business surprised by both incidents and insurance applications.

The four-step cycle

ISO 31000 — the international risk-management standard — describes risk management as a continuous cycle: identify, assess, treat, monitor.[1] Applied to cyber:

1. Identify the risks

For most NZ businesses, the meaningful cyber risks are: a phished credential leading to email or system compromise; ransomware encrypting operational systems; a privacy breach involving customer data; a vendor outage taking your business offline; and business email compromise leading to fraudulent payments. The CERT NZ Top 11 Cyber Security Risks document is a good NZ-specific starting list.[2]

Identification has to be specific to your business. A SaaS-heavy professional services firm has different exposures from a manufacturer with operational technology, which has different exposures again from a healthcare practice. Generic lists are a starting point — the real work is mapping them to your systems.

2. Assess likelihood and impact

Two simple questions for each identified risk: how likely is it (low / medium / high) and how big is the impact in dollars and operational disruption if it happens? You don't need a complex matrix; you need an honest discussion at the executive level. The risks that score high on both axes are where attention belongs.

3. Treat the risks

Four standard treatment options: accept the risk (consciously, after consideration), mitigate it through controls, avoid it (stop doing the thing that causes it), or transfer it via insurance or contractual mechanisms. Most cyber risks need a combination — controls reduce frequency and severity; insurance transfers the residual financial exposure that controls can't eliminate.

4. Monitor

The picture changes. Vendors get breached, threat actors evolve, your business adds systems and people. A meaningful cyber risk-management process reviews the picture annually as a minimum, and on material change in between (new system, new vendor, post-incident, regulatory shift). The annual review usually pairs nicely with cyber insurance renewal because the same information is needed for both.

Where insurance fits in

Cyber insurance is a transfer mechanism for the financial impact of cyber events you can't fully prevent. The cleaner version of the conversation is:

  • Inherent risk — what you'd face with no controls in place at all.
  • Residual risk — what remains after your controls are working.
  • Insurance — transfers part of that residual risk's financial impact to an insurer.
  • Retained risk — what's left after both controls and insurance, which the business carries.

A good cyber insurance placement is sized to make sure the retained risk is something the business can absorb without existential threat. A bad placement either over-insures areas you've already controlled well, or under-insures areas where the residual risk is large.

Who should own cyber risk in an NZ business

Ultimately the board or owner. The pattern that consistently fails is when cyber is treated as a tech problem owned by IT and never makes it onto the executive agenda. By the time it does — usually after an incident — the conversations are reactive and expensive.

Operationally, a named senior leader — typically the CFO, COO, or GM in an SME — needs visibility into:

  • The current top 5 cyber risks and their treatment status.
  • Recent incidents (including near-misses) and what was learned.
  • Status of the five baseline controls (MFA, backups, EDR, an incident response plan (IRP), patching).
  • Vendor risk register and any vendor incidents.
  • Insurance position — limit, sublimits, exclusions, renewal date.

For listed companies, NZX continuous-disclosure obligations and FMA expectations add a regulatory layer; for licensed financial advice providers (like FCIB itself), the FMA's operational-resilience expectations apply.

A simple risk register for NZ SMEs

A cyber risk register doesn't need to be complex. A spreadsheet works. Each row captures: risk description, current likelihood, current impact (dollars + operational), treatment in place, residual risk, owner, last reviewed date. Five to fifteen rows cover most NZ SMEs. Review at the executive table at least annually.

The discipline is more important than the tooling. A reviewed-and-discussed spreadsheet beats a sophisticated GRC platform that no-one opens.
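As an added illustration (not FCIB's template or code), the spreadsheet register described above can be checked mechanically: the script below loads a constructed register with the article's columns, ranks rows by residual score for the "top 5" executive view, and flags rows that have missed the annual review minimum. The 1-3 scoring scale and the sample rows are assumptions.

```python
"""Cyber risk register checks: top-N ranking and overdue-review flagging.
Added example for this article; column names follow its row layout,
the scoring scale and the sample rows are constructed assumptions."""
import csv
import io
from datetime import date

# Article's low / medium / high scale mapped to 1-3 (assumed scoring).
SCALE = {"low": 1, "medium": 2, "high": 3}
REVIEW_DAYS = 365  # the article's "annually as a minimum"

# Constructed sample register (a real one would live in the spreadsheet).
SAMPLE_CSV = """risk,likelihood,impact,treatment,residual_likelihood,residual_impact,owner,last_reviewed
Phished credential -> email compromise,high,high,MFA + phishing training,low,high,CFO,2024-11-02
Ransomware on operational systems,medium,high,Offline backups + EDR,low,medium,COO,2023-06-15
Privacy breach of customer data,medium,high,Access review + encryption,low,medium,GM,2024-09-20
Vendor outage,medium,medium,Contract SLA + failover plan,medium,low,COO,2024-03-01
Business email compromise payment fraud,high,high,Dual approval on payment changes,low,medium,CFO,2022-12-10
"""


def load_register(text):
    """Parse the CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def score(likelihood, impact):
    """Simple likelihood x impact score on the 1-3 scale."""
    return SCALE[likelihood.lower()] * SCALE[impact.lower()]


def overdue_reviews(rows, today):
    """Rows whose last review is older than the annual minimum, oldest first."""
    stale = [r for r in rows
             if (today - date.fromisoformat(r["last_reviewed"])).days > REVIEW_DAYS]
    return sorted(stale, key=lambda r: r["last_reviewed"])


def top_risks(rows, n=5):
    """Rank by residual score, then inherent score, for the executive summary."""
    key = lambda r: (score(r["residual_likelihood"], r["residual_impact"]),
                     score(r["likelihood"], r["impact"]))
    return sorted(rows, key=key, reverse=True)[:n]


if __name__ == "__main__":
    rows = load_register(SAMPLE_CSV)
    for r in top_risks(rows):
        print(f"{r['risk']}: residual {score(r['residual_likelihood'], r['residual_impact'])}, owner {r['owner']}")
    for r in overdue_reviews(rows, date.today()):
        print(f"OVERDUE REVIEW: {r['risk']} (last reviewed {r['last_reviewed']})")
```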

Connecting risk management to insurance applications

If you've genuinely done the cyber risk-management work, the insurance application is dramatically easier. The application is essentially asking: have you identified your risks, what controls are you running, and what residual exposure are you trying to insure against?

Businesses that bring a current risk register, an IR plan, and a clean control summary to the application get faster terms, better pricing, and broader cover. Businesses that haven't done this work get slower placements, more questions, and tighter exclusions. The cost of doing the risk-management work pays for itself in lower insurance friction alone — without counting the actual incidents avoided.

Common questions

Is cyber risk management the same as cybersecurity?

No — cybersecurity is the technical layer (controls, tools, training). Cyber risk management is the business discipline of identifying, assessing, treating, and monitoring the risks that cybersecurity is designed to address. Cyber insurance sits inside the 'treating' step as the transfer option, alongside accept, mitigate, and avoid.

Who should own cyber risk in an NZ business?

Ultimately the board or owner. Operationally, a senior leader — often the CFO, COO, or GM — needs visibility, not just IT. The pattern that fails is when cyber risk is treated as a tech problem and never makes it onto the executive agenda.

What's a good NZ-relevant framework?

ISO 31000 for the risk-management process, complemented by the CERT NZ Top 11 Cyber Security Risks and Critical Controls publications for NZ-specific threat patterns and controls. The NIST Cybersecurity Framework is also widely used and translates well to NZ contexts.

How often should we review cyber risk?

Annually as a minimum, plus on material change — new system, new vendor, new product line, post-incident, or regulatory change. The annual review usually pairs nicely with insurance renewal because the same information is needed for both.

How does insurance fit into the risk-management process?

Insurance is a treatment — specifically risk transfer. It's used for risks that you can't fully prevent (residual risk after controls), where the financial impact of an event is large enough to threaten the business, and where transferring some of that financial impact to an insurer is more economic than self-insuring. It's not a substitute for controls.

What to do next

If your business doesn't yet have a current cyber risk register and a designated owner, that's the conversation to have at the next executive meeting — and we're happy to send through a one-page template if it's useful. Once the discipline is in place, the insurance conversation gets dramatically easier.