Cyber Insurance NZ 2026 — Complete Guide with Verified Wordings
Most cyber-insurance guides paraphrase what insurers say they cover. This one shows the actual policy wording, walks through the eight clauses that decide whether a particular claim is paid, and is operated by a licensed Financial Advice Provider (First Commercial Insurance Brokers Ltd, FSP748591).
Five common cyber-insurance situations
Each of these is a scenario where a specific clause decides whether the policy pays. Pick the one that matches your concern, then get a quote that models your specific exposure.
- Ransomware lockout. Your file servers are encrypted; production is halted. The decision tree on paying vs rebuilding.
- Phishing-driven wire fraud. A staff member transfers a five-figure sum to a fraudster posing as a supplier. The social-engineering clause decides whether it is covered.
- Customer data exfiltration. An attacker exfiltrates a customer database. Privacy Commissioner notification, forensic costs, and credit-monitoring obligations all apply.
- Supply-chain compromise. Your SaaS vendor is breached; your data was on their systems. Whose policy responds, and how.
- Insider incident. A staff member exfiltrates IP on their way to a competitor. Cover for insider acts varies widely.
How cyber insurance fits with the alternatives
Cyber risk has three commercial responses, and the right answer is usually a combination of all three:
- Prevention controls: implementing the CERT NZ Critical Controls — patching, MFA, network segmentation, application allowlisting, backups. Reduces breach probability materially. Free guidance; the spend is on tooling and process.
- Incident-response capability: a tested incident-response plan plus pre-arranged relationships with forensic, legal, and PR specialists. Cuts response time when an incident happens. Cyber insurance bundles much of this as "first response" services (24-hour hotline + panel of pre-vetted forensic firms).
- Cyber insurance: financial transfer of residual risk after controls and response capability are in place. Pays defined incident-response costs, BI losses, and certain liabilities up to policy limits.
Insurance without controls is expensive and increasingly hard to underwrite. Controls without insurance leave you exposed to tail-risk events that exceed your self-fund capacity. Most NZ SMEs above a small revenue threshold need both.
NZ cyber insurance market
The NZ cyber-insurance market has seven main insurers, most underwriting through global parents. Financial-strength ratings below are from each insurer's RBNZ disclosure where available. Wording ingest status is shown — "Data pending" means we have not yet ingested the policy wording for that insurer. To compare NZ cyber insurers side by side, see the plain-English reviews of the six insurers on FCIB's panel.
| Insurer | Underwriting entity | Financial strength | Active products | Review |
|---|---|---|---|---|
| AIG Insurance New Zealand Limited | | — | AIG CyberEdge | Review → |
| Chubb Insurance New Zealand Limited | | — | Chubb CyberCover Plus | — |
| Delta Insurance New Zealand Limited | | — | Delta CyberPro | Review → |
| Dual New Zealand Limited | | — | Dual NZ Cyber | Review → |
| IAG New Zealand Limited (NZI brand) | | — | NZI Cyber | Review → |
| QBE Insurance (Australia) Limited (NZ branch) | | — | QBE Cyber | Review → |
| Zurich Australian Insurance Limited (NZ branch) | | — | Zurich Cyber | Review → |
The eight clauses that decide whether you are covered
Cyber wordings diverge in eight specific places. Each of these is where claims get litigated or denied. Understanding what your specific wording says about each is the difference between a smooth claim and a six-figure surprise:
Ransomware cover
Whether the policy pays a ransom demand, the sublimit, the exclusions for state-sponsored attacks, and the negotiated-payment process.
Data-breach response
Forensic investigation, legal notification cost, Privacy Commissioner notification expense, customer credit-monitoring, and PR costs.
Business interruption
Lost revenue during a cyber incident — waiting period before BI kicks in, per-day cap, indemnity period.
Social engineering / wire fraud
Phishing-driven wire-fraud incidents are commonly sublimited or excluded — the clause is the most-litigated in cyber claims.
War / state-actor exclusion
After NotPetya, every cyber policy added or strengthened a war / state-actor exclusion. Wording varies widely between insurers.
Claims-made vs occurrence
Cyber policies are typically claims-made — the claim must be reported during the policy period or run-off cover. Critical for switching insurers.
Retroactive cover date
Whether incidents that began before the policy started are covered, conditional on no prior knowledge.
Sublimit structure
Cyber wordings commonly use aggregate + per-event + per-category sublimits. The headline limit is rarely the limit that pays.
Industry-specific guidance
Cyber exposure differs materially by industry — data sensitivity, regulatory regime, OT/IT footprint, customer-record volume. These pages cover the practical considerations for each:
Healthcare
Privacy-sensitive data + regulatory exposure (Health Information Privacy Code).
Financial services
FMA / RBNZ regulatory exposure + customer-data sensitivity.
Manufacturing
OT/IT convergence; production-line ransomware risk.
Retail
PCI-DSS payment data exposure + customer-record breach risk.
Education
Student-record privacy + research-data exfiltration risk.
Professional services
Client-data confidentiality (legal / accounting / consulting).
Cyber insurance by region
Geography matters less for cyber than for property cover — but local broker presence, sector concentration, and incident-response logistics differ. Our regional pages cover the practical landscape for each main NZ business region:
Twelve things worth knowing before you buy
The honest answers — including the ones a broker might not lead with. The point of this page is for you to make a good decision, not for us to sell a policy.
1. Implement the CERT NZ Critical Controls first — insurance second
NZ's national cyber security agency publishes a free, regularly-updated list of Critical Controls. Implementing them reduces your incident probability and qualifies you for better cyber-insurance pricing. See the CERT NZ Critical Controls. Insurance is the financial backstop; the controls are the prevention.
2. Cyber insurance does not pay for negligence — it pays for events
A common misconception: cyber insurance "pays out if we get hacked." The reality: it pays for defined incident-response costs (forensics, legal, notification, BI loss, ransom) subject to sublimits and exclusions. It does not pay for routine security upgrades, lost productivity beyond the indemnity period, or reputational damage beyond the BI sublimit. Read the schedule before assuming a number is covered.
3. The headline limit is rarely the limit that pays
Cyber policies use aggregate, per-event, and per-category sublimits. A "$1m policy" may have a $250k ransomware sublimit, a $100k social-engineering sublimit, and a $50k BI per-day cap. The marketing headline is the maximum across all categories combined; what your specific incident triggers is often a fraction. Always read the schedule of sublimits, not the headline.
4. Social-engineering / wire-fraud is the most-litigated cyber clause
Phishing-driven wire fraud — where staff are tricked into transferring money to a fraudster — sits in an ambiguous zone between cyber and crime cover. Most cyber policies sublimit or exclude it; most crime policies sublimit it differently. The single most expensive coverage gap for NZ SMEs is assuming both policies cover the same incident and finding neither does in practice.
5. Claims-made cover means the policy that responds is the one in force when you NOTIFY
Almost every cyber policy is claims-made — the claim must be reported during the policy period (or run-off cover after cancellation). If you switch insurers and discover an incident later that began under the old policy, the new insurer can decline. Either keep the old insurer notified before switching or buy a run-off endorsement.
6. Retroactive date defines whether prior incidents are covered
When you start a new cyber policy, the "retroactive date" decides whether incidents that began before the policy commenced (but are discovered during the policy period) are covered. A retroactive date matching the start date excludes all prior events; an earlier retroactive date offers broader cover but typically only if you had continuous cover with the prior insurer.
7. War / state-actor exclusions are now standard and material
After NotPetya (2017), every cyber insurer added or strengthened a war / state-actor exclusion. The wording varies — some exclude "hostilities, whether or not war declared"; others use the LMA5564 model wording with carve-backs for "cyber operations by sovereign states that disrupt civilian infrastructure". Read the specific exclusion and any carve-backs.
8. NotPetya cost $10b+ globally; the question is how your wording responds
Not all attacks are equal. Targeted incidents against your business sit in one risk bucket; collateral damage from state-actor wiper-style attacks (NotPetya, Sandworm) sits in another. The 2024 cyber market has split policies into "standard cyber" and "systemic event" cover; check which applies to large-scale state-attributed events.
9. Business interruption cover has waiting periods, not deductibles
Most cyber-BI cover starts paying after a "waiting period" (commonly 8 or 12 hours). If your systems are restored before the waiting period ends, BI does not pay anything regardless of how much lost revenue occurred. The waiting period is the BI equivalent of a deductible.
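The two mechanics above (point 3's per-category sublimits and point 9's BI waiting period) are easiest to see as arithmetic on a concrete schedule. The following is an added worked example, not code from this page or from First Commercial Insurance Brokers; it models a hypothetical policy using the $1m / $250k / $100k / $50k-per-day figures from point 3, a 12-hour waiting period, and an assumed 90-day indemnity period. It also assumes that only outage time beyond the waiting period is compensated (the "deductible" reading of the waiting period); real wordings differ on exactly that point, which is why the schedule has to be read rather than inferred.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed example: a cyber policy described by its limit schedule rather
# than its headline. Limit values mirror the illustration in the text; the
# 12-hour waiting period is one of the two common values named, and the
# 90-day indemnity period is an assumption.
@dataclass
class Policy:
    aggregate_limit: float          # headline limit, all categories combined
    sublimits: Dict[str, float]     # per-category sublimits (category -> cap)
    bi_waiting_hours: float         # outage time before BI starts paying
    bi_per_day_cap: float           # maximum BI payable per day of outage
    bi_indemnity_days: int          # maximum days BI continues paying

@dataclass
class Incident:
    losses: Dict[str, float]        # incurred cost by category
    outage_hours: float             # total duration of the cyber-caused outage
    daily_revenue_loss: float       # actual lost revenue per day of outage

SAMPLE_POLICY = Policy(
    aggregate_limit=1_000_000,
    sublimits={"ransomware": 250_000, "social_engineering": 100_000},
    bi_waiting_hours=12,
    bi_per_day_cap=50_000,
    bi_indemnity_days=90,
)

def business_interruption_payable(policy: Policy, incident: Incident) -> float:
    """BI paid under the waiting-period model described in the text.

    Assumption: only outage time beyond the waiting period is compensated
    (the waiting period acts like a deductible); wordings differ on this.
    """
    compensable_hours = max(0.0, incident.outage_hours - policy.bi_waiting_hours)
    compensable_days = min(compensable_hours / 24, policy.bi_indemnity_days)
    daily_paid = min(incident.daily_revenue_loss, policy.bi_per_day_cap)
    return daily_paid * compensable_days

def settle_claim(policy: Policy, incident: Incident) -> Dict[str, float]:
    """Apply per-category sublimits, the BI rules, then the aggregate limit.

    Returns the amount payable per category plus 'total' and 'incurred',
    so the gap between what happened and what pays is visible.
    """
    payable: Dict[str, float] = {}
    for category, cost in incident.losses.items():
        # A category without its own sublimit is bounded only by the aggregate.
        cap = policy.sublimits.get(category, policy.aggregate_limit)
        payable[category] = min(cost, cap)
    payable["business_interruption"] = business_interruption_payable(policy, incident)

    # The aggregate is the ceiling across every category combined.
    total = min(sum(payable.values()), policy.aggregate_limit)
    incurred = (sum(incident.losses.values())
                + incident.daily_revenue_loss * incident.outage_hours / 24)
    return {**payable, "total": total, "incurred": incurred}

if __name__ == "__main__":
    # Constructed incident: ransom plus negotiation, forensics, a wire-fraud
    # loss, and a 60-hour outage at $80k per day of lost revenue.
    incident = Incident(
        losses={"ransomware": 400_000, "forensics": 120_000, "social_engineering": 150_000},
        outage_hours=60,
        daily_revenue_loss=80_000,
    )
    result = settle_claim(SAMPLE_POLICY, incident)
    for key, value in result.items():
        print(f"{key:>22}: ${value:,.0f}")
    # Same losses, but systems restored inside the 12-hour waiting period:
    # BI pays nothing regardless of the revenue lost in those 10 hours.
    quick = Incident(losses=incident.losses, outage_hours=10, daily_revenue_loss=80_000)
    print("BI with 10-hour outage:", settle_claim(SAMPLE_POLICY, quick)["business_interruption"])
```

Run as written, the $870k incurred loss settles at $570k against a $1m headline: ransomware and social engineering are clipped to their sublimits, and only 48 of the 60 outage hours count for BI, at the $50k daily cap rather than the $80k actually lost. Changing the outage to 10 hours drops the BI line to zero, which is the failure mode point 9 warns about.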
10. Privacy Commissioner notification is a legal obligation, not optional
Under the NZ Privacy Act 2020, "notifiable privacy breaches" must be reported to the Office of the Privacy Commissioner and affected individuals. Most cyber policies cover the cost of preparing and sending those notifications, plus the legal advice on what counts as "notifiable". Without insurance, the legal + notification costs alone can run into the low six figures for a sizeable breach.
11. You can buy cyber via a broker or direct — broker is usually cheaper net of advice
Most NZ cyber insurance is broker-distributed. The broker is paid by the insurer (not by you) and has access to multiple insurers' wordings. The combination of negotiated pricing and policy-shopping typically beats the direct-to-consumer rate, especially for SMEs where the policy is non-standard. Requesting a quote through this page compares the FCIB-verified cyber panel.
12. Track the wording — cyber definitions change every renewal cycle
Cyber wordings change faster than any other line of business. Insurers update ransomware exclusions, social-engineering sublimits, war exclusions, and BI waiting periods as the threat landscape shifts. Before renewing each year, ask your broker for the wording-change summary — material changes can shift cover by 30%+ at no change in headline price.
Frequently asked questions
The 24 questions below are the ones NZ businesses actually search for. Answers are factual, sourced where relevant, and link to deeper pages on the technical topics.
1. What is cyber insurance in New Zealand?
A specialty insurance product that covers the financial costs of cyber incidents — ransomware, data breaches, business interruption from cyber attacks, legal and regulatory response, forensic investigation, and certain third-party liabilities. The NZ cyber-insurance market has roughly 7 active insurers (Delta, AIG, NZI, Zurich, QBE, Dual NZ, Chubb), with broker distribution through Member Brokers of Insurance Advisernet NZ Ltd and other licensed FAPs.
2. Do New Zealand SMEs need cyber insurance?
Most NZ SMEs that handle customer data, run online operations, or use cloud-based systems have material cyber exposure. Whether insurance is the right answer depends on: (a) whether the business could absorb a breach-response cost out of cashflow, (b) whether stricter cyber controls (CERT NZ Critical Controls) are already in place, and (c) whether the business is subject to regulatory notification obligations (Privacy Act 2020). For most SMEs above a small revenue threshold, the answer is yes.
3. What does cyber insurance typically cover?
Standard cyber policies cover: forensic investigation, legal counsel and Privacy Commissioner notification costs, customer credit-monitoring, ransomware response (negotiation + payment where legal), business interruption from cyber-caused outages, data-restoration costs, public-relations support, and third-party liability for downstream effects of a breach. Sublimits, exclusions, and waiting periods materially affect what actually pays in each case.
4. What does cyber insurance NOT cover?
Typical exclusions: incidents resulting from failure to maintain reasonable cyber-security standards, prior known incidents (pre-retroactive-date), state-sponsored attacks (war exclusion, varies by wording), criminal acts by senior staff, intellectual-property infringement, and bodily injury / property damage. Social engineering and wire fraud are often sublimited rather than fully covered. Read the specific exclusions in the wording.
5. How much does cyber insurance cost in NZ?
Premiums depend on revenue, industry, data sensitivity, security controls, and prior incident history. We do not publish specific ranges — they vary widely. The most reliable answer is a quote from a licensed broker reviewing your specific business. Get a no-obligation quote.
6. What is the difference between cyber insurance and crime insurance?
Cyber insurance covers incidents originating in a cyber attack (data breach, ransomware, system outage). Crime insurance covers fraud, theft, and employee dishonesty. The overlap is social engineering / wire fraud — where a staff member is tricked into transferring funds to a fraudster. Most cyber policies sublimit this; most crime policies cover it differently. The single biggest gap in NZ SME insurance is assuming the two policies overlap when in practice neither pays.
7. What is the difference between cyber insurance and professional indemnity?
Professional indemnity covers third-party claims arising from professional services (a wrong opinion, a missed deadline). Cyber insurance covers cyber-incident costs (forensics, notification, ransomware, BI). A breach caused by professional negligence may trigger both — which is why business policies often bundle the two with a coordinated wording.
8. Are ransomware payments covered by cyber insurance?
Most NZ cyber policies cover ransomware-incident costs including, in some cases, the ransom payment itself, subject to a defined sublimit and to the payment being legally permissible (sanctions screening). The payment decision is yours — insurers do not require you to pay. Policies cover the costs whether or not the payment is made.
9. Is paying a cyber ransom legal in NZ?
Generally yes, but with caveats. There is no NZ statute prohibiting ransomware payments. However, payments to OFAC-sanctioned entities (some state-sponsored attacker groups) breach US sanctions law if any USD flows are involved, as most do. Specific incidents need legal advice before payment. NZ Police and CERT NZ both publish guidance discouraging payment as a policy stance.
10. Are NZ businesses required to notify the Privacy Commissioner of breaches?
Yes — under the Privacy Act 2020, "notifiable privacy breaches" (where the breach has caused or is likely to cause serious harm) must be reported to the Office of the Privacy Commissioner and affected individuals "as soon as practicable" after becoming aware. Failure to notify is itself an offence. Most cyber policies cover the legal advice + drafting + delivery costs of these notifications.
11. What is the CERT NZ Critical Controls list?
CERT NZ's Critical Controls is a regularly-updated list of essential cyber-security controls (patching, MFA, network segmentation, application allowlisting, etc.) maintained by New Zealand's national cyber-security agency. Implementing them reduces breach probability materially and is usually a prerequisite for cyber-insurance quotes above a small revenue threshold.
12. What is the difference between claims-made and occurrence-based cover?
Claims-made policies respond based on when the claim is reported; occurrence-based policies respond based on when the event occurred. Almost all cyber policies are claims-made — the claim must be reported during the policy period or during run-off cover. This affects what happens when you switch insurers: the new insurer typically does not cover incidents that began under the old policy unless they share the retroactive date.
13. What is a retroactive date?
On a claims-made policy, the retroactive date is the cut-off before which incidents (even if discovered during the policy period) are excluded. If you have had continuous cover, the retroactive date is usually your original inception date. If you are switching insurers, ask the new insurer to match the old retroactive date — otherwise you create a coverage gap for incidents that began before today.
14. Does cyber insurance cover business interruption?
Yes, but with caveats. Cyber-BI cover pays for lost revenue during an outage caused by a covered cyber incident, subject to: (a) a waiting period (commonly 8 or 12 hours) before BI begins paying, (b) a defined indemnity period (commonly 3 to 12 months) capping how long BI continues, and (c) a per-day or aggregate cap. The waiting period is the BI equivalent of a deductible — if you restore systems faster, BI does not pay.
15. What is "social engineering" cover and why does it matter?
Social engineering refers to attacks that trick humans (not systems) into wiring money or releasing data to fraudsters — typically by impersonating senior staff or suppliers via email. NZ businesses lose substantial sums to this each year. Coverage sits in an ambiguous gap between cyber and crime policies; most cyber policies sublimit it (often in the low five-to-six figures), some exclude it entirely. Read the specific clause.
16. What is the war / state-actor exclusion?
After NotPetya (2017), every cyber insurer added or strengthened an exclusion for incidents attributable to nation-state actors or "warlike acts". The wording varies — some exclude any incident attributed to a state, others carve back cover for civilian-infrastructure-targeted incidents. The exclusion matters because most large-scale ransomware and supply-chain incidents are state-attributed by Five Eyes intelligence agencies.
17. How quickly does cyber insurance pay a claim?
For incidents covered by the policy, NZ cyber insurers typically begin paying forensic + legal costs within days of notification — this is the "first response" phase where speed matters most. Larger payments (BI, ransomware) are paid after investigation, typically within weeks. The 24-hour breach-response hotline is the most-valuable practical feature of cyber cover, even before any payout.
18. Can I get cyber insurance if my business has had a prior incident?
Usually yes, but with terms reflecting the history. Prior incidents are typically excluded by name on the new policy; you may also face higher premiums or required controls (MFA, EDR, backup verification). Disclose fully — non-disclosure of prior incidents voids the new policy.
19. Do I need cyber insurance if I am insured for general liability?
General liability (CGL) policies generally exclude cyber events explicitly. NZ business policies that bundle "cyber" cover often have a small sublimit (low five figures) that is insufficient for any material incident. Standalone cyber cover offers materially higher limits and meaningful first-response services. If cyber risk matters to your business, you almost certainly need standalone cover beyond what is bundled in a general business policy.
20. How does cyber insurance interact with ACC?
ACC covers personal injury, not financial loss. Cyber insurance covers financial loss from cyber incidents. The two products do not overlap meaningfully.
21. Is cyber insurance tax-deductible for NZ businesses?
Generally yes — cyber insurance premiums for a business are deductible as a business expense. Speak to your accountant for the specifics of your structure.
22. What is the difference between a broker and going direct?
Most NZ cyber insurance is sold through brokers — licensed Financial Advice Providers (FAPs) who hold agency agreements with multiple insurers. The broker is paid by the insurer, not by you. For SMEs, broker placement typically beats direct-to-consumer because brokers can shop the market, negotiate pricing, and tailor wordings. CIQ is operated by First Commercial Insurance Brokers Ltd (FSP748591), a Member Broker of Insurance Advisernet NZ Ltd.
23. What happens if I do not renew?
Cyber insurance is claims-made — when the policy ends, cover for any future claims ends too. To preserve cover for incidents that began during the policy period but are discovered after expiry, buy "run-off" cover (sometimes called tail cover). Most NZ insurers offer run-off for an additional premium at the time of cancellation.
24. How do I know if my insurer has recently changed the policy wording?
Cyber wordings change every year. When you renew, ask the broker (or insurer if going direct) for a wording-change summary — what altered since last year, dated to the day. Most material risk shifts (ransomware sublimit drops, war-exclusion broadening, social-engineering carve-outs) happen at renewal. If the section higher up this page titled "Recent policy changes" is visible, those are the latest revisions across the cyber wordings we track.
Deep-dive guides
Five guides that go deeper on the regulatory and threat-landscape context behind this page — each cited to the primary NZ source (CERT NZ, NCSC, OPC, FMA, RBNZ, ICNZ):
CERT NZ Quarterly Threat Report
What NZ incident data says about cyber insurance — phishing, ransomware, BEC mapped to cover.
Cyber incident response playbook
Hour-by-hour first-72-hours playbook for NZ SMEs, mapped to CERT NZ, NCSC and OPC obligations.
FMA + RBNZ cyber resilience
Cyber-resilience obligations for NZ financial firms, mapped to policy responses.
ICNZ industry context
Fair Insurance Code, industry data, and dispute-resolution paths for cyber cover.
NCSC + NZISM standard
When NZ's higher security standard matters for cyber-insurance underwriting.
Claiming, and what to do when something goes wrong
Cyber claims hinge on speed. Most NZ cyber insurers provide a 24-hour breach-response hotline — the call you make first puts forensic, legal, and PR specialists on the case within hours. Document everything (timestamps, decisions, communications) from the first detection onward; the records support the claim and reduce disputes about scope.
If the insurer declines a claim you believe should have been covered: start with the insurer's internal complaints process. If unresolved, escalate to FSCL (Financial Services Complaints Limited) — the dispute-resolution scheme First Commercial Insurance Brokers Ltd is a member of. FSCL is free to consumers and can make binding decisions up to a published cap.
For the substantive cyber-incident response — notifying the Office of the Privacy Commissioner, contacting affected individuals, reporting to CERT NZ — follow the published procedures from each agency. Your insurer's first-response panel will assist with the legal and procedural aspects.
A five-step selection checklist
- Implement the CERT NZ Critical Controls first. Insurance pricing and quote availability both depend on them. Free; required.
- Quantify your exposure. Revenue, customer-record count, industry-regulated data, supply-chain dependencies. The premium tier maps to these.
- Compare on the three clauses that matter most: sublimit structure (especially ransomware and social-engineering), war / state-actor exclusion, and claims-made retroactive-date treatment.
- Verify the first-response panel. The 24-hour hotline + panel of forensic / legal / PR firms is the most-used feature of a cyber policy. Quality varies widely.
- Place through a licensed broker who can shop the market, negotiate wordings, and provide ongoing advisory.
References and authoritative sources
- CERT NZ — national cyber-security agency; Critical Controls; incident-reporting.
- NCSC — National Cyber Security Centre (GCSB); state-actor incident guidance.
- Office of the Privacy Commissioner — Privacy Act 2020; notifiable-breach guidance.
- Financial Markets Authority — regulator for licensed Financial Advice Providers.
- FSCL — external dispute resolution for First Commercial Insurance Brokers Ltd.
- ICNZ — Insurance Council of New Zealand; Fair Insurance Code.
Operated by First Commercial Insurance Brokers Ltd (FSP748591), a Member Broker of Insurance Advisernet New Zealand Ltd. Last reviewed 16 June 2026.