Cyber Insurance Glossary
Plain-English definitions of 61 cyber-insurance and cyber-risk terms used by New Zealand businesses, written for non-specialists. General information only — not personalised financial advice.
A
- AAOIFI: Standards body for Islamic finance — referenced here only because some NZ Islamic-finance clients ask whether cyber cover meets their compliance framework. Cyber policies are conventional; consult an AAOIFI-aware adviser.
- Aggregate limit: The maximum a policy will pay across all claims in a policy period (usually 12 months). Compare with per-claim sublimits, which cap individual events.
- Annual cyber risk review: A yearly check of your security posture, claim history, and coverage adequacy. Most insurers expect renewal applications to reflect any material change since the last review.
- API breach: Unauthorised access through a public or partner application programming interface — increasingly the entry point for SaaS and integration-heavy businesses.
B
- Business email compromise (BEC): A social-engineering attack where a criminal impersonates a senior executive or supplier to redirect a payment or extract sensitive data. Cyber policies vary widely on whether BEC losses fall under "cyber crime" or are excluded — check the wording.
- Business interruption (cyber): Coverage for income lost while your systems are down following a covered cyber event. Look for the waiting period (typically 6–24 hours) and whether contingent BI (a supplier outage that hits you) is included.
- Backup: A separate copy of your data, ideally offline or in immutable storage, that lets you recover after ransomware. Most insurers now require demonstrable backups and tested restoration before they'll quote.
- Brick coverage: Pays to replace hardware that has been bricked (rendered unusable) by a destructive cyber attack — relevant for OT and IoT-heavy businesses.
C
- Cyber liability: Third-party coverage: pays claims made against you for failing to protect data or systems. Distinct from first-party covers (your own losses).
- Cyber crime cover: Reimbursement for direct financial loss from fraud, BEC, social engineering, or unauthorised funds transfer. Often a sub-limited extension, not a core policy section.
- Cyber extortion: Cover for ransom payments and the costs of negotiating with attackers. Insurers typically require their pre-approved negotiator to be involved.
- CERT NZ: New Zealand's government computer emergency response team. Publishes quarterly reports on incident trends — a primary public source for NZ cyber risk data.
- Compromised credentials: Usernames and passwords stolen via phishing, breach, or malware. Most ransomware incidents start here.
D
- Data breach: Loss, theft, or unauthorised disclosure of personal information you hold. Triggers Privacy Act 2020 notification obligations if it causes serious harm.
- Deductible (excess): The amount you pay before the policy responds. NZ cyber excesses typically range from $5,000 (SME) to $250,000+ (enterprise).
- Defence costs: Legal expenses to defend a claim. Some policies pay defence "in addition to" the limit; others pay it "within" the limit (eroding what's available for settlement).
- Distributed denial of service (DDoS): An attack that floods your systems with traffic to make them unavailable. Often covered under business interruption.
E
- Endpoint detection and response (EDR): Security software on devices that detects and blocks suspicious behaviour. Increasingly a baseline insurer requirement.
- Encryption (in transit / at rest): Scrambling data so only authorised parties can read it. Insurers ask whether sensitive data is encrypted both when stored and when moving between systems.
- Event response coverage: Pays for the immediate post-incident services: forensics, legal, PR, customer notification, credit monitoring.
F
- First-party cover: Pays your own losses (BI, ransomware payment, restoration costs). Distinct from third-party cyber liability.
- Forensic investigation: Specialist work to determine how a breach happened, what was accessed, and whether attackers still have access. Insurers usually require their preferred forensics firm.
- FMA: Financial Markets Authority — the NZ regulator overseeing financial advisers, including insurance brokers like FCIB.
- FSCL: Financial Services Complaints Limited — a free, independent dispute-resolution scheme for clients of financial advisers. FCIB is a member.
- FSP register: Public register of all NZ Financial Service Providers maintained by the Companies Office. Search for "FSP748591" to find First Commercial Insurance Brokers Ltd.
H
- Hacker attack: Casual term covering everything from automated brute-force attempts to targeted intrusions. Insurance language usually distinguishes between malicious access, malware, ransomware, and social engineering.
I
- Incident response plan (IRP): A documented, tested plan for what your team does in the first 72 hours of a cyber incident. Insurers often discount premium for businesses with a current, tested IRP.
- Indemnity period: How long the policy will pay business interruption after a covered event. NZ cyber typically offers 3, 6, or 12 months.
- Insurance Advisernet New Zealand Ltd: The insurance brokerage network FCIB belongs to as a Member Broker. Provides access to multiple insurer agreements and a back-office claims function.
K
- KAM (Key Audit Matter): Auditor-flagged area of significant judgement in a financial statement. Sometimes referenced when underwriters assess listed-company applicants.
L
- Law firm exposure: The combination of professional services, privileged data and trust accounts makes law firms a high-value target. Cyber policies for law firms typically pair with PI for full coverage.
M
- Multi-factor authentication (MFA): Requires a second factor (token, app, biometric) beyond a password. Almost universally a baseline insurer requirement for cyber cover in NZ.
- Managed security service provider (MSSP): A third party running your security operations. Insurers may ask whether you have one and what their SLA covers.
N
- Network security liability: Third-party claims from your network being used as a launchpad for an attack on someone else (e.g. malware spread from your servers).
- Notification costs: Costs to inform affected individuals after a privacy breach — letters, call centres, credit monitoring offers. Mandatory in NZ for serious-harm breaches under Privacy Act 2020.
O
- Operational technology (OT): Industrial control systems and SCADA — common in manufacturing, utilities, agriculture. Cyber cover for OT often requires bespoke endorsements.
P
- Phishing: Email or message designed to trick a user into clicking a malicious link or revealing credentials. The most common ransomware entry point.
- PCI-DSS: Payment Card Industry Data Security Standard. Compliance is required by card schemes (not by NZ law) but breach response often invokes PCI obligations.
- Privacy Act 2020: NZ's primary privacy law. Notifiable Privacy Breach requirements apply to incidents likely to cause serious harm — usually within 72 hours of becoming aware.
- Privacy breach (notifiable): A breach you must notify the Office of the Privacy Commissioner about under section 114 of the Privacy Act 2020. Cyber policies typically pay the cost of notification and remediation.
- Professional indemnity (PI): Cover for claims arising from negligent professional services. Often paired with cyber for tech, legal, accounting, and consulting firms.
R
- Ransomware: Malware that encrypts your data and demands payment for the decryption key. Modern variants also exfiltrate data and threaten publication ("double extortion").
- Ransom payment: Money paid to attackers in exchange for decryption or to prevent a leak. Some insurers will pay; others won't. NZ has no general legal prohibition but sanctions screening applies.
- Renewal: Annual review and re-quote of your cyber policy. Premium and terms can change materially based on claim history and changes in your security posture.
- Restoration costs: Cost of rebuilding data and systems after an incident. Distinct from ransom payments — paid even if you choose not to pay the ransom.
- Retention: See "Deductible (excess)".
S
- Sanctions screening: Insurers must check that ransom payments don't go to sanctioned entities. Failure to screen can void cover and create criminal exposure.
- Security questionnaire: The application form insurers use to assess your cyber risk. Modern questionnaires cover MFA, EDR, backups, patching cadence, third-party risk, and incident response.
- Social engineering: Attacks that manipulate humans rather than systems — phishing, vishing, BEC. A growing share of cyber claims.
- Sublimit: A cap on a specific coverage section that's lower than the overall policy limit. Common for ransom, BI, and notification costs.
- Supply-chain attack: An attack that reaches you through a trusted vendor (software update, MSP, payment processor). Contingent BI cover is the standard response.
T
- Tabletop exercise: A discussion-based simulation of a cyber incident with your leadership team. Insurers like to see one done annually.
- Third-party cover: Pays claims brought against you by others (customers, partners, regulators). Distinct from first-party covers.
- Threat intelligence: Curated information about active attackers, malware families, and TTPs. Some insurers provide a feed as part of their cover.
U
- Underwriter: The person at the insurer who decides whether to offer terms, at what price, and with what conditions. FCIB negotiates with underwriters on your behalf.
- Unauthorised access: Any access to your systems by a party not authorised to be there — whether an external attacker, insider, or compromised credential. Usually a covered trigger.
V
- Vendor risk: Risk introduced by your software vendors, MSPs, payment processors, and other third parties. Insurers increasingly assess your vendor due-diligence process.
- Voluntary shutdown: When you shut systems down to contain a suspected breach. Whether the resulting BI loss is covered varies by policy — read the wording.
W
- War exclusion: Standard exclusion for losses from acts of war or warlike operations. Recent NZ market wording has been refined to address state-sponsored cyber attacks — read your policy.
- Waiting period: The time between an incident starting and BI cover beginning. Typically 6–24 hours for cyber.
Z
- Zero-day vulnerability: A software flaw that's being exploited before the vendor has released a patch. Insurers generally don't exclude zero-day events but may ask about your patching cadence.
Got a term you'd like added?
Email Stewart at First Commercial Insurance Brokers Ltd. We update this page quarterly.