Cyber Insurance for NZ Small Businesses: Do You Really Need It?

Cyber attacks aren't just for big companies. Here's why NZ small businesses are increasingly targeted — and why cyber insurance is more essential than ever.

James Whitfield · Commercial Insurance Specialist
25 May 2026

Why Cyber Attacks Target Small Businesses

The common belief that cyber attackers only target large organisations is outdated and dangerous. New Zealand's National Cyber Security Centre (NCSC) reports that small and medium businesses account for a large share of the incidents reported to it, precisely because they often lack the defences of larger organisations while still holding valuable data, processing payments and having access to their customers' and suppliers' systems.

In 2024, the NCSC received over 7,000 cyber incident reports from organisations. A significant proportion involved small businesses, including sole traders, professional services firms, retailers and healthcare providers. The financial and reputational consequences can be devastating for a business that lacks the resources to recover.

What Cyber Risks Do Small Businesses Face?

Ransomware

Ransomware encrypts your files and demands payment for the decryption key. A single successful attack can lock your business out of all files, emails and systems for days or weeks. Most ransomware groups now also steal data before encrypting it and threaten to publish it, so paying for a key does not end the incident: stolen customer data still has to be assessed as a privacy breach (see the Privacy Act section below). Ransom demands received by businesses have risen significantly in recent years and often range from $10,000 to $250,000 or more.

Business Email Compromise (BEC)

BEC attacks involve criminals impersonating senior staff, suppliers or customers by email to redirect payments (typically by sending a "changed" bank account number on an otherwise genuine invoice) or to extract financial information. The New Zealand Police and NCSC have identified BEC as the most financially damaging cyber threat to businesses, with individual losses that frequently exceed $100,000.

Data Breaches

Any business holding customer names, email addresses, phone numbers, payment information or health records holds data that is valuable to criminals. Phishing, stolen or reused passwords, and unpatched or exposed internet-facing systems are the most common pathways to a breach.

Phishing

Phishing emails trick employees into revealing passwords, clicking malicious links or downloading malware. A single employee acting on a convincing phishing email can give an attacker a foothold in the organisation's systems, particularly where the compromised account is not protected by multi-factor authentication.

Supply Chain Attacks

Attackers compromise software or services used by many businesses at once. If a supplier, your managed IT provider, or a software update you rely on is compromised, your business can be affected even if your own systems are well defended, and your insurer and customers will still look to you for the response.

The Privacy Act 2020: Your Legal Obligations

The Privacy Act 2020 significantly strengthened the obligations of businesses in relation to personal information. Key obligations include:

Mandatory Breach Notification If your business suffers a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm to affected individuals, you must notify the Office of the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of it.

Consequences of Non-Compliance The Privacy Commissioner can issue compliance notices, investigate complaints and refer serious cases to the Human Rights Review Tribunal. Fines of up to $10,000 can be imposed for offences under the Act, such as failing to notify the Commissioner of a notifiable breach, and the Tribunal can award substantially higher damages to affected individuals.

What Constitutes "Serious Harm"? Serious harm includes significant financial loss, physical harm, psychological harm and damage to reputation, all outcomes that can follow a data breach. In assessing it, the Act asks you to weigh the sensitivity of the information, whether it was protected (for example by encryption), who is likely to have obtained it and what they could do with it. Erring on the side of notification is advisable.

What Cyber Insurance Covers

A comprehensive cyber insurance policy for a small business typically includes:

First-Party Costs (Your Own Losses):

  • Forensic investigation to determine how the breach occurred
  • Data recovery and system restoration
  • Business interruption losses during system downtime
  • Ransomware response — including negotiation support and payment (where legal)
  • Notification costs — legal advice, IT support, postal notification
  • Credit monitoring for affected customers
  • Public relations costs to manage reputational damage

Third-Party Liability (Claims Against You):
  • Legal defence costs for claims by customers or partners whose data was compromised
  • Compensation for damages awarded to affected parties
  • Regulatory investigation costs and, where insurable by law, fines and penalties under the Privacy Act

Additional Benefits:
  • 24/7 cyber incident hotline and response team access
  • Cyber extortion support
  • Fraud and social engineering cover (for BEC attacks)

What Cyber Insurance Does NOT Cover

  • Breaches or incidents you knew about, or should reasonably have known about, before the policy started
  • Deliberate or criminal acts by the insured
  • Intellectual property infringement (unless specifically included)
  • Physical property damage caused by a cyber event (requires separate cover)
  • War and terrorism cyber attacks (typically excluded, though some policies have carve-backs)

How Much Does Cyber Insurance Cost?

Cyber insurance premiums for small businesses are more affordable than many business owners expect:

  • Small professional services or retail business (low data sensitivity): $500–$1,500/year
  • Small healthcare or financial services firm (sensitive data): $1,500–$4,000/year
  • Medium-sized business with significant customer data: $3,000–$10,000+/year

Premiums are influenced by your annual revenue, the type and volume of data you hold, your cybersecurity practices, and your claims history. Many insurers now ask about, or require, basic controls such as multi-factor authentication, offline backups and staff training before offering cover, and having them in place can meaningfully reduce your premium.

Cybersecurity: Insurance Complements, Not Replaces, Prevention

Cyber insurance is not a substitute for cybersecurity. The best approach combines both:

Essential Cybersecurity Controls:

  • Multi-factor authentication (MFA) on all business email, remote access and cloud accounts, starting with administrator accounts
  • Regular backups kept offsite, with at least one copy offline or otherwise unreachable from your network, and tested by actually restoring from them
  • Staff training to recognise phishing and social engineering, including a process for verifying changed bank account details by phone before paying
  • Software and operating system updates applied promptly, especially on internet-facing systems
  • Strong, unique passwords and a password manager
  • Endpoint protection software on all devices

These measures significantly reduce the likelihood and impact of a successful attack and may also reduce your insurance premiums.

Should Your Small Business Get Cyber Insurance?

If your business holds any customer data — even just names and email addresses — cyber insurance is worth considering. If you hold financial data, health records, or store payment information, it is essential.

The question is no longer whether your business could be targeted. In the current threat environment, the question is whether your business can afford the financial consequences of an incident without insurance.

Connect with an insurance adviser through our website to get a cyber insurance quote tailored to your business.

James Whitfield
Commercial Insurance Specialist

A specialist in commercial insurance for businesses across New Zealand, with expertise in helping SMEs and professional services firms navigate the commercial insurance market.
