Cyber Liability Insurance

Protect your business from the financial consequences of cyber attacks and data breaches.

Cyber liability insurance protects New Zealand businesses from the financial consequences of cyber attacks, data breaches, ransomware, and other digital threats. As businesses become increasingly reliant on technology and digital data, the frequency and severity of cyber incidents are growing rapidly. A cyber insurance policy covers the direct costs of responding to an incident, business interruption losses, and third-party liability arising from data breaches.

What Cyber Insurance Covers

  • Incident response costs — forensic investigation, legal advice, and crisis communications
  • Data breach notification costs under NZ's Privacy Act 2020
  • Ransomware payments and extortion response (where legally permitted)
  • Business interruption losses following a cyber event
  • Data restoration and system recovery costs
  • Third-party liability for breach of privacy obligations
  • Business email compromise and social engineering fraud losses

Why You Need This Cover

New Zealand's CERT NZ recorded over 8,000 reported cyber incidents in 2024, with financial losses exceeding $23 million. Ransomware attacks on NZ businesses more than doubled between 2022 and 2024. The Privacy Act 2020 requires mandatory notification of privacy breaches — a process that itself incurs significant cost. Cyber insurance ensures your business can respond to an incident without facing financial ruin.

Who Needs Cyber Insurance?

  • Businesses that hold customer personal data (virtually every NZ business)
  • Businesses reliant on digital systems for operations and revenue
  • Professional service firms with client confidential information
  • Healthcare and financial services businesses with sensitive data
  • Retailers and e-commerce businesses processing online payments
  • Any business that uses email — business email compromise is the most common cyber attack vector

Premium Guide

Cyber premiums for SMEs typically range from $800 to $8,000 annually depending on revenue, data volumes, security controls, and industry sector. Premiums have stabilised in 2025–26 after several years of increases. Businesses with strong cybersecurity controls (MFA, EDR, regular backups, patching) typically achieve better pricing and broader cover.

Premium ranges are indicative only. Your actual premium will depend on your specific business activities, risk profile, claims history and chosen policy limits. Get a tailored quote for accurate pricing.

Key Facts

Privacy Act 2020: mandatory notification of serious privacy breaches to Privacy Commissioner and affected individuals

NZ businesses lost $23M+ to cyber crime in 2024 (CERT NZ)

Ransomware attacks on NZ organisations more than doubled 2022–2024

Business email compromise (BEC) is the most financially damaging cyber crime in NZ

Cyber policies increasingly require MFA, EDR, and tested backups as conditions of cover

The New Zealand Cyber Threat Landscape

New Zealand businesses face a growing and evolving cyber threat environment. CERT NZ data shows consistent year-on-year increases in reported incidents, with ransomware, phishing, and business email compromise (BEC) accounting for the majority of financial losses. The 2024 CERT NZ report recorded over 8,000 reported cyber incidents with financial losses exceeding $23 million — and these figures represent only reported incidents.

No sector is immune, and no business is too small. Professional services firms with client data, technology companies with code repositories and customer systems, healthcare providers with patient records, and retail businesses with payment data all carry significant cyber risk.

What Cyber Insurance Covers

A comprehensive cyber policy covers both your own losses (first-party) and claims by others affected by your breach (third-party).

First-Party Coverage: Your Own Losses

Incident Response: When a cyber incident occurs, your first costs are response costs — bringing in forensic investigators to identify the cause and scope, engaging specialist legal counsel, and managing crisis communications. These costs begin immediately and can reach $50,000–$200,000 for even moderate incidents before any business interruption or compensation is considered.

Business Interruption: If your systems are offline due to a ransomware attack, your revenue stops — but your fixed costs continue. Cyber BI covers the revenue you lose during the period of system downtime. For technology companies whose revenue depends entirely on operational systems, this can be the largest single component of a cyber claim.

Data Restoration: Ransomware that encrypts your data, or attacks that corrupt databases, requires expensive data recovery and reconstitution work. Cyber insurance covers the cost of data restoration specialists.

Ransomware Response: Ransomware attacks are increasingly sophisticated and targeted. Cyber insurers provide specialist ransom negotiation advisers and, where legally permitted, cover ransom payments. The decision to pay or not is complex and should always be made with specialist counsel — your insurer should be involved from the first notification.

Extortion Response: Beyond ransomware, cyber extortion takes many forms — threats to release stolen data, DDoS threats, and supply chain attacks. Cyber insurance covers threat management, negotiation, and response costs.

Third-Party Coverage: Claims by Others

Privacy Liability: If your systems are breached and personal data is compromised, affected individuals may claim compensation. Privacy liability covers these third-party compensation claims, subject to the policy limit.

Network Security Liability: If a breach originating from your systems spreads to clients or business partners — for example, through a compromised supply chain — those affected parties may claim against you. Network security liability covers these claims.

Regulatory Defence: Privacy Commissioner investigations under New Zealand's Privacy Act 2020 are covered by cyber insurance. Defence costs, including legal representation during investigation, are funded by the policy.

Privacy Act 2020: Mandatory Notification and Your Obligations

New Zealand's Privacy Act 2020 introduced mandatory privacy breach notification obligations for all businesses. If your organisation suffers a privacy breach that causes or is likely to cause serious harm, you must:

1. Notify the Privacy Commissioner as soon as practicable
2. Notify affected individuals whose data is involved

Failure to notify carries regulatory and reputational risk. The notification process itself — identifying affected individuals, drafting communications, managing the Privacy Commissioner engagement — incurs significant cost.

Cyber insurance covers all aspects of the mandatory notification process:

  • Legal advice on whether notification is required and its scope
  • Breach notification letters and communications
  • Call centre costs for affected individual enquiries
  • Credit monitoring services offered to affected individuals
  • Privacy Commissioner liaison and investigation costs

Business Email Compromise: The Highest-Cost Attack

Business email compromise (BEC) is the single most financially damaging form of cyber crime in New Zealand. BEC attacks involve attackers impersonating executives, suppliers, or business partners to trick employees into transferring funds or changing payment details.

Common BEC scenarios:

  • Fake CEO instruction to pay an "urgent invoice" to a new account
  • Supplier impersonation changing banking details before a large payment
  • Fake HR instructions changing payroll bank account details

BEC losses are often not covered by standard crime or fraud policies — and many cyber policies include BEC only up to a sub-limit, or with specific conditions (such as requiring callback verification). Understand your policy's BEC coverage explicitly.

Cyber Security Controls: What Insurers Now Require

The NZ cyber insurance market has hardened significantly. Insurers increasingly require businesses to demonstrate adequate security controls before offering terms:

  • Multi-factor authentication (MFA): Required on email, remote access, and critical systems
  • Endpoint detection and response (EDR): Next-generation antivirus and monitoring
  • Offline, tested backups: Backups that cannot be encrypted by ransomware
  • Security patching: Timely application of security updates
  • Staff security training: Regular phishing simulation and awareness training
  • Privileged access management: Restrictions on administrator-level accounts

Businesses that cannot demonstrate these controls face premium loadings, exclusions, or inability to obtain cover. The good news: implementing basic cyber hygiene reduces your actual risk, improves insurability, and reduces premiums. Technology companies and professional services firms with strong IT teams can typically evidence these controls readily.

Choosing the Right Cyber Policy

Cyber policies vary significantly in coverage triggers, sub-limits, and exclusions. Key questions to ask:

  • Are ransomware payments covered, and are there jurisdictional exclusions (some policies exclude payments to sanctioned entities)?
  • Is business interruption covered from the first hour of downtime, or is there a waiting period?
  • Are social engineering and BEC losses covered, and to what sub-limit?
  • Does the policy cover cyber events at cloud providers (contingent BI)?
  • Is the retroactive date adequate for your prior risk period?

A specialist broker who understands cyber policy wordings can compare multiple insurers and identify the cover that best matches your business's digital risk profile.

Cyber Insurance for Specific Sectors

Healthcare

Healthcare providers face particularly severe cyber risk. Patient health records are among the most valuable data categories for attackers. A breach of electronic health records triggers Privacy Act 2020 notification obligations and may engage Health and Disability Commissioner scrutiny.

Technology Companies

Technology businesses carry dual cyber exposure: their own systems and the downstream systems of their clients. A breach at a managed service provider can affect hundreds of client businesses simultaneously. Tech PI (professional indemnity) covers client claims arising from your breach; cyber covers your own response costs.

Professional Services

Professional services firms hold commercially sensitive client data — financial information, strategic plans, transaction details. BEC attacks targeting senior staff are common. Mandatory notification under the Privacy Act 2020 applies to any breach of client personal information.

Typical Cyber Insurance Premiums

Premiums for SMEs typically range from $800 to $8,000 annually:

  • Small businesses (< $500k revenue, basic data): $800 – $2,500 pa
  • Professional services firms ($500k–$5M revenue): $2,000 – $8,000 pa
  • Technology companies ($1M–$10M revenue): $4,000 – $20,000 pa
  • Healthcare practices: $3,000 – $15,000 pa (data sensitivity loading)

See also: professional indemnity insurance, statutory liability insurance, business interruption insurance, and industry guides for technology companies, healthcare providers, and professional services firms.

Cyber Liability Insurance — Frequently Asked Questions

Does my general business insurance cover cyber attacks?

Rarely. Standard business liability and property policies exclude cyber events or provide only very limited cover. Cyber liability insurance is a specialist product designed specifically to address digital risks. Most NZ businesses need a dedicated cyber policy.

What is business email compromise and is it covered?

Business email compromise (BEC) involves attackers impersonating executives or suppliers to trick employees into transferring money. BEC is the most financially damaging cyber crime in NZ. Not all cyber policies cover BEC — check your policy's social engineering and funds transfer fraud provisions.

Do I need cyber insurance if I use a cloud provider?

Yes. Cloud providers protect their infrastructure, not your data or business processes. A cloud outage or breach can cause significant business interruption and data loss regardless of whose fault it is. Cyber insurance covers your losses even if the incident originates with a third-party provider.

What is the Privacy Act 2020's impact on my cyber risk?

The Privacy Act 2020 requires mandatory notification of serious privacy breaches. Failing to notify can result in a Privacy Commissioner investigation and reputational damage. Cyber insurance covers the costs of notification, regulatory liaison, and any compensation claims from affected individuals.

How does the insurer respond when I report a cyber incident?

Most cyber insurers operate a 24/7 incident response hotline. When you report an incident, they will appoint a specialist forensic firm, legal counsel, and crisis communications advisers. Early reporting is critical — do not attempt to manage a significant cyber incident without engaging your insurer.
