Cyber attacks are one of the fastest-growing risks facing New Zealand businesses. From ransomware and data breaches to phishing scams and system outages, a single incident can cost tens of thousands of dollars and damage customer trust. This guide explains what cyber insurance covers, what it costs, and how to protect your business in an increasingly digital world.
Cyber insurance is a type of business insurance designed to help cover the costs that arise when a business suffers a cyber attack, data breach, or other technology-related security incident. It sits alongside other forms of business insurance like public liability and professional indemnity, but it specifically targets digital risks.
Standard business insurance policies typically exclude cyber events. If your business is hit by ransomware, has customer data stolen, or suffers a system outage caused by a hacker, a general policy is unlikely to cover the fallout. Cyber insurance fills that gap.
A cyber policy can cover a wide range of costs - from hiring forensic IT investigators and notifying affected customers, to paying for legal advice, regulatory fines, and lost revenue while your systems are down. Some policies also cover the cost of restoring data and repairing damaged systems.
In New Zealand, the cyber insurance market has grown significantly in recent years. The Insurance Council of New Zealand (ICNZ) has noted rising demand as businesses become more aware of their digital exposure. This growth has been driven by high-profile incidents both in NZ and overseas, as well as stricter privacy laws that now hold businesses accountable for protecting personal information.
Cyber insurance policies vary between providers, but most cover a core set of costs that arise from cyber incidents. These fall into two broad categories - first-party costs (your own losses) and third-party costs (claims from others). Here is a breakdown of the main areas of cover.
Not every policy will include all of these elements, and limits can vary significantly. It is important to read the policy wording carefully and understand exactly what is and isn't included before purchasing cover. The Insurance Brokers Association of New Zealand (IBANZ) can help connect businesses with brokers who specialise in cyber insurance.
One of the key things to understand about cyber insurance is the distinction between first-party and third-party cover. Most comprehensive policies include both, but cheaper or more basic policies may only cover one or the other.
First-party cover protects your own business from direct losses. Third-party cover protects you against claims from other people or organisations that are affected by a cyber incident involving your business. For example, if a hacker steals your customers' credit card details and those customers suffer financial losses, third-party cover would respond to their claims against you.
The table below shows how first-party and third-party cover compare across common cyber incident costs. When comparing policies, check that both categories are included and that the limits are adequate for your business size and the volume of data you handle.
| Cost Area | First-Party Cover (Your Losses) | Third-Party Cover (Claims Against You) |
|---|---|---|
| Forensic investigation | Covered - cost of identifying the breach and securing your systems | Not applicable |
| Data restoration | Covered - restoring lost or corrupted data and rebuilding systems | Not applicable |
| Business interruption | Covered - lost revenue and extra expenses while systems are offline | Not applicable |
| Ransomware payments | Covered - ransom and negotiation costs (where legally permitted) | Not applicable |
| Notification expenses | Covered - notifying affected individuals and regulators | Not applicable |
| Crisis management and PR | Covered - public relations and reputation management costs | Not applicable |
| Customer claims | Not applicable | Covered - claims from individuals whose data was compromised |
| Regulatory actions | Not applicable | Covered - fines, penalties, and defence costs from regulatory bodies |
| Third-party lawsuits | Not applicable | Covered - legal defence and settlement costs |
| Media liability | Not applicable | Covered - claims arising from content published on your digital platforms |
Like all insurance, cyber policies have exclusions and limitations. Understanding what is not covered is just as important as knowing what is. Here are some common exclusions to watch for.
Every policy is different, so always read the policy wording and ask your insurer or broker to clarify anything you're unsure about. The Financial Markets Authority (FMA) has guidance on understanding insurance policy documents, and the Insurance & Financial Services Ombudsman (IFSO) can help resolve disputes.
The short answer is that any business that uses technology or handles personal data faces some level of cyber risk. That said, the level of exposure varies significantly depending on your industry, size, and how you operate. Here are some of the business types where cyber insurance is particularly worth considering.
Even businesses that think they're too small to be targeted are at risk. In fact, small and medium-sized businesses are disproportionately affected by cyber attacks in New Zealand, partly because they often lack the dedicated IT security resources of larger organisations. CERT NZ has reported that small businesses make up a significant proportion of the incidents they respond to.
If your business collects names, email addresses, phone numbers, payment details, health information, or any other personal data, you have obligations under the Privacy Act 2020. A data breach involving that information can trigger mandatory notification requirements and potential complaints to the Office of the Privacy Commissioner. Cyber insurance can help cover the costs of meeting those obligations.
New Zealand may be a small country, but it is not immune to cyber crime. CERT NZ (the government's Computer Emergency Response Team) publishes regular reports on the state of cyber security in Aotearoa, and the numbers paint a clear picture of growing risk.
The types of attacks hitting NZ businesses are consistent with global trends. Phishing and credential harvesting remain the most common attack methods, followed by scams and fraud, unauthorised access, and malware (including ransomware). Ransomware in particular has become a major concern, with attackers encrypting business data and demanding payment for its return.
The Privacy Act 2020 introduced mandatory breach notification rules for New Zealand businesses. If a privacy breach has caused, or is likely to cause, serious harm to affected individuals, the business must notify both the affected people and the Office of the Privacy Commissioner. Failure to do so can result in penalties and enforcement action.
Netsafe also provides useful resources for NZ businesses on staying safe online, including guidance on phishing, password security, and responding to online threats. Meanwhile, business.govt.nz has a dedicated section on IT risk and cyber security with practical steps businesses can take to protect themselves.
Cyber attacks can affect businesses in many different ways. Here are some realistic scenarios that illustrate the types of incidents NZ businesses face, and how cyber insurance could respond.
Scenario 1 - Ransomware hits an accounting firm. An employee at a mid-sized accounting practice in Auckland clicks on a phishing email. Ransomware encrypts the firm's client files, tax records, and financial data. The attackers demand $50,000 in cryptocurrency. The firm faces lost revenue while systems are down, costs to hire forensic IT experts, legal advice on whether to pay the ransom, notification costs under the Privacy Act 2020, and the expense of restoring data from backups. Total cost without insurance could easily reach $100,000 or more.
Scenario 2 - Customer data breach at an online retailer. A Wellington-based e-commerce business discovers that a vulnerability in its website has allowed hackers to access 15,000 customer records, including names, addresses, and credit card details. The business must notify all affected customers and the Privacy Commissioner. It also faces potential claims from customers who suffer financial losses, plus the cost of credit monitoring services and a crisis PR campaign.
Scenario 3 - Business email compromise at a construction company. A Christchurch construction firm is targeted by a business email compromise (BEC) scam. An attacker impersonates the company's managing director by email and instructs the accounts team to transfer $85,000 to a fraudulent bank account. By the time the fraud is discovered, the money is gone. Some cyber policies include cover for social engineering fraud of this type.
Scenario 4 - System outage for a SaaS provider. A small software-as-a-service company in Dunedin suffers a distributed denial-of-service (DDoS) attack that takes its platform offline for three days. Clients are unable to access the service and several threaten to cancel their contracts. The business faces both lost revenue and potential third-party claims for breach of service-level agreements.
These scenarios illustrate why cyber insurance is relevant to businesses across a wide range of industries. The costs add up quickly, and for small businesses in particular, an uninsured cyber incident can be devastating.
Insurers assess the level of cyber risk your business presents before setting a premium. Businesses with strong cybersecurity practices are generally viewed as lower risk, which can result in more competitive premiums and broader cover. Improving your security posture is not just good business - it may also help at renewal time.
Here are some of the most effective steps NZ businesses can take. CERT NZ and business.govt.nz provide free, practical guidance on implementing many of these measures.
Cyber insurance pricing varies widely depending on your business size, industry, revenue, the volume and sensitivity of data you handle, your claims history, and the security measures you have in place. There is no one-size-fits-all price.
As a rough guide, small NZ businesses with relatively low cyber exposure (such as trades or retail businesses with limited online operations) may pay in the range of $500 to $2,000 per year for a basic cyber policy. Mid-sized businesses with higher data exposure - such as professional services firms, healthcare providers, or e-commerce businesses - may pay between $2,000 and $10,000 per year. Larger businesses or those in high-risk industries can pay significantly more.
Factors that influence the cost include the cover limit (typically ranging from $250,000 to $5 million or more), the excess amount, the breadth of cover (first-party only vs first-party and third-party), the industry you operate in, and how strong your cybersecurity practices are.
The cyber insurance market in NZ is still maturing, and premiums have been trending upward in recent years as insurers respond to increasing claim volumes. However, competition in the market is also growing, which means businesses that shop around and demonstrate good security practices are more likely to find competitive pricing.
An insurance broker with experience in cyber cover can help you navigate the options. The Insurance Brokers Association of New Zealand (IBANZ) maintains a directory of brokers, and many specialise in commercial and cyber insurance. You can also explore options through Compare.org.nz's business insurance page to get estimates and compare what's available.