Avoid Cyber Insurance Claim Denials in NZ in 2026

Dayna-Jean Broeders

01 June 2026

22 min read

Avoid Cyber Insurance Claim Denials in New Zealand: What Your Policy Requires in 2026

 

Most New Zealand businesses buy cyber insurance believing they're protected. But there's a significant gap between what businesses assume their policy covers and what insurers require to pay a claim.

That gap is widening. Underwriters are asking harder questions, demanding more evidence, and declining claims more frequently than ever before. If your security controls don't meet current expectations - or if you can't document that they do - you could find yourself facing the full cost of a cyber incident despite paying premiums for years.

This guide explains exactly what New Zealand insurers expect in 2026: which controls are now effectively mandatory, what evidence you need to retain, how incident response documentation affects your claim, and where businesses in industries like legal and financial services face additional scrutiny.

It's based on direct experience working with New Zealand organisations through cyber incidents and insurance assessments - including insights from NSP's CISO Geordie Stewart, who has spent over two decades in security across diverse industries and regularly helps businesses navigate the claims process.

 

How the NZ Cyber Insurance Market Has Changed

To understand why claims are being denied, you need to understand how dramatically insurer expectations have shifted in the last three years.

"Traditionally, the questionnaires used to be quite high level," Geordie explains. "Sometimes the questions weren't very well structured. What we're seeing now is a need from the underwriters to see a lot more evidence."

Previously, a typical application might ask: "Do you have a firewall?" Answer yes, move on. Today, underwriters ask who manages the firewall, when it was last reviewed, whether you can produce a management report showing it's in good condition, and whether the configuration follows current best practice.

This shift from presence to evidence - from "do you have this control?" to "can you prove it's working effectively?" - is the most important development in the NZ cyber insurance market.

"We're starting to see more incidents of cover being declined," Geordie notes. And not just at application stage. Claims are being denied when investigations reveal that controls businesses claimed to have either didn't exist in practice or weren't operating effectively.

There's also a fundamental change in insurer philosophy. For years, cyber insurance focused almost entirely on prevention - what controls did you have to stop an attack? Increasingly, insurers accept that breaches will happen and weight recovery capabilities just as heavily.

"Some of the focus shifts to: when it happens, are you ready for recovery?" Geordie says. That means immutable backups, documented incident response procedures, and tested recovery capabilities are now underwriter expectations, not optional extras.

 

The Controls Insurers Now Treat as Non-Negotiable

Cyber insurance applications in 2026 have a tier of controls that are effectively mandatory for most policies. These aren't nice-to-haves that might improve your premium. Without them, you either won't qualify for cover or will find your claims scrutinised heavily.

1. Multi-Factor Authentication (MFA)

MFA has been security best practice for over a decade. It's now a baseline requirement for cyber insurance eligibility.

"If you don't have multi-factor authentication in place, you're probably going to find it very difficult to get cover," Geordie says. "And if you do get cover offered, it's probably going to be a significant premium."

MFA must be applied to:

  • All remote access to corporate systems (VPN, RDP, remote desktop)

  • All email platforms (Microsoft 365, Google Workspace)

  • All cloud services containing business or customer data

  • All privileged or administrative accounts

Applying MFA only to some systems creates the exact vulnerabilities insurers are trying to mitigate. Partial implementation is documented as such when claims are investigated.

The gold standard: device authentication

For organisations handling highly sensitive data - particularly law firms and financial advisers - underwriters increasingly expect what Geordie calls "device authentication": a third factor requiring login from an approved, registered device, not just a password and a PIN.

"In order for somebody to log onto a mailbox, they don't just need a PIN code from their phone and their password - they also need to be logging on from a device which has been approved to log on to that platform," he explains. "So effectively, this becomes three-factor authentication."

This matters because business email compromise (BEC) - where attackers log into corporate email accounts - is by far the most common cyber claim. Organisations in sectors where confidential communications are core to the business face particularly high BEC exposure.

2. Immutable, Isolated Backups

"Not just have backups, but have immutable backups," is how Geordie frames what insurers now require.

Immutable backups cannot be deleted or altered - even by an administrator. This is specifically designed to counter ransomware attacks where attackers routinely delete or corrupt backups as part of their methodology, eliminating the organisation's ability to recover without paying ransom.

Your backup strategy must satisfy three requirements:

Immutability: Backups cannot be modified or deleted once created, including by privileged accounts.

Isolation: Backups are stored separately from your production environment. If ransomware encrypts your entire network, your backups remain untouched.

Tested restoration: You can demonstrate that backups successfully restore within your required recovery timeframes. Backups that exist but have never been tested are treated with significant scepticism during claims investigations.

Many organisations discover during incidents that their backups were connected to the same systems that were encrypted, or that restoration procedures existed on paper but had never been tested. Both failures create serious problems when making a claim.

3. 24/7 Security Monitoring

Attackers don't work business hours. "The challenge for New Zealand businesses is that the attackers work 24/7, but a lot of businesses only have protection during business hours," Geordie points out. "As a result, a lot of attacks happen in the evenings and over long weekends. By the time people come into work on a Tuesday morning, a lot has gone wrong."

Underwriters are increasingly looking for evidence of effective 24/7 monitoring - not just antivirus software that runs on devices, but active monitoring that can detect behavioural anomalies and respond to threats outside business hours.

The distinction matters. Traditional antivirus looks for known malicious code, whereas modern attacks often don't use malware at all - they use legitimate credentials and tools to move through your environment. Detecting this requires behavioural monitoring that identifies unusual patterns, not just known signatures.

"In the old days, thinking 10 years ago, it was enough just to have antivirus," Geordie notes. "But a lot of the attacks now that happen are more behavioural. They might show up not by malware showing up on a laptop, but by what we call something like a Superman log-on - somebody logs on from Wellington at 10 o'clock and then they log on from Auckland at 11 o'clock."
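The "Superman log-on" Geordie describes is what monitoring tools usually call impossible (or improbable) travel: two sessions for the same account from places too far apart for one person to have travelled between them in the time available. The following is an added example, not code from the original article or from NSP. It runs a simple version of that check over a few constructed sign-in records. The city coordinates, the log format, the example accounts and the speed thresholds are all assumptions made for the example; a real monitoring service would take location from IP geolocation and tune the thresholds to its own data.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed lookup for the example. A real detection would use IP geolocation.
CITY_COORDS = {
    "Wellington": (-41.29, 174.78),
    "Auckland": (-36.85, 174.76),
    "Christchurch": (-43.53, 172.63),
    "Sydney": (-33.87, 151.21),
}

# Constructed sign-in records: timestamp (all in one time zone), user, city, result.
SIGNIN_LOG = """\
2026-06-01T10:00:00 alice@example.co.nz Wellington success
2026-06-01T11:00:00 alice@example.co.nz Auckland success
2026-06-01T11:30:00 bob@example.co.nz Auckland success
2026-06-01T12:00:00 bob@example.co.nz Sydney success
2026-06-01T09:00:00 carol@example.co.nz Wellington success
2026-06-01T09:30:00 carol@example.co.nz Wellington success
2026-06-01T08:00:00 dave@example.co.nz Auckland success
2026-06-01T16:00:00 dave@example.co.nz Christchurch success
2026-06-01T10:00:00 eve@example.co.nz Wellington failure
2026-06-01T10:01:00 eve@example.co.nz Sydney success
"""


@dataclass
class SignIn:
    when: datetime
    user: str
    city: str


@dataclass
class TravelAlert:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    hours: float
    severity: str  # "impossible" (faster than any aircraft) or "improbable"


def parse_signins(text):
    """Parse the constructed log format; failed attempts don't establish presence."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, result = line.split()
        if result == "success":
            events.append(SignIn(datetime.fromisoformat(ts), user, city))
    return events


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_superman_logons(events, impossible_kmh=1000.0, improbable_kmh=150.0):
    """Compare each user's consecutive sign-ins and flag implausible implied speeds.

    Thresholds are assumptions: above ~1000 km/h is faster than an airliner, so
    the two sessions cannot be one travelling person; between 150 and 1000 km/h
    would need a flight with no time at either airport, so it deserves a look.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)  # log lines are not guaranteed to arrive in order
        for prev, cur in zip(evs, evs[1:]):
            if prev.city == cur.city:
                continue
            if prev.city not in CITY_COORDS or cur.city not in CITY_COORDS:
                continue  # no geolocation, so travel speed cannot be judged
            dist = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[cur.city])
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")  # same second: impossible
            if speed > impossible_kmh:
                severity = "impossible"
            elif speed > improbable_kmh:
                severity = "improbable"
            else:
                continue
            alerts.append(TravelAlert(user, prev.city, cur.city,
                                      round(dist, 1), round(hours, 2), severity))
    return alerts


if __name__ == "__main__":
    for a in detect_superman_logons(parse_signins(SIGNIN_LOG)):
        print(f"{a.severity:10} {a.user}: {a.from_city} -> {a.to_city} "
              f"({a.distance_km} km in {a.hours} h)")
```

Note the two tiers: Geordie's own Wellington-to-Auckland-in-an-hour case works out to roughly 490 km/h, which a plain "faster than a plane" rule would not catch, since the flight itself takes about an hour. It lands in the "improbable" tier, which is the kind of anomaly a 24/7 monitoring service is expected to put in front of an analyst rather than ignore. The Auckland-to-Sydney pair half an hour apart is flagged as outright impossible, while the same-city and slow-moving pairs produce no alert.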

For SMBs that can't justify an internal security operations team, Managed Detection and Response (MDR) services provide this 24/7 monitoring capability and increasingly satisfy underwriter requirements for continuous monitoring.

4. Patch and Vulnerability Management

Systems with unpatched known vulnerabilities are a frequent finding in claim investigations - and a common basis for denial or reduced settlement.

"It's easy to fall into a false sense of security because Windows now is pretty good at self-updating," Geordie observes. "But the trouble is that sometimes things go wrong with this process. If you're not monitoring it, you might have a device that stopped getting its security updates years ago and is increasingly more and more at risk."

Effective patch management requires:

  • Documented patch management policy defining maximum acceptable timeframes (typically 7-30 days for critical patches)

  • Regular vulnerability scanning identifying unpatched systems

  • Evidence of systematic patch deployment, not just best-effort

  • Management reporting showing current patch status across your device fleet

The last point is particularly important. "They won't just ask you what type of firewall is running in an organisation," Geordie explains. "They might ask: Can we see some kind of management report that shows that it's been inspected recently and is in good condition?" The same principle applies to patch status.
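To show what a "management report showing current patch status" can look like in practice, here is an added example, not code from the article or from NSP. It reads a constructed endpoint inventory export, compares each device's oldest pending update against a patch policy (7 days for critical and 30 days for high, matching the range quoted above; the 90-day medium figure is an assumption), and separately flags devices that have stopped reporting, which is the silent-failure case Geordie describes. The CSV columns, hostnames, dates and the 14-day stale threshold are all assumptions made for the example.

```python
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO

# Constructed policy: maximum days an update of each severity may stay uninstalled.
# 7 and 30 days match the range the article quotes; "medium" is an assumption.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
STALE_CHECKIN_DAYS = 14  # assumption: a device silent this long cannot be vouched for
REPORT_DATE = date(2026, 6, 1)  # constructed reporting date

# Constructed export, shaped like what an endpoint-management tool might produce.
INVENTORY_CSV = """\
hostname,last_checkin,pending_severity,pending_since
LAPTOP-01,2026-05-30,,
LAPTOP-02,2026-05-30,critical,2026-05-20
SERVER-01,2026-05-29,high,2026-05-10
LAPTOP-03,2026-01-12,critical,2026-01-03
SERVER-02,2026-05-30,medium,2026-04-15
"""


@dataclass
class DeviceStatus:
    hostname: str
    state: str  # "compliant", "overdue" or "stale"
    detail: str


def assess_fleet(csv_text, as_of, sla=PATCH_SLA_DAYS, stale_days=STALE_CHECKIN_DAYS):
    """Classify every device against the patch policy as of a given date."""
    statuses = []
    for row in csv.DictReader(StringIO(csv_text)):
        host = row["hostname"]
        silent_for = (as_of - date.fromisoformat(row["last_checkin"])).days
        if silent_for > stale_days:
            # No recent telemetry: the device may have stopped updating long ago,
            # so it is reported separately rather than counted as compliant.
            statuses.append(DeviceStatus(host, "stale", f"no check-in for {silent_for} days"))
            continue
        severity = row["pending_severity"].strip().lower()
        if not severity:
            statuses.append(DeviceStatus(host, "compliant", "no pending updates"))
            continue
        if severity not in sla:
            # Unknown severity: treat conservatively rather than silently passing it.
            statuses.append(DeviceStatus(host, "overdue", f"unrecognised severity '{severity}'"))
            continue
        age = (as_of - date.fromisoformat(row["pending_since"])).days
        limit = sla[severity]
        if age > limit:
            statuses.append(DeviceStatus(
                host, "overdue", f"{severity} update {age - limit} days past the {limit}-day limit"))
        else:
            statuses.append(DeviceStatus(
                host, "compliant", f"{severity} update within {limit}-day window ({age} days old)"))
    return statuses


def summarise(statuses):
    """Counts by state plus the figure an underwriter asks for: % of fleet known compliant."""
    counts = {"compliant": 0, "overdue": 0, "stale": 0}
    for s in statuses:
        counts[s.state] += 1
    total = len(statuses)
    counts["compliant_pct"] = round(100.0 * counts["compliant"] / total, 1) if total else 0.0
    return counts


def render_report(statuses, as_of):
    """Plain-text management summary, worst devices first."""
    counts = summarise(statuses)
    lines = [f"Patch status report as of {as_of.isoformat()}",
             f"Devices: {len(statuses)}  compliant: {counts['compliant']}  "
             f"overdue: {counts['overdue']}  stale: {counts['stale']}  "
             f"({counts['compliant_pct']}% known compliant)", ""]
    order = lambda s: (s.state != "overdue", s.state != "stale", s.hostname)
    for s in sorted(statuses, key=order):
        lines.append(f"{s.hostname:12} {s.state:10} {s.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(assess_fleet(INVENTORY_CSV, REPORT_DATE), REPORT_DATE))
```

The point of the separate "stale" state is the one Geordie makes: a device that has not checked in for months has no current patch data, and counting it as compliant because nothing is known to be pending is exactly the false sense of security he warns about. Reporting "known compliant" as a percentage of the whole fleet, with stale devices excluded from the numerator, gives the honest figure.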

5. Controls Over Lateral Movement

Once attackers gain access to one system, they attempt to move laterally through the network - escalating privileges, accessing additional systems, and reaching the most valuable data.

Underwriters want to see controls that limit this movement, so a single compromised account doesn't mean everything is compromised.

"A lot of New Zealand businesses have all their information available on the network," Geordie notes, pointing to regulated industries like law and healthcare where data retention requirements sometimes become justification for unrestricted access. "The key difference is you don't need to keep all the information accessible for all staff."

Practical controls include:

  • Network segmentation separating different system types

  • Least-privilege access ensuring staff only access data required for their role

  • Role-based access controls reviewed and updated regularly

  • Privileged access management for administrative accounts

6. Incident Response Plan - Documented and Tested

An undocumented incident response plan isn't a plan, and an untested plan may not work when you need it.

Insurers are increasingly asking for evidence that an incident response plan exists, that it's been reviewed recently, and that it's been tested - typically through tabletop exercises where key personnel walk through simulated scenarios.

"Companies that prepare and practice incident response tend to have fewer security incidents," Geordie explains. "And the incidents that they do have tend to be lower in terms of the level of damage that's caused."

Your incident response plan must address:

  • Who makes decisions during an incident and what authority they have

  • When and how to notify your cyber insurer (critical - more on this below)

  • Who is authorised to communicate with customers and the public

  • When to engage external incident response experts

  • How to preserve forensic evidence

  • When and how to notify regulators

The notification requirement is particularly significant. "Companies are very, very focused on: quick, how do we get back to normal operating procedure? And they're not necessarily thinking about their contract with their cyber insurer, which might say you have to contact us within X number of hours of being aware of a breach," Geordie warns.

7. Board-Level Governance and Understanding

Insurers are increasingly asking for evidence that boards understand their cyber risk - not just that an IT administrator is managing things.

"There's been a little bit of a disconnect in the past that boards of companies haven't necessarily understood their cyber risk position," Geordie explains. "There's an expectation now from a lot of the insurers to say they need to see evidence that the board is being informed and managing the cyber risk position. It's not enough to have an administrator that's looking after things. It needs oversight as well."

What good board governance looks like:

  • A named board member with responsibility for cyber risk oversight

  • Regular reporting to the board on security posture and incidents

  • Documented review of independent security assessments

  • Board understanding of the specific threat model facing the organisation

  • Evidence the board has reviewed and approved the cyber insurance policy

"A well-optimised board is going to have a clear contract and set of accountabilities around cyber," Geordie notes. "There will be a board member responsible for cyber and there will be named people in the organisation with security responsibilities - or an outsourced partner like an MSP that looks after security operations."

 

The Evidence Problem: Why Controls Aren't Enough

Many organisations have implemented the controls above but still face difficulty at claim time. The reason is documentation - or the lack of it.

The shift Geordie describes from "presence" to "effectiveness" means you need evidence showing not just that controls exist, but that they're operating as intended.

"Whenever claims go to arbitration, typically this will be framed about the effectiveness of the control," he explains. "If you're asking: 'Do you have a firewall?' and the answer is: 'Yes, we've got one in a box in the cupboard and we've never plugged it in' - the technical answer might be yes, but the correct answer from an insurance point of view is: well, no. Because ultimately what an arbiter would look at is what was the industry best practice and were you following it?"

 

What Evidence to Retain

For each critical security control, you should be able to produce:

MFA and Access Controls:

  • Configuration reports showing MFA is enabled across all required systems

  • Access review logs showing regular review and updates

  • Records of access removal for departed staff

  • Reports from identity management systems showing current access state

Backup and Recovery:

  • Backup solution configuration and settings

  • Backup completion logs showing regular successful backups

  • Recovery test records showing successful restoration with dates and results

  • Recovery time and recovery point objective documentation

Patch Management:

  • Patch management policy (documented, dated, approved)

  • Vulnerability scan reports showing current patch status

  • Patch deployment records showing systematic approach

  • Exception management records for systems unable to be patched immediately

Security Monitoring:

  • Evidence of 24/7 monitoring capability (service agreement with MDR provider, or internal capability documentation)

  • Security event and alert logs

  • Evidence of alert investigation and response

Incident Response:

  • Written incident response plan (dated, version-controlled)

  • Tabletop exercise records with dates and participants

  • Any previous incident records showing response process followed

Independent Assessment:

  • Penetration test reports (typically expected annually for higher-value policies)

  • Security audit reports from qualified third parties

  • Management summaries from assessments shared with your board

"It's quite common for the insurer or the underwriter to say: can we have a copy of the executive summary from your most recent pen test report or your most recent audit of your IT partner?" Geordie notes. "A well-functioning board within an optimised company would have regular metrics about how their security processes are performing, clear accountabilities and job descriptions, a contract in place with an IT partner, and these management summaries of independent audits."

 

Why Claims Are Denied: The Five Most Common Failures

Understanding the specific reasons claims fail helps you address them before an incident occurs.

Failure 1: Control Warranties Breached

When you apply for cyber insurance, you make representations about your security controls. If an investigation reveals those representations were inaccurate - even if unintentionally - insurers can deny claims on the basis that the policy was issued on false premises.

"Companies will often have contracted services to manage elements of their security," Geordie explains. "And then in the event of a claim, when that service is under the microscope, companies find out that actually they weren't getting the service that they thought they were getting, or it was ineffective in some kind of way."

This often happens when businesses outsource security to IT providers who are MSPs (Managed Service Providers) rather than MSSPs (Managed Security Service Providers). The distinction matters enormously:

MSP (Managed Service Provider): Manages your IT systems - servers, devices, software, connectivity. Focuses on availability and performance. Security is typically not a core specialisation.

MSSP (Managed Security Service Provider): Specifically focused on security operations - threat detection, incident response, security monitoring, compliance. Security is the core offering, not a feature.

Many NZ businesses believe they have strong security because they have an MSP managing their IT. When a claim is investigated, it emerges that the MSP's contract didn't include the security monitoring, threat detection, or incident response capabilities the business assumed were in place.

If you've represented to your insurer that you have "managed security services," ensure your provider is actually an MSSP with documented security operations capabilities - not an MSP that includes basic security tools as part of general IT management.

Failure 2: Late or Missing Breach Notification

Cyber insurance policies typically require you to notify your insurer within a specific timeframe after becoming aware of a breach - often 48-72 hours, sometimes as short as 24 hours.

In the chaos of responding to an incident, this contractual requirement gets overlooked. Businesses focus on restoring operations and managing immediate impact. Days pass. When they eventually notify their insurer, they're told the notification clause has been breached.

"Some of the forensic information is lost and some of the information that a cyber insurer might want to retain as evidence is lost," Geordie notes. "Cyber insurers are taking a more robust line saying it's a breach of contract if you haven't honoured the notification provision and that is a widespread problem."

Your incident response plan must include immediate notification to your cyber insurer as a specific step, with the notification timeframe, contact details, and required information documented. This process needs to be followed regardless of what else is happening during the incident.

Failure 3: Forensic Evidence Destroyed

During incidents, organisations often take actions that inadvertently destroy forensic evidence insurers need to evaluate the claim and understand the breach.

Common examples:

  • Reimaging compromised systems before forensic analysis is completed

  • Deleting logs that might explain how the attacker gained access

  • Restoring systems from backup without preserving the compromised state

  • Allowing staff to use potentially compromised systems before investigation

Your incident response plan should specify that forensic preservation takes priority alongside business recovery - not after it.

Failure 4: Exclusions Not Understood

"We're also seeing challenges where people don't understand their exclusions," Geordie says. This typically flows from boards not understanding their risk position well enough to evaluate whether a policy's exclusions create significant uninsured exposure.

Common exclusions that catch organisations by surprise:

Nation-state exclusions: Some policies exclude attacks attributable to state-sponsored actors. Given NCSC's finding that a significant proportion of NZ incidents involve state-affiliated actors, this exclusion can be material.

Prior incidents: If you experienced an incident before the policy period that you didn't disclose, related claims may be excluded.

Systems covered: Older policies may not explicitly cover cloud systems, SaaS applications, or OT systems - a problem as businesses increasingly operate in these environments.

Reputational damage: "Cyber insurance can help you recover to where you were before the incident, but it can't recover reputation," Geordie notes. For professional services firms where trust is fundamental to the business model, this limitation is particularly significant.

Geordie uses what he calls "risk optics" to illustrate: "You could be a chain of veterinary clinics and have a cyber incident. It's not ideal, but people aren't going to think you're any less caring with animals if you've had a cyber breach. I'd contrast that with a law firm or a highly regulated firm where competence around privacy and cybersecurity is much closer to your value proposition."

For law firms and financial advisers, reputational damage from a cyber incident can significantly exceed the direct financial costs covered by insurance. This should inform both your security investment decisions and your insurance coverage evaluation.

Failure 5: Under-Coverage

"There are a number of organisations that we do cyber insurance reviews for, and we find that actually the types of cover that they're covered for are much more narrow than their risk profile suggests," Geordie observes. "And sometimes their level of cover is underneath what an actual incident might cost."

Coverage limits set several years ago may no longer reflect current incident costs. Forensics, legal advice, and incident response costs have increased significantly. Coverage that seemed adequate may now leave you substantially under-covered.

"Sometimes until you've been through an incident, you don't necessarily realise how complicated and how expensive it's going to be, especially when it comes to legal advice and forensics, which can get very expensive," Geordie notes.

Annual coverage reviews should assess not just whether controls still satisfy policy requirements, but whether coverage limits still reflect realistic incident costs for your organisation and industry.

 

The Maturity Shift: From "Do You Have It?" to "How Mature Is It?"

The most significant upcoming change in cyber insurance underwriting is the shift toward maturity-based assessment.

"We're much more seeing providers move towards a position where they're not talking about the presence or not of a control," Geordie explains. "They're talking about the maturity of a control and increasingly, we're seeing providers starting to adopt standardised ranges where, instead of giving a free text answer, they're inviting applicants to pick a maturity position from within a continuum."

This matters because it changes what "adequate" means. It's no longer enough to have MFA - you need MFA at an appropriate maturity level for your risk profile. Not just backups, but backups at a maturity level that means they reliably work when you need them.

Geordie anticipates this development will also affect independent assessment requirements: "By this time next year, depending on the type of cover and level of cover that people are applying for, they may find that some kind of independent review is compulsory or very heavily priced in."

A risk assessment that evaluates your controls against maturity frameworks - rather than just presence - gives you an honest view of where you stand and where investment is most needed.

 

Specific Considerations for Law Firms and Financial Advisers

Law firms and financial advisers warrant specific attention because they face higher exposure across multiple dimensions simultaneously.

Why the exposure is greater:

The information held by legal and financial services firms is among the most valuable to attackers. Client trust account details, personal financial information, confidential legal matters, transaction details, and corporate intelligence are all high-value targets.

"If you think of financials or law firms, sometimes the best way in isn't directly, it's via a supplier like a cleaning company because they tend to be an easier target," Geordie explains, describing supply chain attacks where professional services firms are the ultimate target but accessed through easier third-party entry points.

Business Email Compromise is your primary threat:

BEC is the most common cyber claim overall, but professional services firms face disproportionate exposure. Attackers access email accounts and send fraudulent payment instructions to accounts payable or clients. Law firm trust accounts are a frequent specific target.

"There are so many companies out there that would just transfer large amounts of money because of an e-mail from the CEO with no process or purchase order or verification of any other type," Geordie notes. With AI-generated deepfakes making it increasingly possible to create convincing video of executives or partners instructing urgent payments, this risk is growing.

Robust financial controls - verification procedures for payment instructions regardless of communication channel, dual authorisation for significant transfers, out-of-band confirmation for unusual requests - are both security controls and insurance requirements for this sector.

Reputational consequences are more severe:

As Geordie's "risk optics" concept describes, professional services firms have more to lose reputationally from cyber incidents than many other businesses. "Competence around privacy and cybersecurity is much closer to your value proposition and your presentation to the market, which might rely a lot more centrally on trust."

This means cyber insurance - while important - cannot be your primary risk management strategy. Insurance returns you to your financial position before the incident. It cannot restore the trust that professional services clients place in firms handling their most sensitive matters.

Regulatory obligations add exposure:

Law firms operating under Law Society regulations and financial advisers under the Financial Markets Authority face regulatory consequences for data breaches that extend beyond immediate incident costs. Fines, licence implications, and mandatory client notifications create additional exposure that your insurance coverage should explicitly address.

Data retention creates liability:

Many professional services firms hold data for extended periods - sometimes indefinitely - either from habit or from a conservative interpretation of professional obligations. "A lot of businesses just seem to be hanging on to data which isn't necessarily a lot of value to the business, but is a huge liability," Geordie observes.

Review data retention policies. Holding client data longer than required creates exposure without benefit. If a breach exposes records for clients you haven't worked with for a decade, managing the aftermath - notification obligations, reputation with former clients, regulatory scrutiny - is significantly more complex than if you'd followed appropriate retention and deletion practices.

 

A Step-by-Step Pre-Renewal Checklist

Geordie recommends a mini-audit three months before renewal to identify and address issues before they affect eligibility or pricing. Use this checklist as a starting framework:

Security Controls

  • MFA enabled on all email platforms, remote access, cloud services, and privileged accounts

  • Device authentication (Conditional Access) implemented for high-sensitivity access

  • Immutable backups configured and isolated from production environment

  • Backup restoration tested successfully in the last 6 months (documented)

  • 24/7 security monitoring in place (MDR provider or documented internal capability)

  • Patch management policy documented with defined timeframes

  • Vulnerability scanning running regularly with results reviewed

  • Access controls reviewed in the last 3 months

  • Departed employee access revoked systematically and promptly

  • Lateral movement controls in place (network segmentation, least-privilege access)

Documentation and Evidence

  • Management reports available showing key control status (firewall, patching, access)

  • Independent security assessment completed in the last 12 months

  • Penetration test report available (executive summary for insurer if requested)

  • Evidence of regular backup completion logs

  • Access review records documenting who has access to what and why

Incident Response

  • Written incident response plan (reviewed and updated in last 12 months)

  • Tabletop exercise conducted in the last 12 months (records kept)

  • Cyber insurer notification timeframe documented and known to response team

  • Insurer contact details immediately accessible during incidents

  • Forensic evidence preservation steps included in response plan

  • Clear authority documented: who makes decisions, who communicates externally

Board and Governance

  • Named board member with cyber risk responsibility

  • Board receives regular security reporting

  • Board has reviewed and understands current insurance coverage and exclusions

  • Board can articulate the key threat model facing the organisation

  • Independent assessment findings reported to board

Insurance Coverage Review

  • Coverage limits reviewed against current realistic incident costs

  • Exclusions understood and any significant gaps identified

  • Policy explicitly covers cloud systems, SaaS applications used

  • Nation-state exclusion understood and coverage implications assessed

  • MSP/MSSP arrangements match what was represented in application

The Role of a vCISO in Insurance Readiness

For SMBs without internal security expertise, a Virtual CISO (vCISO) provides the executive-level security leadership that both insurers and boards increasingly expect - without the cost of a full-time hire.

A vCISO can:

  • Conduct the pre-renewal assessment described above

  • Present security posture to the board in terms they understand

  • Provide the independent view of risk position that insurers want to see evidenced

  • Develop and maintain the incident response plan

  • Oversee tabletop exercises

  • Communicate with insurers and respond to underwriter queries

"A well-optimised board will have a clear contract and set of accountabilities around cyber. There will be a board member responsible for cyber and there will be named people in the organisation with security responsibilities or an outsourced partner," Geordie explains.

For organisations where a named internal person with genuine security expertise isn't practical, a vCISO engagement provides that oversight and accountability in a form insurers recognise.

 

Conclusion: The Gap Between Coverage and Protection

New Zealand's cyber insurance market has matured significantly. The questionnaires are harder. The evidence standards are higher. The investigations at claim time are more thorough. And the denials are more frequent.

Organisations that treat insurance as a substitute for adequate security controls - that assume the policy will cover what their controls don't prevent - are operating on a misunderstanding that will become very expensive when tested.

"Sometimes there's a temptation for some clients to think: we've got cyber insurance in place, so that means we don't need to worry quite so much about our internal controls because we're insured," Geordie observes. "The first challenge is that if controls slip and they're material to eligibility of cover, the client could easily find themselves in a place where they're denied coverage. The other piece is that insurance doesn't fully cover the impact of a cybersecurity event."

Insurance is an important component of cyber risk management - but only if your controls are adequate, your documentation is maintained, and your incident response is prepared. Without those foundations, you have a policy that may not pay out when you need it most.

The businesses that navigate cyber incidents successfully are those that built their defences before they needed them, maintained the evidence that those defences were working, and had practiced their response before the real test arrived.

That preparation happens before the incident - not during it.

 

Assess Your Insurance Readiness Before Renewal

If you're approaching renewal and uncertain whether your controls, documentation, and incident response preparation meet current insurer expectations, a cyber risk assessment provides the independent view insurers want to see and the clarity you need to address gaps.

NSP's team - including our CISO Geordie Stewart - regularly works with New Zealand organisations preparing for cyber insurance applications and renewals, responding to underwriter queries, and building the security posture that supports coverage and claim success.

We provide:

Book a cyber risk assessment consultation to understand your current position and address gaps before renewal - or call 0508 010 101 to speak with our team directly.

We serve organisations throughout New Zealand including law firms, financial advisers, and professional services businesses who need security that satisfies both operational requirements and insurance expectations.

The content in this article draws on NSP CISO Geordie Stewart's presentation to IBANZ members on cyber insurance in 2026, combined with practical experience working with New Zealand organisations through insurance assessments and cyber incidents. You can watch our latest webinar on this here: IBANZ Webinar - YouTube
