Most cyber insurance claims fail because the business didn't understand what it had actually signed up for.
That's a problem worth talking about - especially in New Zealand, where cyber insurance has become one of the most misunderstood parts of a company's risk strategy.
We recently presented in an IBANZ (Insurance Brokers Association of New Zealand) webinar covering exactly this. Our CISO, Geordie Stewart, set out where businesses are getting caught out, what insurers are actually looking for, and what's coming next.
A few years ago, getting cyber cover was relatively painless. Fill in a questionnaire, answer a few high-level questions, get your policy. Most underwriters took your word for it.
That era is over.
Underwriters have gotten a lot smarter and a lot more demanding. They're no longer asking whether you have certain security controls. They're asking whether those controls are actually working. That's a different question, and the gap between those two answers is where a lot of NZ businesses are getting caught.
Think of it this way. If someone asked "do you have a lock on your front door?" you'd say yes. But if they asked "is your front door actually locked, right now, and has it been tested recently?" - that's a harder question to answer confidently.
That's the shift that's happened in cyber insurance underwriting, and if your business hasn't caught up with it, you may be paying for cover that won't pay out when you need it.
Let's be direct about this:
Having a control isn't the same as having an effective control.
This is the most common reason cyber claims fail. When you apply for cyber insurance, the questions are usually about the presence of controls - do you have a firewall, do you have antivirus, do you have multi-factor authentication? And businesses answer yes.
But when a claim goes to arbitration, the question changes entirely. Arbitrators aren't asking whether you had the control. They're asking whether it was deployed and operating in line with industry best practice. A firewall that hasn't been configured properly, or a backup system that's never been tested, won't count. The claim fails.
Missing the notification window.
Most cyber policies require you to notify your insurer within a specific timeframe of becoming aware of a breach. When something goes wrong, the instinct is to fix it first and deal with everything else later. That's understandable. But if you miss the notification window, your insurer has grounds to decline the claim entirely - regardless of whether the breach would otherwise be covered.
Not understanding your exclusions.
This sounds basic, but it's remarkably common. Boards approve cyber insurance policies without a clear understanding of what's actually excluded. The policy gets filed away, then something happens and it turns out the specific type of incident isn't covered.
Assuming your supplier's insurance covers you.
We hear this one regularly. "Our IT provider has cyber insurance, so we're covered." You're not. You have no visibility into whether their policy is valid, whether their controls meet the requirements of that policy, or whether a claim on their policy would extend to cover your losses. It won't. Get your own cover, and understand what it says.
Here's a useful way to look at it. About twenty percent of the controls address eighty percent of cyber risk. Underwriters know this, so while there's a long list of things they'll ask about, there's a shorter list they actually care most about.
Multi-factor authentication (MFA) - This is the big one. MFA means that logging into your systems requires more than just a password - it also requires a second factor, like a code sent to your phone. If you don't have this in place across your critical systems, you'll either struggle to get cover or pay a significantly higher premium. The gold standard now is device authentication - where the login also requires an approved device, not just a code. That makes it much harder for someone to access your systems even if they have your password and your PIN.
24/7 monitoring - Attackers don't work business hours. A lot of NZ businesses have IT support from 8am to 5pm on weekdays. That leaves every evening, every weekend, and every public holiday as an open window. Underwriters want to see that someone - or something - is watching your systems around the clock, not just when the office is open.
Immutable backups - Backups that can't be deleted, even by an administrator. This matters because ransomware attackers figured out years ago that deleting backups is part of the attack. Immutable backups mean there's always a clean copy that can't be touched. It's the difference between paying a ransom and restoring from backup and being operational within hours.
Incident response readiness - This is one that surprises people. Insurers have found that businesses which prepare and practise their incident response not only have fewer incidents - they also suffer less damage when incidents do occur. So underwriters are increasingly asking for evidence that a plan exists and has been tested. Not a 100-page document. Just a clear answer to: who's in charge when something goes wrong, who calls the insurer, who talks to customers, and who contacts regulators.
Board-level understanding - This keeps coming up because insurers keep asking for it. A board that can articulate its cyber risk position - who the threats are, what they're after, and how the company is protected - is a very different risk from a board that has delegated everything to an IT person and has no visibility. Independent reviews, clear accountability, and regular reporting to the board are all things underwriters want to see evidence of.
It helps to understand what you're actually protecting against. The mental image of a cyber attack - hooded figure, glowing screens - is not what's causing losses in New Zealand businesses right now.
Business email compromise is the number one claims driver - This is when someone gains unauthorised access to an email account - usually because MFA isn't enabled - and uses it to commit fraud. The most common version is straightforward: they get into a mailbox, find financial information and relationships, manufacture a convincing invoice, and send it to the accounts payable team with a message to pay it urgently. Because it comes from a trusted email address, it often just gets paid. The money disappears into a network of accounts and is rarely recovered.
Banking smishing is rampant and underreported - Over the last 12 months in New Zealand, there has been a significant wave of SMS phishing targeting business bank accounts. People receive a text purportedly from their bank, urgency is created, and they're tricked into handing over login credentials or installing remote access software. This is happening far more often than it's being reported.
Cloud misconfiguration is a leading cause of NZ incidents - As businesses move more of their operations to cloud environments, the security of those environments needs active management. A lot of cloud setups were done quickly, security settings weren't configured properly, and attackers know exactly where to look.
Supply chain attacks are increasing - Sometimes the easier route into a well-protected business is through a supplier. A law firm might have solid security. Their cleaning company or stationery supplier might not. Attackers go for the easier target and use that access as a stepping stone. This is now a mainstream attack pattern, not an edge case.
Cyber insurance will help you recover financially from an incident. It can cover forensics, legal fees, emergency support, call centre costs, and notification expenses. That's genuinely valuable - those costs add up fast.
What it can't do is restore your reputation.
And this is where a lot of businesses underestimate their real exposure.
Not every business faces the same reputation risk from a breach. A vet clinic that has a data incident will face some customer frustration but nobody's going to question whether the vets are still competent at treating animals.
A law firm is a different story. Client confidentiality isn't just a feature of what they do - it's the entire basis of the relationship. A breach doesn't just expose data. It calls into question the firm's fundamental ability to protect what clients trusted them with. Insurance can cover the financial costs. It can't rebuild that trust.
The same logic applies to financial advisers, healthcare providers, accountants, and anyone else whose clients came to them because of trust rather than price. The higher your reputation risk, the more important it is to get your security right in the first place - not just to have insurance as a backstop.
This one deserves its own section because it's moving faster than most businesses realise.
Every smartphone already has the capability to clone a voice or generate a convincing video of someone else from publicly available footage. That technology is not experimental; it's in your pocket.
The current wave of business email compromise works because a fake email from a known address is convincing enough for a lot of people. AI spoofing is that same attack - except instead of a text email, it's a video of your CEO or a voice note from your manager or a call that sounds exactly like someone you work with.
We're already struggling to manage the text-based version of this problem. Most businesses still don't have robust financial verification processes - payments get authorised on the basis of a single email or a quick call. When AI-generated fraud becomes the delivery mechanism, that vulnerability becomes much more serious.
The fix isn't a technical one; it's a process one. No payment above a certain threshold should be authorised through a single channel, regardless of how convincing it looks or sounds. That means two-person sign-off and out-of-band verification - confirming through a completely separate channel before acting. These are straightforward process controls, and most businesses don't have them.
The role of a broker in cyber insurance has changed significantly. The market has matured to the point where placing cover isn't the whole job anymore.
Your clients need someone who can help them understand what insurability looks like today and what it will look like at their next renewal. They need someone who can spot the gap between "we have that control" and "that control is actually working." They need a trusted adviser, not just a policy processor.
A practical approach: do a review with your clients three months before renewal. Check that nothing material has changed in their security position. Give them time to fix anything that needs fixing. The worst-case scenario - discovering a problem the week before renewal - is entirely avoidable with a bit of lead time.
The businesses that work with brokers who take this advisory role seriously end up with better cover, better premiums, and no nasty surprises at claim time. That's a strong value proposition. It's worth leading with.
To make this practical - here's the checklist of what genuinely prepared looks like from both a security and insurability standpoint.
MFA on everything that matters - email, remote access, financial systems, cloud environments. Actively managed, not just switched on.
Device authentication on email - so that even stolen credentials can't be used from an unknown device.
Immutable, tested backups - backed up in a way that can't be deleted, and actually restored in a test at least once a year.
24/7 behavioural monitoring - not just antivirus. Something that spots unusual patterns, odd login times, unexpected data access.
Limited access by need - not everyone needs everything. Old data archived, not live. One compromised account shouldn't mean full compromise.
A board that can explain its cyber risk position - named accountability, independent reviews, regular reporting.
A practised incident response plan - short, clear, tested. Who does what, who calls who, in what order.
Robust financial verification processes - two-person authorisation, out-of-band confirmation, no single-channel approvals for significant payments.
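To show what the payment control described above (two-person sign-off plus out-of-band confirmation, with no single-channel approvals) looks like when written down as a rule rather than a habit, here is an added example; it is not NSP's code, and the threshold, names and channel labels are assumptions.

```python
"""Payment release check: two-person sign-off plus out-of-band confirmation.

Added example, not NSP's code. Models the process control in the post: a
payment over the threshold cannot be released on the strength of a single
channel, however convincing the request looks. All values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

THRESHOLD_NZD = 10_000  # assumed policy threshold; each business sets its own


@dataclass
class PaymentRequest:
    payee: str
    amount_nzd: float
    request_channel: str                 # channel the request arrived on, e.g. "email"
    approvals: Set[str] = field(default_factory=set)
    confirmed_via: Optional[str] = None  # separate channel used to confirm with the payee


def approve(req: PaymentRequest, approver: str) -> None:
    """Record a named approver; a set means the same person cannot count twice."""
    req.approvals.add(approver)


def confirm_out_of_band(req: PaymentRequest, channel: str) -> None:
    """Record confirmation; it must come through a different channel from the request."""
    if channel == req.request_channel:
        raise ValueError("confirmation must use a channel separate from the request")
    req.confirmed_via = channel


def release_allowed(req: PaymentRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Over-threshold payments need two distinct
    approvers and an out-of-band confirmation before funds move."""
    if req.amount_nzd <= THRESHOLD_NZD:
        return True, "below threshold"
    if len(req.approvals) < 2:
        return False, "needs a second approver"
    if req.confirmed_via is None:
        return False, "needs out-of-band confirmation"
    return True, "two-person sign-off and out-of-band confirmation present"


if __name__ == "__main__":
    # Constructed scenario: an urgent invoice arriving by email from a trusted address.
    req = PaymentRequest("Supplier Ltd (constructed)", 48_500, "email")
    approve(req, "accounts.payable")
    print(release_allowed(req))            # blocked: only one approver
    approve(req, "finance.manager")
    print(release_allowed(req))            # still blocked: no out-of-band confirmation
    confirm_out_of_band(req, "phone-known-number")
    print(release_allowed(req))            # allowed
```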
None of these are exotic. Most are straightforward to implement, but across New Zealand a significant number of businesses are missing several of them and don't know it until they need to make a claim.
Cyber insurance is worth having. For the things it covers, it earns its place in a risk strategy. But it works best as the last line of defence behind genuinely good security - not as a substitute for it.
The market is actively rewarding businesses that treat security seriously. Better controls mean better premiums, broader coverage, and a much smoother experience if you ever need to claim. The businesses treating cyber insurance as a tick-box exercise are paying for a safety net that may not catch them when they fall.
The threats are real. The incidents are happening across New Zealand right now - most just don't make the news. The question isn't really whether your business is a target. It's whether you're ready.
NSP is a New Zealand-owned cybersecurity provider operating a local Security Operations Centre. We work with businesses across insurance, legal, finance, healthcare, and manufacturing to get their security posture in genuinely good shape.
This blog draws on insights from our recent IBANZ webinar, Cyber Insurance in 2026: What Gets Covered, Denied, or Priced Out - presented by NSP Chief Information Security Officer Geordie Stewart. Watch the full webinar here.
Want to know where your business stands? Talk to our team.