Cyber insurance feels like a sensible safety net. You pay the premium, something goes wrong, the insurer covers the damage. That's the deal, or so most business owners assume.
Here's what's actually happening: nearly one in four cyber insurance claims globally are being denied. In some analyses of 2024 and 2025 data, that figure climbs above 40%. Businesses that paid their premiums on time, disclosed their details honestly, and genuinely believed they were covered are finding out after an attack that the payout isn't coming.
The reason, almost universally, isn't fine print trickery. It's this: the business didn't maintain the security controls the policy assumed they had.
Cyber insurance is not a replacement for cybersecurity. It's a contract that assumes you're running a basic security programme and can prove it. If you can't prove it when the claim lands on the underwriter's desk, the claim fails.
For NZ businesses, this matters more than ever. The Privacy Act 2020 has raised the legal cost of a data breach. The NCSC recorded $26.9 million in direct financial losses across NZ cybercrime in 2024/25. And underwriters - the people who actually price and approve your policy - have gotten significantly smarter about what they're buying when they insure your business.
This post covers exactly what that security baseline looks like, why each control matters, and how to know whether your business actually has it - or just thinks it does.
To understand what the baseline needs to look like, it helps to understand what changed.
A few years ago, cyber insurance was relatively accessible. Application forms were short. Questions were general. Underwriters had limited ability to verify what businesses were actually running. Premiums were modest and claims were largely paid.
Then the losses started mounting. Ransomware attacks became more frequent, more damaging, and more expensive to remediate. Insurers started paying out significantly more than they'd modelled. The response was predictable: tighten the underwriting standards, raise the evidence bar, and enforce the policy conditions more rigorously at claims time.
The result is the environment NZ businesses are operating in now. Underwriters are no longer asking whether you have security controls. They're asking whether those controls are working, documented, and maintained. And they have increasing capability to verify what you've told them - including through post-breach forensic investigation that will reveal exactly what your environment looked like before the attack.
NSP's Chief Information Security Officer Geordie Stewart summed up the shift at the IBANZ webinar in April 2026: "Having a control isn't the same as having an effective control. That's the most common reason cyber claims fail."
If your MFA isn't deployed everywhere it needs to be, your backups haven't been tested, or your patches aren't being applied on a defined schedule - the insurer may have grounds to deny your claim entirely, even if those gaps had nothing to do with how the attacker got in.
That's not a technicality. That's the deal you signed when you took out the policy.
Here's what NZ underwriters are looking for in 2026. It's the baseline that most reputable cyber insurers will ask about on the application form and verify at claims time.
MFA is the single most scrutinised control in cyber insurance underwriting. It is, as one NZ insurance adviser put it, "almost universally required as a baseline." Saying "we're working on it" is not an answer underwriters will accept for email access, and applying MFA only partially is almost as dangerous as not having it at all.
Why? Because a single unprotected login path is enough. If an attacker gains access through one account that wasn't covered by MFA, the insurer can argue that you failed to maintain the security standard the policy assumed. The $18.3 million ransomware claim filed by the City of Hamilton was denied for exactly this reason - MFA hadn't been rolled out completely across all departments. The insurer had recommended the rollout two years earlier. The claim was still denied in full.
MFA needs to be deployed on: email, remote access tools, VPNs, RDP, admin and privileged accounts, backup consoles, and cloud applications. Not most of those things. All of them.
Document where MFA is enabled. Keep that documentation current. If you make changes to your environment, update the record. This is the evidence you'll need if a claim is investigated.
The question underwriters ask isn't "do you have backups?" It's "are your backups tested, immutable, and isolated?"
These are three distinct requirements and each one matters.
Tested means you've actually run a restoration exercise and confirmed that your data can be recovered to a functional state within an acceptable timeframe. Running backups that have never been restored is not the same as having a working backup. You're assuming they work. That assumption has been an expensive lesson for a lot of businesses.
Immutable means backups that can't be deleted or modified - not even by an administrator. This matters because ransomware attackers routinely target and destroy backups as part of the attack. If your backups can be deleted by anyone with admin access, attackers with those credentials can eliminate your recovery options before you even know you've been hit.
Isolated means your backups are not directly accessible from your main network environment. Connected backups are vulnerable backups. Offline or air-gapped copies are your true last line of defence.
Keep logs of backup runs and, critically, logs of restoration tests. Insurers will ask for them. Frequency matters too - daily backups are the standard most underwriters expect.
"Antivirus" as a concept has largely been replaced in underwriting conversations by EDR - Endpoint Detection and Response. The distinction is meaningful.
Antivirus looks for known threats based on signatures. EDR monitors behaviour across your endpoints and can detect threats that haven't been seen before - including the fileless malware and living-off-the-land techniques that modern ransomware groups routinely use to evade signature-based detection.
Most NZ cyber insurance application forms will now ask specifically about EDR deployment, not antivirus. Partial deployment - some endpoints covered, some not - is a gap that underwriters will note, and that will affect both your premium and your coverage terms.
EDR needs to be deployed across all endpoints: workstations, servers, and laptops. Coverage gaps are coverage risks.
Unpatched systems carry documented, publicly listed vulnerabilities. When a security patch is released, the window between release and exploitation by attackers can be days. Businesses without a structured patching process leave that window open indefinitely.
The insurance requirement isn't perfection - it's process. Underwriters want to see that patches are applied on a defined schedule (monthly as a minimum), that critical patches are prioritised and applied quickly, and that you have records showing when patches were applied.
The Cottage Health case is instructive: their cyber insurance claim was denied after a breach because post-incident investigation revealed that security patches hadn't been regularly maintained. That failure was explicitly referenced in their policy conditions as grounds to void coverage.
Keep patching logs. Record when patches are applied, to which systems, by whom. This isn't bureaucratic overhead - it's the documentation that protects your claim.
This one surprises a lot of business owners. Having an incident response plan - a written document that defines what happens in the first hours of a cyber incident - is increasingly required by underwriters, and businesses that have one and have practised it genuinely recover faster and with less damage.
The threshold isn't a 50-page document that lives in a folder no one can find. It's a written plan that names who calls whom in the first four hours, where the backups are, which lawyer you call, how you notify clients, and how you communicate with your insurer.
Speaking of insurers: most cyber policies require notification within 48 to 72 hours of discovering a potential incident. Not 48 hours after you've figured out what happened - 48 hours after you first suspected something was wrong. Seventeen percent of all cyber insurance claim denials in 2025 happened because the business reported too late. The instinct to manage it internally first, to figure out what's happening before calling anyone, is completely understandable. It also voids a lot of claims.
Your incident response plan should include your insurer's claims line number and the instruction to call it early, even before the picture is clear.
Some insurers offer a discount for businesses that have run a tabletop exercise in the last 12 months - a facilitated simulation of a cyber incident that stress-tests your plan and reveals the gaps before a real event does. If your plan hasn't been tested, it hasn't been validated.
Attackers don't work business hours. Most cyberattacks happen outside of the typical 9-to-5 window - evenings, weekends, public holidays. An IT team that goes home at 5pm leaves the environment unmonitored for the other 16 hours of the day.
Underwriters are increasingly looking for evidence that systems are being watched around the clock, not just during business hours. This doesn't necessarily mean hiring overnight IT staff - it means having monitoring tools or a managed service with 24/7 coverage that will detect and alert on suspicious activity regardless of when it occurs.
For NZ SMEs, Managed Detection and Response (MDR) is typically the most practical way to achieve this. It provides continuous monitoring without requiring a business to build or staff a security operations capability internally.
This is the nuance that catches most businesses out. When you apply for cyber insurance, the questions on the form ask about the presence of controls. Do you have MFA? Do you have backups? Do you have an incident response plan?
The temptation is to answer yes based on partial implementation. MFA is deployed on email, so you say yes. Backups run overnight, so you say yes. There's a rough plan somewhere, so you say yes.
The problem surfaces at claims time, when forensic investigation reveals the actual state of your environment. MFA was only on email - not on the cloud applications the attacker accessed. Backups were running, but they were connected to the same network the ransomware encrypted. The incident response plan hadn't been reviewed in two years and named a staff member who left the company.
The insurer's position: you misrepresented your security posture on the application. Even if unintentionally. The claim fails.
This is why a cyber insurance readiness assessment is valuable before you apply for or renew coverage - not after an incident. It maps the gap between what you think you have and what you actually have, so you can answer the application form accurately and address the gaps before they become expensive.
Cyber insurance in New Zealand operates against a specific regulatory backdrop that affects both what you need to disclose and what a breach actually costs you.
The Privacy Act 2020 introduced a Notifiable Privacy Breach regime. If your business experiences a breach involving personal information that is likely to cause serious harm to affected individuals, you are legally required to notify both the affected individuals and the Privacy Commissioner. Doing this poorly - or failing to do it - is increasingly visible in the Privacy Commissioner's annual reports and creates legal exposure that compounds the direct financial damage of the breach.
Third-party cyber liability coverage - which covers legal costs and damages arising from your breach affecting others - is increasingly relevant as supply chain attacks grow. If your business is a service provider to larger organisations, a breach in your environment that exposes their data creates liability on both sides. Your cyber insurance policy needs to reflect this exposure.
The NCSC's Minimum Cyber Security Standards, published in October 2025, establish a framework for cybersecurity practice that - while currently mandated only for public sector agencies - represents the direction of travel for what "reasonable security" looks like in a NZ context. Private sector businesses that can demonstrate alignment with these standards are in a stronger position with underwriters and in a stronger legal position if their security practices are ever scrutinised.
Before you apply for cyber insurance - or before you renew - work through this honestly.
MFA
Is MFA deployed on email for all staff?
Is MFA deployed on remote access tools, VPNs, and RDP?
Is MFA deployed on admin and privileged accounts?
Is MFA deployed on cloud applications?
Is MFA deployed on backup consoles?
Is there documentation of where MFA is enabled?
Backups
Are backups running daily?
Are backups immutable - unable to be deleted even by admins?
Are backups stored offline or in isolated cloud storage?
Have backups been tested with a successful restoration in the last 12 months?
Are backup test logs retained?
Endpoint Protection
Is EDR deployed on all endpoints (workstations, servers, laptops)?
Is EDR coverage complete - no devices without it?
Patching
Is there a defined patching schedule (monthly minimum)?
Are critical patches applied promptly?
Are patching logs maintained?
Incident Response
Is there a written incident response plan?
Does it name specific people for specific roles?
Does it include the insurer's claims line and the instruction to notify early?
Has the plan been reviewed in the last 12 months?
Has a tabletop exercise been run in the last 12 months?
Monitoring
Is there 24/7 monitoring of your environment?
Will you be alerted to suspicious activity outside business hours?
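The checklist above is a yes/no self-assessment. The point the post keeps returning to is that underwriters and claims investigators evaluate dated evidence, not answers. The following Python script is an added example, not NSP's assessment tool or any insurer's, that runs the same checklist questions against a constructed control inventory (the MFA surface list, endpoint inventory, backup and patch logs, and incident response dates are all hypothetical) and reports each "partially" as a named gap rather than a "yes":

```python
"""Readiness check over a constructed control inventory (added example).

Each check mirrors a checklist question but is evaluated against dated
records, so a partial answer surfaces as a named gap. All names, hosts
and dates below are hypothetical.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Login surfaces the post says must all be behind MFA (all, not most).
REQUIRED_MFA_SURFACES = {"email", "remote_access", "vpn", "rdp",
                         "admin_accounts", "backup_console", "cloud_apps"}


@dataclass
class Evidence:
    as_of: date                     # date the assessment is run
    mfa_enforced: dict              # surface -> True if MFA is enforced
    endpoints: dict                 # hostname -> True if the EDR agent reports in
    backup_runs: list               # dates on which a backup job completed
    restore_tests: list             # dates of successful restoration exercises
    backups_immutable: bool         # copies cannot be altered, even by admins
    backups_isolated: bool          # copies not reachable from the main network
    patch_log: list                 # (date, system, applied_by) records
    ir_plan_reviewed: date          # last review of the written IR plan
    tabletop_exercise: date         # last facilitated simulation
    ir_plan_has_insurer_line: bool  # plan names the claims line, says call early


def previous_months(as_of, count):
    """(year, month) keys for the `count` complete months before `as_of`."""
    year, month, keys = as_of.year, as_of.month, []
    for _ in range(count):
        month -= 1
        if month == 0:
            year, month = year - 1, 12
        keys.append((year, month))
    return keys


def assess(ev):
    """Return the gaps a post-breach claims investigation would find."""
    gaps = []
    year_ago = ev.as_of - timedelta(days=365)
    missing_mfa = sorted(s for s in REQUIRED_MFA_SURFACES if not ev.mfa_enforced.get(s))
    if missing_mfa:
        gaps.append("MFA missing on: " + ", ".join(missing_mfa))
    no_edr = sorted(h for h, ok in ev.endpoints.items() if not ok)
    if no_edr:
        gaps.append("EDR missing on: " + ", ".join(no_edr))
    # Daily backups: expect a completed run on each of the last seven days.
    expected = {ev.as_of - timedelta(days=i) for i in range(1, 8)}
    missed = expected - set(ev.backup_runs)
    if missed:
        gaps.append(f"backup runs missed on {len(missed)} of the last 7 days")
    if not ev.backups_immutable:
        gaps.append("backups are not immutable")
    if not ev.backups_isolated:
        gaps.append("backups are reachable from the main network")
    if not any(d >= year_ago for d in ev.restore_tests):
        gaps.append("no successful restoration test in the last 12 months")
    # Monthly minimum: each recent month needs at least one logged patch run.
    patched = {(d.year, d.month) for d, _system, _who in ev.patch_log}
    for year, month in previous_months(ev.as_of, 3):
        if (year, month) not in patched:
            gaps.append(f"no patching recorded for {year}-{month:02d}")
    if ev.ir_plan_reviewed < year_ago:
        gaps.append("incident response plan not reviewed in the last 12 months")
    if ev.tabletop_exercise < year_ago:
        gaps.append("no tabletop exercise in the last 12 months")
    if not ev.ir_plan_has_insurer_line:
        gaps.append("incident response plan omits the insurer's claims line")
    return gaps


def with_fixes(ev, **changes):
    """Copy of the evidence with some fields updated, for what-if runs."""
    return replace(ev, **changes)


def sample_evidence():
    """Constructed inventory for a hypothetical business with typical gaps."""
    as_of = date(2026, 5, 1)
    return Evidence(
        as_of=as_of,
        mfa_enforced={"email": True, "remote_access": True, "vpn": True,
                      "rdp": False, "admin_accounts": True,
                      "backup_console": False, "cloud_apps": True},
        endpoints={"ws-01": True, "ws-02": True, "srv-file": False},
        backup_runs=[as_of - timedelta(days=i) for i in range(1, 8)],
        restore_tests=[date(2025, 2, 14)],
        backups_immutable=True,
        backups_isolated=False,
        patch_log=[(date(2026, 4, 8), "ws-01", "it-admin"),
                   (date(2026, 2, 11), "srv-file", "it-admin")],
        ir_plan_reviewed=date(2025, 11, 3),
        tabletop_exercise=date(2024, 9, 10),
        ir_plan_has_insurer_line=True,
    )


if __name__ == "__main__":
    for gap in assess(sample_evidence()):
        print("GAP:", gap)
```

Run as-is, the sample inventory produces six gaps: MFA absent on RDP and the backup console, one server without EDR, backups reachable from the main network, a restoration test older than 12 months, a month with no patching recorded, and a stale tabletop exercise. Each of those is a question the business could truthfully have answered "yes" to on a form that only asks about presence. Feeding `with_fixes` a corrected field shows which gaps close, which is the same view a readiness assessment gives before the application is submitted.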
If you have gaps in this list, you have two options: fix them before you apply, or disclose them accurately on the application form and accept that they may affect your coverage terms and premium.
What you shouldn't do is answer yes when the honest answer is "partially" or "we think so." That's the path to a denied claim when you need the cover most.
A practical benefit of getting the security baseline right before you apply: it directly affects what you pay.
Underwriters price premiums based on risk. A business with documented MFA across all systems, tested immutable backups, EDR on every endpoint, a maintained patching programme, and a practised incident response plan represents a materially different risk profile than one without those controls. That difference shows up in both the premium and the coverage terms available to you.
Businesses that demonstrate a strong security posture also have more options. Insurers compete for well-secured risks. Businesses with weak postures may find coverage limited, laden with exclusions, or simply unavailable at a price that makes sense.
The security work you do to be properly insurable isn't just the cost of buying the policy. It's also what reduces the likelihood of ever needing to make a claim in the first place.
If you're not sure where your business stands against the baseline described in this post, a cyber insurance readiness assessment is the most direct way to find out.
NSP runs these specifically for NZ businesses. We map your current security controls against what NZ underwriters are looking for, identify the gaps, and give you a clear priority list for what to address before you apply or renew. We also run tabletop exercises that test your incident response plan against realistic scenarios - the kind of preparation that both reduces your risk and demonstrates to insurers that you take this seriously.
The goal isn't to make the application form look good. It's to make the security posture genuinely good - so that if something does go wrong, your claim is the last thing you have to worry about.
Do I need to have all these controls in place before I can get cyber insurance?
Not necessarily - but gaps will affect your coverage terms, your premium, and potentially your ability to make a successful claim. Some insurers will quote with conditions or exclusions where controls aren't in place. Others won't quote at all. The stronger your posture, the more options you have and the more favourable the terms.
What happens if I answer the application form inaccurately?
If a post-breach investigation reveals that your application contained inaccurate information - even unintentionally - the insurer may have grounds to deny the claim or void the policy entirely. This is one of the most common and most avoidable reasons claims fail. If the honest answer to a question is "partially" or "with some exceptions," say so and provide detail. Transparency protects you at claims time.
How quickly do I need to notify my insurer after a breach?
Most NZ cyber policies require notification within 48 to 72 hours of discovering a potential incident. The clock starts when you first suspect something is wrong - not when the investigation is complete. Report first, investigate simultaneously. Delayed notification is one of the most common reasons claims are denied.
Is cyber insurance worth it if my security posture isn't strong yet?
Getting the security fundamentals right and getting cyber insurance aren't sequential - they're parallel. You can buy cover while improving your posture, but be accurate on the application form about where you are. A cyber insurance readiness assessment will give you a clear picture of both what to prioritise and what to disclose.
What does cyber insurance actually cover?
Typically: forensic investigation costs, legal fees, notification costs under the Privacy Act, emergency IT support, ransom negotiation support, business interruption losses, and regulatory defence. What it doesn't cover automatically: social engineering and wire fraud (usually requires a specific endorsement), losses from pre-existing breaches you knew about, and incidents where you failed to maintain required security controls. Read your policy wording, not just the summary.
How is cyber insurance different from other business insurance?
Most business insurance covers physical events - fire, theft, property damage. Cyber insurance covers digital events - data breaches, ransomware, business interruption from cyber incidents, and the legal and regulatory consequences that follow. Standard business insurance policies typically exclude cyber events, and that exclusion has been increasingly enforced as cyber claims have grown. If you don't have a specific cyber policy, you likely have no cover for these events.
What's the link between good security and a lower premium?
Direct and significant. Underwriters price based on risk. A business with strong, documented, maintained security controls is a lower risk than one without. Better posture means more insurer options, more favourable coverage terms, and lower premiums. The security investment pays back in multiple ways - reduced likelihood of an incident, better claim outcomes if one occurs, and reduced insurance cost.
There's a meaningful difference between two questions: how strong your security posture is, and whether it matches what your policy assumes. Most businesses are focused on the first. The second is where claims succeed or fail.
A cyber insurance readiness assessment with NSP covers both: where your security posture actually stands, and whether it matches what your policy assumes.
If you're applying for the first time, renewing, or simply not sure whether you'd survive a claims investigation, this is the conversation to have before something goes wrong.
Most businesses only find out they weren't covered when it's too late.
A free security consultation with NSP takes 30 minutes. We look at where your gaps are and what to prioritise first.
Or call us directly: 0508 010 101