What Cyber Insurance Covers in NZ | NSP

Dayna-Jean Broeders

14 July 2026

13 min

Read

What a Cyber Insurance Claim Costs NZ Businesses - And What Your Policy Won't Cover

 

Most NZ businesses buy cyber insurance and assume the hard part is done. They've paid the premium, they have a policy number, and if something goes wrong, the insurer will handle it.

Then something goes wrong.

The forensic investigators arrive, the lawyers start billing, the Privacy Act notification obligations kick in, business interruption losses mount by the day and somewhere in the middle of it, someone realises that the claim - the one that was supposed to cover all of this - is either partially paying out, significantly underinsured, or in some cases not paying out at all.

The NCSC's Q1 2026 Cyber Security Insights Report - recorded $5.6 million in direct financial losses across 1,164 incidents in a single quarter. That's a 76% increase from Q4 2025's $3.2 million. Three incidents in Q1 were classified as C2 - "highly significant" - the first at that severity level since the 2021/22 financial year. Forty-two incidents accounted for the overwhelming majority of financial losses, meaning a small number of serious events are driving disproportionate damage. Across the full 2024/25 financial year, NZ businesses reported $26.9 million in direct losses from cyber incidents. Legal, forensic, regulatory, and business interruption costs regularly push total breach costs well above the direct financial loss figures and the gap between what a business assumes their policy covers and what it actually pays is where the damage compounds. 

Here we explain exactly what a NZ cyber insurance claim covers, what it doesn't, what the most common reasons for denial are, and what the numbers look like in practice. If you have a policy, this is worth reading before you need it.

 

What Cyber Insurance Is Covering

A NZ cyber policy typically responds across two categories: first-party costs (your own losses) and third-party liability (claims from people affected by your breach). Most businesses think of cyber insurance as covering the first category. Both matter.

First-Party Cover: Your Own Losses

Event response costs - The immediate costs of responding to an incident - forensic investigators to understand what happened and how far it spread, legal advice on your obligations, public relations support if the breach is significant, customer notification, and credit monitoring services for affected individuals. These costs begin accumulating immediately and are often the first major surprise for businesses going through their first claim. Forensic investigation alone can run into tens of thousands of dollars before the scope of the incident is even fully understood.

Cyber extortion - If ransomware is deployed, the policy typically covers the ransom payment itself - subject to sanctions screening, since paying certain groups is legally prohibited - plus the cost of a ransom negotiation specialist. What it doesn't cover is the operational cost of the downtime while the ransom is being negotiated, recovered from, or refused. That falls under business interruption.

Business interruption - Revenue lost while systems are down, plus reasonable additional expenses incurred to keep the business operating during recovery. This is consistently the largest component of cyber claims - one NZ insurer reported that business interruption costs are the primary driver of total claims cost, and that 70% of uninsured NZ and Australian SMEs that received a ransom demand would not survive into the following year, with business interruption cited as the main factor.

Two things are important to understand about business interruption cover. First, most policies have a waiting period - typically 6 to 24 hours - before business interruption cover kicks in. Revenue lost during that window isn't paid. Second, the cover is capped at the sublimit in the policy, which is often lower than the overall policy limit and may be lower than your actual exposure. A business earning $3 million annually that's down for two weeks faces roughly $115,000 in lost revenue before other costs. Whether the policy covers that fully depends on the sublimit and how it's calculated.

Data restoration costs - The cost of rebuilding data and systems - whether or not a ransom is paid. This includes IT labour, specialist recovery tools, and in some cases the cost of rebuilding from scratch when backups are unavailable or compromised. Policies that have paid a ransom and received a decryption key still face restoration costs, because decryption is rarely clean and systems frequently need rebuilding regardless.

Third-Party Cover: Liability to Others

Network security liability - If your compromised systems are used to attack someone else - malware that spreads to a client's network, for example - this covers the damages claims that follow.

Privacy liability - Claims from individuals whose personal information was accessed or exfiltrated during the breach. In New Zealand, the Privacy Act 2020 gives individuals recourse when their personal information is mishandled. If a breach results in serious harm to affected individuals, you face potential liability alongside the notification obligations.

Regulatory defence - Legal costs associated with Privacy Commissioner investigations and responses. The Privacy Commissioner's enforcement activity has increased since the Privacy Act 2020 came into force, and the cost of responding to a formal investigation - even one that doesn't result in a finding against the business - can be substantial.

 

What Your Policy Probably Won't Cover

This is where most businesses are surprised. Cyber insurance exclusions have tightened significantly over the last three years as insurers responded to rising claim costs with more specific policy language. Understanding the exclusions before an incident is considerably more useful than discovering them during one.

Pre-Existing Breaches

If you were already compromised before the policy inception date and given the median attacker dwell time of 11 days, this is more common than most businesses realise - the insurer can argue the loss arose from a pre-existing condition. This is particularly relevant when an attacker has been in the environment for weeks before anyone noticed, spanning an application or renewal date.

Failure to Maintain Required Security Controls

This is the most common reason claims fail in New Zealand, and it's worth understanding clearly. When you apply for cyber insurance, you answer questions about your security controls. Those answers become representations in the contract. If post-breach forensic investigation reveals that the controls you described weren't actually in place or had drifted significantly from what you described - the insurer has grounds to deny the claim.

As our CISO Geordie Stewart noted in the IBANZ cybersecurity webinar: "Having a control isn't the same as having an effective control. That's the most common reason cyber claims fail." A business that said yes to MFA on the application form but had it partially deployed, or had it disabled for certain accounts, may find that partial deployment treated as a material misrepresentation.

The City of Hamilton case is the most prominent NZ-adjacent example: an $18.3 million ransomware claim was denied because MFA hadn't been fully rolled out across all departments. International Control Services had a ransomware claim denied because MFA wasn't properly in use despite being a stipulated policy requirement. Cottage Health's claim was denied because security patches weren't being maintained - a condition explicitly referenced in the policy wording.

Late Notification

Most NZ cyber policies require notification to the insurer within 48 to 72 hours of discovering a potential breach. The clock starts when you first suspect something is wrong - not when the investigation is complete.

The instinct to manage the situation internally first, to understand what happened before calling the insurer, is understandable and expensive. Seventeen percent of all cyber insurance claim denials in 2025 were attributed to late notification. Geordie flagged this specifically in the IBANZ webinar: "Cyber insurers are taking a more robust line saying it's a breach of contract if you haven't honoured the notification provision - and that is a widespread problem."

Your incident response plan should include the insurer's claims line number as a specific step, with explicit instruction to call it early - before the picture is clear, not after.

Actions That Destroy Forensic Evidence

During a crisis, the instinct is to fix things. Rebuild the server. Wipe the infected device. Restore from backup as quickly as possible. Each of these actions, done without preserving forensic evidence first, can undermine the claim. As Geordie noted: "Some of the forensic information is lost and some of the information that a cyber insurer might want to retain as evidence is lost." Insurers need to understand what happened, how far it spread, and what the root cause was. If that investigation can't be completed because evidence was destroyed in recovery, the claim becomes more difficult to assess and more likely to be contested.

Social Engineering - Unless You Have the Endorsement

Business email compromise - the attack type the NCSC identifies as the most common and costly facing NZ businesses - is frequently excluded from standard cyber policies or covered only at a significantly lower sublimit. The reason: it's categorised as social engineering or funds transfer fraud rather than a direct cyber attack, and requires a specific endorsement to be fully covered.

For NZ professional services firms, law firms, real estate agencies, and accounting practices - all high-frequency BEC targets - this is a critical gap to check. A $250,000 property transaction payment diverted through a compromised email account is exactly the kind of loss a business assumes their cyber policy covers. Whether it does depends on policy wording that most businesses haven't read carefully.

Physical Damage and Bodily Injury

Cyber policies don't cover physical damage to property or bodily injury resulting from a cyber event. For most businesses this is academic, but for manufacturers, utilities, and businesses with operational technology - where a cyber attack could affect physical systems - this is a genuine gap that standard cyber policy won't fill.

Intellectual Property and Patent Infringement

If data exfiltrated in a breach includes intellectual property and that IP is subsequently used or published, cyber insurance doesn't cover the IP loss itself. The forensic and response costs are covered, but the value of the stolen IP is not.

 

The Sublimit Problem: Where Businesses Discover They're Underinsured

Even claims that pay out frequently pay out for less than businesses expected. This is the sublimit problem and it's one of the least discussed aspects of cyber insurance in NZ.

A policy with a $1 million limit sounds comprehensive. But within that policy, each category of cover typically has its own sublimit - a cap on what can be claimed under that specific heading. Business interruption might be capped at $200,000. Extortion response at $150,000. Forensics and legal at $100,000. Regulatory defence at $50,000. These sublimits can add up to less than the overall policy limit, and they can be significantly less than the actual costs of a serious incident.

Coverage that seemed adequate at the time of purchase may no longer reflect current incident costs. As Geordie observed in the IBANZ webinar: "Sometimes until you've been through an incident, you don't necessarily realise how complicated and how expensive it's going to be, especially when it comes to legal advice and forensics, which can get very expensive."

The defence costs position is particularly important: some policies include legal costs within the overall limit, meaning a contested claim or a Privacy Commissioner investigation that runs to $80,000 in legal fees comes directly out of the limit available for everything else. Others have defence costs as additional to the limit. The difference can be six figures on a significant claim.

 

What the Total Costs Look Like

To make this concrete, here's what a moderately serious ransomware incident costs for a NZ SME.

Forensic investigation: $15,000–$40,000. Often the first invoice that arrives and the one that surprises businesses most.

Legal advice: $20,000–$60,000. Privacy Act notification obligations, advice on whether to pay the ransom, contract review for notification obligations to clients, regulatory response if the Privacy Commissioner is engaged.

Ransom payment: Highly variable. Current NZ ransomware demands average in the hundreds of thousands. Whether to pay is a separate decision but the negotiation and facilitation cost is additional regardless.

IT recovery and data restoration: $20,000–$80,000. Rebuilding systems, restoring from backups where available, replacing infrastructure where it's unrecoverable.

Business interruption: Depends entirely on your revenue and how long you're down. A business earning $2 million annually loses roughly $38,000 per week of downtime. Extended outages - common when backups are unavailable or compromised - multiply this significantly.

Notification costs: $5,000–$20,000. Identifying affected individuals, drafting notifications, sending them, managing the response.

PR and reputation management: $5,000–$30,000 if the breach is significant enough to require client or public communication beyond direct notification.

Total for a moderate incident: $150,000–$400,000, before accounting for any ransom payment. The $173,000 NZ average cost masks a wide distribution - straightforward incidents cost far less, serious ones cost significantly more. The average ransomware cost of $207,600 is the direct financial impact; total business impact including operational disruption and longer-term revenue effects is higher.

Against these numbers, the most common cyber insurance sublimits for NZ SMEs become easier to evaluate. A $1 million policy with a $150,000 business interruption sublimit and $100,000 forensics sublimit is a very different product than its headline number suggests.

 

The Cyber Insurance Assessment - Before the Claim

The clearest way to understand whether your cyber insurance actually covers your exposure and whether your security posture will survive a post-breach investigation - is a cyber insurance readiness assessment before an incident, not after.

NSP's cyber insurance assessment maps your current security controls against what NZ underwriters are looking for, identifies the gaps between what your policy assumes and what your environment actually has, and gives you a priority list for what to address. It's also the most direct way to understand whether your current coverage limits and sublimits reflect your actual exposure or whether you're underinsured in ways that will only become visible during a claim.

For businesses with existing policies, a readiness assessment is particularly valuable at renewal. Geordie's observation from the IBANZ webinar holds: the shift in underwriting is from presence of controls to maturity of controls. Businesses that can demonstrate documented, tested, maintained security practices are in a materially different position - on premium, on coverage terms, and on the likelihood of a claim paying out - than those that can only say they think the controls are in place.

The IBANZ webinar itself covered this in depth for NZ insurance brokers and their clients. If you work with a broker, the conversation about whether your current coverage reflects your actual exposure is one worth having at every renewal.

 

Frequently Asked Questions About Cyber Insurance Claims in NZ

What does cyber insurance cover in NZ?

A typical NZ cyber policy covers event response costs (forensics, legal, notification), cyber extortion (ransom and negotiation), business interruption losses, data restoration, network security liability, privacy liability, and regulatory defence costs. The exact scope and limits vary significantly between policies - sublimits within each category matter as much as the overall policy limit.

What are the most common reasons cyber insurance claims are denied in NZ?

Failure to maintain the security controls described in the application - particularly MFA - is the most common reason. Late notification to the insurer is the second most common. Destroying forensic evidence during recovery is the third. Pre-existing breaches that predate the policy are also a consistent basis for denial.

Does cyber insurance cover BEC and payment fraud?

Not automatically. Business email compromise and funds transfer fraud are typically excluded from standard cyber policies or subject to a much lower sublimit. A specific social engineering or funds transfer fraud endorsement is required for full coverage. This is a critical gap for professional services, legal, and real estate businesses where payment diversion is the highest-frequency attack type.

How much does a cyber breach cost a NZ business?

 The NCSC recorded $26.9 million in direct financial losses across NZ cyber incidents in 2024/25, with Q1 2026 alone producing $5.6 million - a 76% increase on the previous quarter. Direct losses understate the real cost: forensic investigation, legal advice, Privacy Act notification obligations, business interruption, and reputational damage compound the direct figure significantly. Serious incidents regularly exceed $300,000 in total cost. Seventy percent of uninsured NZ and Australian SMEs that received a ransom demand would not survive into the following year. 

How quickly do I need to notify my insurer after a breach?

Most NZ cyber policies require notification within 48 to 72 hours of discovering a potential incident. The clock starts when you first suspect something is wrong - not when the investigation is complete. Failing to notify within this window is a common basis for claim denial. Your incident response plan should include the insurer's claims line and explicit instruction to notify early.

What is a sublimit and why does it matter?

A sublimit is the maximum that can be claimed under a specific category within the overall policy limit. A $1 million policy typically has sublimits for business interruption, forensics, extortion, and legal - each of which may be significantly lower than the headline limit. Two policies with the same headline limit can deliver very different recovery outcomes once sublimits are applied. Understanding your sublimits before an incident is considerably more useful than understanding them during one.

How do I know if my cyber insurance is adequate?

A cyber insurance readiness assessment reviews your current coverage against your actual exposure - business size, revenue, data sensitivity, regulatory obligations and identifies gaps between what your policy assumes and what your environment actually has. NSP's cyber insurance assessment is specifically designed for this purpose.

 

Is Your Business Protected?

A 30-minute consultation with NSP gives you an honest picture of whether your current cyber insurance reflects your actual exposure and whether your security posture would survive a post-breach investigation.

Book your free consultation →

Or call us directly: 0508 010 101

 

Related Reading

Let’s stay in touch!

Enter your details below to stay up-to-date with the latest IT solutions and security measures.