| Cyber insurance is a financial safety net that covers the costs of a cyber incident — including recovery expenses, legal fees, notification costs, and business interruption losses. In 2026, the most important thing to understand about cyber insurance is not what it covers. It is what it does not cover — and why many NZ businesses that think they are protected will find their claim denied when they need it most. |
Your business has cyber insurance. You paid the premium. You believe you are covered.
What you may not know is that underwriters have fundamentally changed what they require — not just at the time of application, but at the time of a claim. Having a security control is no longer the same as having an effective one. And that distinction is exactly where NZ businesses are getting caught out.
This guide covers how the cyber insurance market has changed in 2026, what NZ underwriters are now requiring before they will pay a claim, the specific exclusions most businesses do not know about, and the practical steps that ensure your policy is worth the premium you are paying.
| QBE and Atmos NZ insurance claims data 2026: the average data breach costs an NZ business $173,000. Cyber insurance premiums range from $40 to $1,000+ per month depending on business size and sector. A significant proportion of NZ businesses have had claims disputed or partially paid due to security gaps or policy exclusions not understood at the time of application. |
How Cyber Insurance Underwriting Has Changed in 2026
The cyber insurance market was relatively straightforward five years ago. You disclosed your systems, confirmed you had basic controls, and received cover. Underwriters largely took your word for it.
That model is gone. The dramatic increase in ransomware claims through 2022 to 2024 forced underwriters to become significantly more rigorous. They are no longer asking whether you have certain security controls. They are asking whether those controls are actually working — and they are increasingly verifying it rather than accepting self-certification.
The shift is from presence to effectiveness. Think of it this way: if someone asked “do you have a lock on your front door?” you would say yes. But if they asked “is your front door actually locked right now, and has it been tested recently?” that is a harder question. That is exactly the shift that has happened in cyber insurance underwriting.

A business that answers yes to “do you have MFA?” on an application form but has only applied MFA to some accounts will find that gap exploited at claim time. Underwriters will ask which accounts had MFA enabled, and enforced, at the time of the incident. If the compromised account did not have MFA, even if most of your accounts do, the claim can be declined or significantly reduced. Our cybersecurity risk assessment guide covers how to identify and close these gaps before they become claim problems.
What NZ Cyber Insurance Underwriters Now Require
The controls below are no longer optional extras that reduce your premium. They are baseline requirements. Businesses that cannot demonstrate them will either be unable to obtain cover or will hold a policy with conditions that will be used to decline claims after an incident.
| Control | What Underwriters Now Require | Impact on Premium |
| MFA | MFA enforced on every account that can reach a critical system: email, remote access, accounting software, cloud platforms and admin accounts, including service, shared and contractor accounts. Requiring an approved (managed) device in addition to the second factor is becoming the expected standard | 15 to 25% premium discount for MFA across all critical systems. No MFA on email = potential claim denial |
| 24/7 Monitoring | Continuous automated monitoring, not business-hours IT support. Underwriters want evidence that threats are detected outside office hours | No 24/7 monitoring = higher premium and potential exclusion for incidents occurring outside monitored hours |
| Immutable Backups | Backups that have been restored in a test, not just backups whose job reports success. At least one immutable or air-gapped copy that ransomware, or a compromised admin account, cannot modify or delete, with restore tests recorded | Backup gaps are among the top reasons ransomware claims are reduced. Unverified backups do not satisfy this requirement |
| Patch Management | Current patching across all systems — not just servers. Endpoints, software, and cloud platforms must all be included | Known unpatched vulnerabilities at the time of an incident can void cover for that specific attack vector |
| Incident Response Plan | A documented, tested incident response plan. Not a generic template — one specific to your organisation and tested in the past 12 months | Absence of a tested plan is increasingly used to argue contributory negligence in claim disputes |
| Staff Training | Evidence of regular security awareness training. Annual training alone is no longer considered adequate by most underwriters | Training gaps are cited in social engineering and phishing claim disputes where staff actions enabled the incident |

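The backup requirement in the table is easy to misread as “a backup job that completes”. What an underwriter actually wants evidence of is a restore that was performed and checked. The following is an added example, not Exodesk’s tooling and not any backup product’s API. It assumes a simple file-copy backup (replace make_backup with your real job) and a SHA-256 manifest kept separately from the backup host, hypothetically alongside the immutable copy. The file contents are constructed. The second half of the scenario shows why “the job ran” is not enough: a backup copy that ransomware could reach fails the restore test even though every file is still present.

```python
"""Backup restore test with a hash manifest and an evidence record.

Added example, not Exodesk's tooling or any backup product's API. It
assumes a simple file-copy backup; replace make_backup() with your real
backup job and keep verify_restore() as the test that runs after it.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and record a SHA-256 for every file.

    The manifest is what later restore tests are measured against. Keep a
    copy of it off the backup host (hypothetically: with the immutable copy);
    if an attacker can rewrite both the data and the manifest, the test
    below would pass against the tampered content."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup: Path, restore_to: Path,
                   manifest: Optional[dict] = None) -> dict:
    """Restore every manifest entry into a clean directory and compare the
    restored bytes against the manifest. Returns a record that can be kept
    as evidence; 'ok' is True only if every file restores byte-for-byte."""
    if manifest is None:
        manifest = json.loads((backup / MANIFEST).read_text())
    started = time.time()
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        src = backup / rel
        if not src.is_file():
            missing.append(rel)
            continue
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_file(target) != expected:
            mismatched.append(rel)
    return {
        "ok": not missing and not mismatched,
        "checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "tested_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "duration_s": round(time.time() - started, 3),
    }


def demo() -> tuple:
    """Constructed scenario: a clean backup passes; the same backup with one
    file overwritten (as ransomware or bit rot would do) fails, even though
    the backup job itself 'ran' and every file name is still there."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "invoice.txt").write_text("INV-1001 due 20 March\n")
        (source / "ledger.csv").write_text("date,amount\n2026-03-01,1200\n")

        backup = root / "backup"
        manifest = make_backup(source, backup)
        good = verify_restore(backup, root / "restore1", manifest)

        # Simulate a backup copy that ransomware could reach: one file overwritten.
        (backup / "docs" / "invoice.txt").write_bytes(b"\x00encrypted\x00")
        bad = verify_restore(backup, root / "restore2", manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print(json.dumps({"clean_backup": good, "tampered_backup": bad}, indent=2))
```

The returned record (timestamp, number of files checked, mismatches) is the kind of artefact to file each month: it answers “was the backup restorable on this date?” with a result rather than a job log.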
The Most Common Reasons Cyber Insurance Claims Fail in NZ
Understanding why claims fail is more valuable than understanding what policies cover. These are the scenarios where NZ businesses discover their policy does not pay what they expected.
MFA was not applied to the compromised account
This is the single most common claim dispute in 2026. A business has MFA — but it was not enforced on the account that was compromised. Perhaps an older account was overlooked during the rollout. Perhaps a contractor account was excluded. Perhaps a shared service account was considered too difficult to apply MFA to.
The underwriter’s position is consistent: the policy condition was that MFA be in place across critical systems. The compromised account was a critical system. MFA was not in place. The condition was not met. Where an account genuinely cannot perform interactive MFA (some service accounts), the expectation is that it is blocked from interactive sign-in, restricted to the minimum permissions it needs, and listed as a documented exception on the application rather than silently left out.
The security controls stated in the application were not maintained
Cyber insurance applications are completed at a point in time. The controls you disclosed when you applied may not reflect what was in place at the time of the incident — especially if significant time has passed since application or renewal, your IT environment has changed, or staff changes have resulted in controls being applied inconsistently.
Underwriters treat a cyber insurance application as an ongoing representation of your security posture, not a snapshot. If your posture at the time of the incident materially differs from what was disclosed, the claim is at risk.
Social engineering exclusions
Many cyber insurance policies explicitly exclude losses arising from social engineering — where an employee was manipulated into transferring funds or providing access without any technical system being compromised. Business email compromise, where a fraudulent invoice is paid because an attacker impersonated a supplier in email, frequently falls into this category.
This exclusion matters more in 2026 than it ever has, because AI-powered social engineering is now the most common attack vector. If your policy excludes social engineering and your finance team pays a fraudulent invoice generated by an AI-crafted email, you may have no claim.
Our social engineering guide covers the verification protocols that prevent these incidents — and that underwriters are beginning to require as evidence of adequate controls.
Nation-state and war exclusions
Most cyber insurance policies exclude losses arising from nation-state attacks or acts of cyber war. The legal boundary between criminal ransomware groups and state-sponsored attackers is increasingly blurred in 2026 — some of the most active ransomware groups have documented connections to state intelligence services.
If an incident is later attributed to a state-sponsored actor, the underwriter may invoke the war exclusion. This is a genuine risk that cannot be fully mitigated through policy wording alone, but it is worth understanding before an incident occurs. For most NZ SMEs this exclusion is unlikely to be invoked — it is most relevant to businesses in critical infrastructure, government-adjacent sectors, or those with significant international operations.
Failure to notify within the policy timeframe
Most cyber insurance policies require notification within a specific timeframe — typically 24 to 72 hours of becoming aware of an incident, though timeframes vary by insurer and policy. Businesses that delay notification, attempt to contain an incident independently before involving their insurer, or are simply unaware of the notification requirement risk having their claim affected.
This connects directly to the value of a tested incident response plan — one of the first actions in any documented plan should be insurer notification. Our business continuity planning guide covers how notification protocols should be documented before an incident rather than worked out during one.
What Cyber Insurance Actually Covers in 2026
Understanding what is covered — and what is typically excluded — is essential before signing any policy.
What most cyber insurance policies cover
- First-party losses: costs directly incurred by your business following a cyber incident
- Incident response costs: forensic investigation, malware removal, and system restoration
- Business interruption: revenue loss and extra expenses during recovery, usually subject to a waiting period
- Data recovery: costs of restoring or recreating data destroyed or encrypted in an attack
- Notification costs: legally required notifications to affected individuals and regulatory bodies under the NZ Privacy Act 2020
- Legal costs: defence of regulatory investigations and third-party claims arising from a breach
- Ransom payments: covered by some policies subject to legality and insurer approval — never pay without notifying your insurer first
What most cyber insurance policies do not cover
- Pre-existing conditions: incidents that began before the policy was in force
- Preventable losses: incidents where basic required controls were not in place
- Social engineering losses: unless a specific endorsement has been purchased
- Nation-state and war: attacks attributed to state actors or treated as acts of cyber war
- Reputational damage: long-term revenue loss from damaged client relationships is rarely covered
- Infrastructure failures: losses arising from third-party cloud or infrastructure outages rather than a direct cyber attack
- Consequential losses: indirect losses that flow from the incident but are not direct costs of the incident itself
The most significant exclusion for most NZ businesses in 2026 is social engineering — because it covers the most common attack type and many businesses do not realise it requires a separate endorsement to be included.
How to Ensure Your Cyber Insurance Policy Pays
The gap between holding a cyber insurance policy and holding one that will pay when needed is closed by preparation, not paperwork. These are the actions that determine whether a claim succeeds.
Align your security controls with your policy conditions — then maintain them
Read your policy conditions carefully and map them to your actual security posture. Every condition is a potential claim dispute if it is not met at the time of an incident. MFA, patch management, monitoring, backup, and incident response plan requirements should be verified and documented regularly — not just at renewal time.

Understand your exclusions before you need them
Ask your broker to walk through every exclusion in your policy. Specifically ask about social engineering, nation-state attribution, business interruption waiting periods, and the definition of a cyber incident under your policy. Surprises at claim time are avoidable.
Document your security controls continuously
Underwriters will ask for evidence of your security posture at the time of an incident. A managed IT provider that produces monthly reporting on patch compliance, backup success rates, monitoring coverage, and training completion creates exactly the documentation that supports a claim. Verbal assurances and annual reviews do not.
Exodesk’s managed IT services produce regular reporting on the controls that underwriters require, creating a documented record of your security posture over time. Our managed IT services page covers what is included in our standard reporting.
Apply MFA everywhere, not just most places
Given that MFA gaps are the most common reason claims are disputed, the only safe position is MFA enforced on every account that can reach a critical system, including service accounts, shared accounts, contractor accounts and cloud platforms. A registered factor is not an enforced one: a user who has set up an authenticator app but whose sign-in policy does not require it is not covered. Partial deployment leaves gaps that underwriters will find, so the evidence should be an export of your identity provider’s MFA status, reviewed regularly, not an assumption.
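The “overlooked account” scenario described under the claim-failure reasons above, and the “everywhere, not just most places” rule here, both come down to one audit: every enabled account, its registered factors, and whether a policy actually enforces them. The following is an added example, not Exodesk’s tooling and not any identity provider’s export format. The CSV is constructed and its column names are hypothetical; Entra ID, Google Workspace and Okta exports all differ, so map your real columns onto these. It separates “registered but not enforced” from “none registered”, treats service, shared and privileged accounts as critical, flags phone-only factors, and flags stale accounts that are still enabled, which are the ones rollouts tend to miss.

```python
"""MFA coverage audit over an identity-provider user export.

Added example; not Exodesk's tooling and not any vendor's export format.
The CSV below is constructed and hypothetical: map your tenant's real
columns onto these names before running it against a live export.
"""
import csv
import io
from dataclasses import asdict, dataclass
from datetime import date

# Constructed export. 'enforced' = a sign-in policy actually requires a second
# factor; 'mfa_methods' = factors registered, ';'-separated, '' = none.
SAMPLE_EXPORT = """\
upn,account_type,enabled,enforced,mfa_methods,roles,last_sign_in
jane@example.co.nz,user,true,true,authenticator_app,global_admin,2026-03-02
tom@example.co.nz,user,true,true,sms,user,2026-03-01
old.laptop@example.co.nz,user,true,false,,user,2024-11-15
contractor.ap@example.co.nz,contractor,true,false,authenticator_app,user,2026-02-27
svc-backup@example.co.nz,service,true,false,,backup_admin,2026-03-03
shared-reception@example.co.nz,shared,true,false,sms,user,2026-03-03
leaver@example.co.nz,user,false,false,,user,2025-06-30
"""

PHONE_ONLY = {"sms", "voice"}
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello", "certificate"}


@dataclass
class Finding:
    upn: str
    account_type: str
    severity: str  # critical | high | medium
    reason: str


def audit_mfa(export_csv: str, today: date, stale_days: int = 90) -> dict:
    """Return coverage numbers and per-account findings.

    'Covered' means a factor is registered AND enforced. A registered but
    unenforced factor is exactly the gap an underwriter will find after an
    incident, so it is reported as a finding, not as coverage."""
    findings = []
    enabled = covered = phishing_resistant = disabled = 0
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].lower() != "true":
            disabled += 1          # disabled accounts cannot be used to sign in
            continue
        enabled += 1
        methods = {m for m in row["mfa_methods"].split(";") if m}
        privileged = any(r != "user" for r in row["roles"].split(";"))
        high_value = privileged or row["account_type"] in {"service", "shared"}
        sev = "critical" if high_value else "high"
        enforced = row["enforced"].lower() == "true"

        if not methods:
            findings.append(Finding(row["upn"], row["account_type"], sev,
                                    "no MFA method registered"))
        elif not enforced:
            findings.append(Finding(row["upn"], row["account_type"], sev,
                                    "MFA registered but not enforced at sign-in"))
        else:
            covered += 1
            if methods & PHISHING_RESISTANT:
                phishing_resistant += 1
            elif methods <= PHONE_ONLY:
                findings.append(Finding(row["upn"], row["account_type"], "medium",
                                        "phone-based factors only; move to app or passkey"))

        # Dormant accounts that are still enabled are the ones rollouts overlook.
        idle = (today - date.fromisoformat(row["last_sign_in"])).days
        if idle > stale_days:
            findings.append(Finding(row["upn"], row["account_type"], "medium",
                                    f"no sign-in for {idle} days; disable or remove"))

    return {
        "enabled_accounts": enabled,
        "disabled_accounts": disabled,
        "covered": covered,
        "coverage_pct": round(100 * covered / enabled, 1) if enabled else 0.0,
        "phishing_resistant": phishing_resistant,
        "findings": [asdict(f) for f in findings],
    }


def critical_gaps(report: dict) -> list:
    """Accounts an underwriter would ask about first."""
    return [f["upn"] for f in report["findings"] if f["severity"] == "critical"]


def run_sample() -> dict:
    """Audit the constructed export as of a fixed date so results are repeatable."""
    return audit_mfa(SAMPLE_EXPORT, today=date(2026, 3, 5))


if __name__ == "__main__":
    report = run_sample()
    print(f"MFA coverage: {report['covered']}/{report['enabled_accounts']} "
          f"({report['coverage_pct']}%), phishing-resistant: {report['phishing_resistant']}")
    for f in report["findings"]:
        print(f"[{f['severity']:8}] {f['upn']:32} {f['reason']}")
```

On the constructed data the headline number is the point: six enabled accounts, two covered, and the two critical gaps are a service account and a shared mailbox, which is how “we have MFA” and “the compromised account had no MFA” are both true at once. Run it against a fresh export on the same cadence as your other control reporting and keep the output with it.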
Test your incident response plan and notify your insurer promptly
A tested incident response plan ensures that insurer notification happens within the required timeframe. The plan should include the insurer’s contact details, the notification obligation and deadline, and a designated person responsible for making the call. Waiting until the incident is contained before notifying typically violates the policy condition.
Review your policy annually against your current environment
A cyber insurance policy written for your business two years ago may not reflect your current technology environment, staff size, data volume, or risk profile. Annual review against your current posture — not just renewal of the existing policy — is the only way to ensure coverage remains adequate.
Is Your Cyber Insurance Actually Going to Pay?
Exodesk works with South Island businesses in Christchurch and Dunedin to ensure that the security controls required by cyber insurance underwriters are genuinely in place — not just documented on an application form. Our managed IT services include the MFA enforcement, 24/7 monitoring, patch management, backup verification, and monthly reporting that underwriters require and that support claims when they are needed.
If your cyber insurance was renewed without a security posture review, or if your controls have changed since your last application, your cover may not perform as expected. The fastest thing you can do right now is call your broker and ask them to walk through your policy exclusions and the controls required for a valid claim. We offer an honest, no-obligation review of your current posture against your policy conditions.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions About Cyber Insurance
What is cyber insurance?
Cyber insurance is a policy that covers the financial costs of a cyber incident — including incident response, data recovery, business interruption, legal costs, and notification expenses. In 2026, cyber insurance is considered a baseline component of business resilience for any NZ business that handles personal data, processes payments, or relies on technology to operate. The average data breach costs an NZ business $173,000 — a cost that cyber insurance is designed to absorb.
Why do cyber insurance claims get denied?
The most common reasons cyber insurance claims are denied or reduced in NZ include: MFA was not applied to the compromised account despite being declared on the application, security controls disclosed at application were not maintained at the time of the incident, the incident falls under a social engineering or nation-state exclusion, notification was not made within the required policy timeframe, or the loss is a type that falls outside the policy’s covered events. Understanding these failure modes before a claim is the only way to avoid them.
What do cyber insurance underwriters require in 2026?
NZ cyber insurance underwriters now require MFA across all critical systems including email, remote access, accounting software, and cloud platforms — not just some accounts. They require 24/7 automated monitoring rather than business-hours IT support, tested and restorable backups including immutable or air-gapped copies, current patch management across all systems, a documented and tested incident response plan, and evidence of regular staff security awareness training. The shift has been from checking whether controls exist to verifying they are effective.
Does cyber insurance cover ransomware payments?
Some cyber insurance policies cover ransom payments, subject to legality and prior insurer approval. You must never pay a ransom without first notifying your insurer — paying without approval is a common reason ransom payment coverage is voided. Insurers will assess the legality of the payment, the likelihood of successful decryption, and whether payment is the appropriate response before approving. Many incidents can be resolved without payment if immutable backups are available.
Does cyber insurance cover social engineering attacks?
Social engineering losses — including business email compromise where an employee is tricked into approving a fraudulent payment — are excluded from many standard cyber insurance policies. This exclusion is particularly significant in 2026 because AI-powered social engineering and email impersonation attacks are now the most common attack vector. Before assuming you are covered, specifically ask your broker whether social engineering losses are included and whether a separate endorsement is required.
How much does cyber insurance cost for NZ small businesses?
Cyber insurance premiums for NZ small businesses typically range from $40 to $100 per month for basic cover, with costs rising based on business size, sector, data volume, and the security controls in place. Healthcare, financial services, and technology businesses pay more due to higher risk profiles. The single most effective way to reduce your premium is implementing MFA across all systems — insurers commonly offer premium discounts of 15 to 25% for businesses with comprehensive MFA deployment.
What is the difference between first-party and third-party cyber insurance?
First-party cyber insurance covers losses your business incurs directly — recovery costs, business interruption, ransom payments, and notification expenses. Third-party cyber insurance covers claims made against your business by clients, suppliers, or other parties affected by a breach of their data you were responsible for holding. Most NZ cyber insurance policies include both, but coverage limits and conditions differ between the two. Businesses holding significant volumes of client personal data should ensure their third-party limits are adequate.
Does cyber insurance cover business email compromise?
Business email compromise — where an attacker intercepts or impersonates a legitimate email to redirect payments — may or may not be covered depending on your policy. If the compromise involved technical access to an email system, it is more likely to be covered. If it involved purely social deception — an attacker sending a fraudulent email from an external address that staff were tricked into acting on — it may fall under the social engineering exclusion. Read your policy carefully and ask your broker specifically about BEC scenarios.
What are the NZ Privacy Act obligations after a cyber incident?
The NZ Privacy Act 2020 requires notification to the Office of the Privacy Commissioner, and to the affected individuals unless an exception applies, as soon as practicable after becoming aware of a privacy breach that is likely to cause serious harm. Most cyber insurance policies include cover for the costs of required notifications, including staff time, legal advice, and notification delivery. Your incident response plan should include a clear trigger for Privacy Act notification, a designated contact for regulatory communication, and the insurer notification process, since insurer involvement will be required before significant notification costs are incurred.
How often should I review my cyber insurance policy?
Annually at minimum — but also after any significant change to your business including staff growth, new technology systems, changes to the type of data you hold, a new supplier relationship involving data access, or an actual cyber incident. A policy written for your business two years ago may not reflect your current risk profile. Annual review should compare your current security posture against your policy conditions to ensure no gaps have developed that would affect a claim.
What should I do immediately after a cyber incident?
Notify your cyber insurer immediately; most policies require notification within 24 to 72 hours of becoming aware of an incident. Do not pay a ransom, engage incident response providers, or make public statements without first contacting your insurer, as insurers often have panel providers and may not reimburse others. Isolate affected systems from the network to prevent further spread, but do not wipe, reimage or power off machines before forensic images can be taken, since that destroys the evidence the insurer’s investigators and your claim will depend on. Document what you know about the incident, including when it was first noticed. Your insurer will typically provide access to incident response specialists, legal advisors, and forensic investigators as part of the claims process.
How does Exodesk help NZ businesses with cyber insurance readiness?
Exodesk ensures that the security controls required by cyber insurance underwriters are genuinely and demonstrably in place for South Island businesses. This includes deploying and maintaining MFA across all critical systems, providing 24/7 automated monitoring, managing patch cycles, verifying backup integrity, producing monthly documentation of security posture, and supporting the development and testing of incident response plans. Our fixed-price managed IT model means these controls are actively maintained — not just configured and forgotten.