
Cyber insurance in New Zealand: what insurers expect you to do to stay covered

  • Writer: Joseph Rapley
  • Aug 25, 2025
  • 6 min read

Cyber insurance can save your business when you are dealing with ransomware and the related business interruption, privacy breaches, and incident response costs. But cyber insurance is not a magic fix. Every policy has conditions you must meet, or you risk a reduced payout or no payout at all.

This post explains what New Zealand insurers actually require in practice. The big theme is simple. Do the basics well and prove you do them. That means multi-factor authentication, regular patching, tested backups, email and endpoint security, staff training, and regular security testing such as penetration testing and vulnerability scanning.

[Image: Ransomware attack]

What NZ cyber insurers commonly expect

These are the controls that show up again and again in New Zealand cyber insurance documents:

  • Multi-factor authentication on remote access, administrator accounts, and email. You will see tick-box questions for this on proposal forms. Insurers rely on those answers when deciding to insure you.

  • Patching. Apply monthly updates and apply critical patches quickly. Some forms ask you to confirm monthly patching and immediate critical patches.

  • Backups. Keep regular offline or segregated backups. Test restores. Some forms also ask if backups are protected with MFA or immutability.

  • Endpoint security. Use reputable anti-malware or EDR on all endpoints and servers.

  • Email security. Use filtering and anti-spoofing, and train staff to spot phishing.

  • Remote access over VPN with MFA rather than open RDP on the internet.

  • Access control. Least-privilege access and prompt removal of leavers.

  • Encryption of sensitive information in transit and at rest where possible.

  • Incident response and disaster recovery plans that you test at least annually.

  • Regular security testing. External vulnerability scanning and periodic penetration testing, with prompt remediation of critical issues.

  • Notify fast. Some wordings require notice of a privacy event within a set time and for you to take reasonable steps to protect systems and limit loss.


Highlights by NZ insurer and policy documents

Below are the key items you will see in documents. These are the things underwriters look for and what claims teams can point to after an incident.

Chubb Insurance New Zealand

Short proposal form asks if you have MFA on remote access and backups, EDR on endpoints and servers, email security, phishing training, and whether macros are restricted. These are strong signals of what they expect you to have in place.

QBE New Zealand

Cyber proposal form covers MFA, patching timeframes, backups and testing, privileged access, remote access, and other baseline controls. Expect questions on each control during underwriting.

Vero Liability (Suncorp NZ)

Cyber proposal form asks about monthly patching and immediate critical patches, VPN with two factor for remote access, off-site backups and restore testing, training, and whether you run vulnerability scans or penetration testing.

DUAL New Zealand (Lloyd’s coverholder)

Cyber proposal form uses a detailed control checklist and sector add-ons. It explores MFA, backups, patching cadence, and industry specific risks. DUAL also publishes a NZ cyber policy wording.

Delta Insurance New Zealand

Policy wording and proposal form. Application questions cover core security practices and training. Expect endorsements and conditions tailored to your risks.

NZI (IAG NZ)

Cyber Base policy wording outlines your obligations and warns that extra conditions can be added by endorsement. You must comply with these conditions during the policy or claims can be affected.

Vero Insurance

Policy wording sets out “your obligations” such as reasonable care and compliance with the policy. These general duties sit alongside any security conditions on your schedule or endorsements.

Zurich New Zealand

Security and Privacy Protection policy includes strict notification timelines. For a privacy event you must notify the breach response service as soon as reasonably possible and in any event no later than 72 hours, and take reasonable steps to protect systems and limit business income loss.

Takeaway. The documents differ in format, but the expectations are consistent. If you are doing MFA, patching, tested backups, endpoint and email security, access control, staff training, and regular security testing, you are in the green zone for cyber insurance in New Zealand.

Why honesty on proposal forms matters

Courts have already seen cases overseas where cyber policies were rescinded because the insured said they had MFA when they did not. In Travelers v ICS the parties agreed to void the policy from inception after a ransomware event because the application answers about MFA were wrong. That left the business without cover.

There have also been disputes around minimum required practices clauses, where an insurer argued the insured failed to maintain basic security as promised. The Cottage Health case shows how these endorsements can become central after a breach.

New Zealand policies use the same logic. Your statements on the proposal and your compliance with conditions and endorsements are part of the contract. Keep them accurate and keep evidence.


A practical checklist for NZ businesses

Use this to prepare for buying cyber insurance and to stay covered at claims time. It also doubles as a cybersecurity NZ essentials list.

  1. MFA everywhere sensible - Email, VPN, RDP, admin and privileged accounts, remote access tools, and backups. Document where MFA is enabled.

  2. Patch on a schedule - Monthly patching at minimum. Apply critical patches quickly and record when you did them.

  3. Backups you can restore - Keep offline or immutable copies. Test restores and keep the test logs. Some insurers ask about immutability and MFA on backup consoles.

  4. Endpoint and email security - EDR or strong anti-malware on servers and endpoints. Email filtering and anti-spoofing. Staff phishing training.

  5. Remote access and access control - VPN for remote access with MFA. Remove leavers fast. Use least privilege.

  6. Regular security testing - Run external vulnerability scans and schedule penetration testing. Fix criticals and keep remediation evidence. This is common in NZ proposal forms.

  7. IR and DR plans - Maintain an incident response plan and a disaster recovery plan. Test them yearly and file the results.

  8. Know your notification duties - Some wordings require early notice with strict timelines. Zurich’s wording requires privacy events to be notified within 72 hours and to take steps to protect systems and limit loss. Keep your broker and insurer contacts handy.
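Item 1 asks you to document where MFA is enabled, and the proposal forms ask a yes/no question about it. The script below is an added example (not code from the original post) that turns an identity-provider user export into the kind of MFA coverage report you can keep as evidence. It assumes a CSV with the columns user, role, mfa_enabled and last_login; the sample rows are constructed, and a real export from your identity provider will have different column names that you map first.

```python
"""MFA coverage report from an identity-provider user export.

Added example, not part of the original post. Assumes an export with the
columns user, role, mfa_enabled, last_login; the embedded sample is constructed.
Real exports (Microsoft Entra ID, Google Workspace, Okta, ...) use their own
column names, so map them onto these before running.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: these are not real accounts.
SAMPLE_EXPORT = """user,role,mfa_enabled,last_login
alice@example.co.nz,admin,true,2025-08-20
bob@example.co.nz,user,true,2025-08-19
carol@example.co.nz,user,false,2025-08-18
dave@example.co.nz,admin,false,2025-08-01
erin@example.co.nz,service,false,2024-11-02
frank@example.co.nz,user,TRUE,2025-08-21
"""

# Roles whose accounts the proposal forms single out ("admin and privileged accounts").
PRIVILEGED_ROLES = {"admin", "service"}


@dataclass
class Account:
    user: str
    role: str
    mfa_enabled: bool


def parse_export(text):
    """Read the CSV export into Account records, normalising the MFA flag."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        flag = row["mfa_enabled"].strip().lower() in {"true", "yes", "1"}
        accounts.append(Account(row["user"].strip(), row["role"].strip().lower(), flag))
    return accounts


def coverage_report(accounts):
    """Summarise MFA coverage and split the gaps by privilege level."""
    total = len(accounts)
    covered = sum(1 for a in accounts if a.mfa_enabled)
    privileged_gaps = sorted(a.user for a in accounts
                             if a.role in PRIVILEGED_ROLES and not a.mfa_enabled)
    standard_gaps = sorted(a.user for a in accounts
                           if a.role not in PRIVILEGED_ROLES and not a.mfa_enabled)

    # Honest proposal-form answers derived from the data, not from memory.
    if covered == total and total > 0:
        all_accounts = "yes"
    elif covered == 0:
        all_accounts = "no"
    else:
        all_accounts = "yes, with exceptions"

    return {
        "total": total,
        "covered": covered,
        "coverage_pct": round(100.0 * covered / total, 1) if total else 0.0,
        "privileged_without_mfa": privileged_gaps,
        "standard_without_mfa": standard_gaps,
        "admin_accounts_mfa": "yes" if not privileged_gaps else "no",
        "all_accounts_mfa": all_accounts,
    }


def format_report(report):
    """Render the report as plain text suitable for the security pack."""
    lines = [
        f"MFA coverage: {report['covered']}/{report['total']} accounts ({report['coverage_pct']}%)",
        f"Proposal form - MFA on admin/privileged accounts: {report['admin_accounts_mfa']}",
        f"Proposal form - MFA on all accounts: {report['all_accounts_mfa']}",
    ]
    for label, key in (("Privileged accounts without MFA", "privileged_without_mfa"),
                       ("Standard accounts without MFA", "standard_without_mfa")):
        lines.append(f"{label}: {', '.join(report[key]) if report[key] else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(coverage_report(parse_export(SAMPLE_EXPORT))))
```

The report separates privileged gaps from standard-user gaps because the forms ask about them separately, and it derives the answers from the export rather than from what you believe to be true; run it at each renewal and keep the output with the date of the export.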


Why maintaining requirements matters

Hamilton, Ontario – $18M Setback Over Lack of MFA

In a striking case, the City of Hamilton faced a ransomware attack in February 2024. The city avoided paying the ransom, but when it filed a claim, the insurer refused to pay. The reason? Many departments hadn’t implemented multi-factor authentication (MFA), which the insurer deemed essential security practice. As a result, taxpayers were left covering a staggering $18.3 million recovery cost.

This heartbreaking example underscores how insurers are treating MFA not as a recommendation, but as a condition of coverage.

Cottage Health (USA) – Payout Denied Over Missing Patching

Another case involved Cottage Health, a healthcare provider whose cyber insurance claim for a breach was denied, not because the claim was frivolous but because the hospital had not regularly checked and maintained security patches. This failure, explicitly mentioned in its policy conditions, was enough to void coverage.

International Control Services – MFA Breach Leads to Rejection

In yet another highlight, International Control Services had a ransomware claim denied because they did not properly use multi-factor authentication, which was a stipulated requirement under their policy.


What to prepare before you buy cyber insurance

  • A short security pack that shows your controls and proves they work, for example:

    • Screenshots or reports proving MFA coverage

    • Backup architecture, immutability and restore test logs

    • Patch management reports showing monthly and critical updates

    • EDR console overview and policies

    • Email filtering and DMARC policy summary

    • Last penetration test report executive summary and remediation tracking

    • Incident response plan and a record of the latest tabletop exercise

  • Clean and accurate answers on the proposal form. If an answer is true "with exceptions", say so and attach detail. This protects you at claims time.
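The "Email filtering and DMARC policy summary" item is easy to evidence with a record check. The following is an added example, not code from the original post: it parses a DMARC TXT record (the value published at _dmarc.yourdomain) and grades it for the summary. The records it checks are constructed; in practice you fetch the live one with a DNS lookup such as `dig TXT _dmarc.example.co.nz` and feed the string in.

```python
"""Grade a DMARC record for the email security section of a security pack.

Added example, not part of the original post. The records below are constructed;
fetch your own with a DNS TXT lookup of _dmarc.<domain> and pass the string to
assess_dmarc().
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the effective policy, a grade, and the findings an underwriter would ask about."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "grade": "missing",
                "findings": ["missing or invalid v=DMARC1 tag"]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "policy": None, "grade": "missing",
                "findings": ["p= tag missing or not one of none/quarantine/reject"]}

    findings = []
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if not pct_raw.isdigit():
        findings.append(f"pct={pct_raw} is not a number; receivers treat it as 100")

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unpoliced")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    sp = tags.get("sp", "").lower()
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")

    # Grade used in the summary: only a full-strength reject policy counts as "strong".
    if policy == "reject" and pct == 100 and sp != "none":
        grade = "strong"
    elif policy == "none":
        grade = "monitor-only"
    else:
        grade = "partial"
    return {"valid": True, "policy": policy, "pct": pct, "grade": grade, "findings": findings}


# Constructed records for the demonstration; none belong to a real domain.
SAMPLE_RECORDS = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.nz",
    "monitor": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.co.nz; sp=none",
    "not_dmarc": "v=spf1 include:_spf.example.co.nz -all",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{name}: grade={result['grade']} policy={result['policy']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Record the grade and findings alongside the date of the lookup; a "monitor-only" or "partial" grade is still a truthful answer on the form, but it is one to explain rather than tick through.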


Cyber insurance is not a replacement for cybersecurity. It is a contract that assumes you run a basic security programme and can prove it. If you keep up with MFA, patching, backups, endpoint and email security, access control, staff training, and regular penetration testing, you are far more likely to get cover at a sensible price and keep it when you need it most. This is the baseline for businesses across New Zealand today.

If you want a quick independent gap check before you renew, we can help with penetration testing, secure configuration reviews, and a practical remediation plan so your cyber insurance application is accurate and strong.

