CyberCover.co.nz
← Back to Blog
Coverage GuideCyberCover Team8 min read28 January 2026

What to Expect When You Make a Cyber Insurance Claim in NZ

When Something Goes Wrong: How Cyber Insurance Claims Work

Most NZ business owners hope they will never need to make a cyber insurance claim. But understanding exactly how the process works before something happens is enormously valuable — both because it helps you respond more effectively in the moment, and because it ensures you have set your business up to meet the policy conditions that trigger coverage.

Step 1: Call the 24/7 Incident Response Hotline — Immediately

The most important thing to know about cyber insurance claims is that you do not wait until you have assessed the full extent of the incident before calling. You call the moment you suspect something has gone wrong — even if you are not yet certain it is a cyber attack. Most cyber policies include access to a 24/7 incident response hotline that connects you immediately to a specialist cyber incident response team.

This team includes cyber forensic investigators, legal advisors specialising in cyber and privacy law, and breach coaches who have managed hundreds of incidents. Their expertise in the immediate hours after an incident is often more valuable than the financial coverage itself — because how you respond in the first 24 hours significantly affects both the scope of the breach and your regulatory obligations.

Step 2: Incident Response and Containment

The incident response team will immediately work to contain the incident — preventing further data exfiltration, isolating affected systems, and preserving forensic evidence. This is not just about fixing the problem: preserving evidence is essential for understanding the full scope of the breach, meeting Privacy Act notification obligations accurately, and supporting any subsequent investigation or legal proceedings.

Do not switch off servers, wipe systems or delete potentially compromised files before specialist advice is obtained — these actions can destroy forensic evidence and complicate your notification obligations.

Step 3: Scope Assessment and Breach Determination

Once containment is achieved, the forensic investigators will assess the full scope of the incident: what systems were affected, what data was accessed or exfiltrated, how the attacker gained access, and what the timeline of the attack was. This assessment typically takes 48–96 hours for a contained incident, but can take longer for complex breaches. The output of this assessment informs your Privacy Act notification decisions.

Step 4: Notification and Regulatory Engagement

Based on the breach scope assessment, your privacy legal advisors will determine whether notification obligations are triggered under the Privacy Act 2020. If notification is required, they will draft notification communications to affected individuals and the Privacy Commissioner, manage the notification process, and handle any follow-up regulatory engagement. All of these costs are covered under your cyber insurance policy.

Step 5: Business Interruption and Recovery

While incident response and notification proceed, your policy's business interruption cover compensates for revenue lost during the period your systems are unavailable. Document your normal revenue carefully — this documentation supports your business interruption claim calculation. System restoration specialists will work to rebuild affected systems as rapidly as possible.

Step 6: Claim Settlement

Unlike property insurance where you wait for a settlement after the event, cyber insurance is a "pay on behalf" product — your insurer pays covered costs as they are incurred throughout the incident, rather than requiring you to pay out of pocket and seek reimbursement. This ensures you can access the specialist resources you need immediately, without cash flow constraints.

Tips to Ensure Your Claim Goes Smoothly

Document your normal IT security controls before an incident — this supports the claims assessment process. Report to your insurer immediately, not days later — late notification can affect coverage. Keep your policy details accessible from outside your main business systems, since a ransomware attack may lock you out of your normal file storage. And brief key staff on the claims process before anything goes wrong — the moment of an incident is not the time to read the policy for the first time.

About the Author

CyberCover Team is part of the CyberCover team — dedicated to making cyber insurance transparent and accessible for NZ businesses of all sizes.

Ready to Get Protected?

Get tailored cyber insurance quotes from licensed NZ brokers. Free advice, no obligation.

Get Your Free Cyber Insurance Quote

Free advice. No obligation. Licensed NZ brokers respond within 1 business day.