Cyber Threats | CyberCover Team | 6 min read | 17 April 2026

Supply Chain Cyber Attacks: Why Your Biggest Threat May Come From Your Supplier

The Third-Party Cyber Threat Most NZ Businesses Overlook

Your firewall is updated. Your staff have completed phishing training. Multi-factor authentication is on. So why are you still at risk? Because your cyber security posture is only as strong as the weakest link in your supply chain — and that's often a link you didn't choose and can't control.

How Supply Chain Attacks Work

A supply chain cyber attack occurs when an attacker compromises a trusted third party to gain access to your systems or data. This might be a managed IT provider who has administrative access to your network, a payroll software vendor whose product is used by thousands of NZ businesses, a cloud accounting platform that stores your financial data, or a marketing agency with access to your customer database.

The attacker compromises the third party — often a smaller, less well-defended organisation — and then uses that access as a bridge into all of their clients. From your perspective, the access appears entirely legitimate because it is coming from a trusted system or identity.

Notable Supply Chain Attack Patterns in NZ

While NZ businesses are rarely named in international reporting, New Zealand has been affected by several major global supply chain events. The SolarWinds compromise affected NZ government agencies and their supply chain partners. MOVEit, the file transfer software, exposed data from organisations across sectors when attackers exploited a vulnerability before patches could be applied. NZ-based managed service providers (MSPs) have been specifically targeted by ransomware groups seeking to maximise reach across client bases.

Assessing Your Third-Party Cyber Risk

Start by mapping which third parties have access to your data or systems. For each, consider: Do they have administrative or privileged access? What data do they hold or have access to? What are their own security controls and certification standards? Do they have cyber insurance? What contractual protections do you have if their breach affects your business?

How Cyber Insurance Responds to Supply Chain Incidents

This is where policy wording matters enormously. Most cyber policies cover your first-party costs arising from a third-party breach — the forensic investigation, notification, and business interruption you suffer. However, recovering losses from the third party itself through subrogation or litigation is complex and often not fully covered. Some policies now offer specific third-party service provider failure extensions. Discuss this explicitly with your broker when comparing policies.

Practical Steps to Reduce Supply Chain Risk

Require key suppliers to confirm their security certifications (ISO 27001, SOC 2). Include cyber security obligations in contracts. Limit third-party access to the minimum necessary. Monitor third-party access logs. Ask your insurer what supply chain events they have seen claimed under your policy type; this will quickly reveal where your gaps are.

About the Author

CyberCover Team — the CyberCover crew are self-confessed insurance geeks on a mission to make cyber cover simple, accessible and jargon-free for businesses of every size.
