Industry Insight
Only 6% of small NZ businesses have cyber insurance, yet 43% have been targeted.
Why Small Businesses Need Cyber Insurance
Small businesses account for 43% of all cyber attacks in New Zealand. With customer payment data, employee records and business finances all stored digitally, the impact of a breach can be devastating, and without insurance, most small businesses cannot recover.
Top Cyber Risks for Small Businesses
- Business email compromise (BEC)
- Ransomware attacks
- Payment fraud
- Phishing scams targeting staff
- Customer data theft
Recommended Coverage for Small Businesses
Typical Premium Range
Premiums vary based on revenue, data held, security controls in place, and coverage limits selected. Our brokers will find the best rate for your specific profile from multiple insurers.
The Cyber Threat Facing Small NZ Businesses in 2026
Small businesses in New Zealand are experiencing a surge in targeted cyber attacks. In 2025, cyber incidents reported to CERT NZ rose significantly, with small and medium businesses accounting for the majority of victims. The misconception that cybercriminals only target large corporations is dangerously outdated: automated attack tools allow criminals to probe thousands of small businesses simultaneously, looking for weak passwords, unpatched software and poorly secured remote access.
The average cost of a cyber breach for a small NZ business is $173,000. For most small businesses, that figure is simply unsurvivable without insurance. And yet only 6% of small NZ businesses currently hold cyber insurance cover, one of the lowest uptake rates in the developed world.
What Makes Small Businesses Attractive Targets
Contrary to popular belief, small businesses are often more attractive to cybercriminals than large enterprises. Large businesses invest heavily in cybersecurity, employ dedicated IT security teams, and maintain sophisticated monitoring systems. Small businesses, by contrast, typically rely on consumer-grade security, have no dedicated IT security staff, and rarely run penetration testing or security audits.
Small NZ businesses commonly hold more valuable data than their owners realise: customer payment details, employee IRD numbers, supplier banking details, confidential pricing information and years of business correspondence. This data has significant value on dark web marketplaces, and once stolen, it is sold and resold multiple times.
The Most Common Cyber Attacks on Small NZ Businesses
Business Email Compromise (BEC)
BEC is the single most common and costly cyber claim across NZ businesses of all sizes. In a BEC attack, criminals impersonate your CEO, a key supplier or your bank, sending convincing emails that request urgent payment transfers or changes to banking details. Staff, believing the request to be legitimate, authorise payments to fraudulent accounts. Losses range from a few thousand dollars to hundreds of thousands.
Ransomware
Ransomware encrypts all of your business files (documents, accounting records, customer data, emails) and demands payment for the decryption key. For small businesses without proper offsite backups, this can mean permanent data loss. Even with backups, restoration typically takes two to four weeks, during which your business cannot operate normally.
Phishing and Credential Theft
Phishing emails trick staff into entering their usernames and passwords on fake login pages. Once attackers have your email or accounting software credentials, they can access years of business data, redirect payments, and impersonate you to your customers and suppliers. Microsoft 365 and Xero accounts are among the platforms most commonly compromised in attacks targeting NZ small businesses.
Privacy Act 2020: Your Legal Obligations
If your business holds any personal information about customers, employees or suppliers (and virtually every business does), you are subject to the Privacy Act 2020. This legislation requires you to notify the Office of the Privacy Commissioner and affected individuals when a breach occurs that is likely to cause serious harm. Failure to notify is an offence. The notification process itself (legal advice, customer communications, call centre support, credit monitoring) typically costs $20,000–$80,000 for a small business.
Cyber insurance covers all of these notification costs, as well as the legal advice you need to understand and meet your obligations in the immediate aftermath of a breach.
What Small Business Cyber Insurance Actually Covers
A well-structured cyber insurance policy for a small NZ business includes several key components. First-party coverage pays for your own business losses: IT forensic investigation, data restoration, business interruption losses, ransomware response, crisis communications and regulatory notification costs. Third-party liability coverage responds to claims made against your business by customers or other parties whose data was compromised in the breach.
Importantly, most policies also include access to a 24/7 cyber incident response hotline, so when something goes wrong at 2am on a Saturday, you have immediate access to specialist response teams rather than trying to manage the situation alone.
How Much Does Small Business Cyber Insurance Cost?
For most small NZ businesses, cyber insurance premiums range from $50 to $120 per month, less than most businesses spend on coffee or stationery. Premiums are primarily driven by your annual revenue, the volume and sensitivity of customer data you hold, and the security controls you have in place. Businesses with multi-factor authentication (MFA) on email and accounting software, regular tested backups, and up-to-date software typically pay at the lower end of the range.
Our licensed NZ brokers compare policies from multiple underwriters, including Chubb, AIG, Zurich, Delta Insurance and QBE, to find the right cover at the best available price for your specific business profile.
Practical Steps to Reduce Your Risk (and Your Premium)
While cyber insurance provides the financial protection when something goes wrong, there are practical steps every small business can take to reduce their risk. Enable multi-factor authentication on your email, accounting software and any cloud services. Ensure you have regular automated backups that are stored offsite, ideally with a cloud backup service that maintains multiple restore points. Keep all software and operating systems updated with security patches. Train your staff to recognise phishing emails and verify unexpected payment requests through a separate channel. These measures will reduce both your cyber risk and your insurance premium.
Written by the CyberCover Advisory Team
Licensed NZ insurance advisors specialising in cyber risk for New Zealand businesses. All content reviewed for accuracy and NZ regulatory compliance.
Last updated: May 2026
Frequently Asked Questions
Do I need cyber insurance if I already have IT support?
Yes. IT support helps prevent attacks, but cyber insurance pays for what happens when prevention fails: legal fees, notification costs, lost revenue and data recovery. These costs go well beyond what IT support covers.
What is the minimum cyber cover a small NZ business should have?
At minimum, look for a policy covering data breach response (including Privacy Act notification costs), business interruption, ransomware extortion, and business email compromise / social engineering fraud. Check that BEC cover is explicitly included; some policies exclude it or apply low sub-limits.
How quickly does cyber insurance respond after an incident?
Most policies provide immediate access to a 24/7 cyber incident response hotline the moment you suspect an incident. You don't need to wait for a formal claim to be lodged; specialist response teams activate immediately to help contain and manage the situation.
Will cyber insurance cover a breach caused by staff error?
Yes. Most cyber insurance policies cover incidents arising from staff error, including clicking on phishing links, mis-sending data to the wrong recipient, and falling for social engineering scams. Intentional wrongdoing by directors is typically excluded, but accidental employee actions are generally covered.