Cyber Insurance Coverage Guide

Everything covered by a comprehensive NZ cyber insurance policy — explained in plain English.

A comprehensive cyber insurance policy in New Zealand covers two types of loss: first-party losses (costs your business incurs directly from a cyber incident) and third-party liability (claims made against your business by customers, partners or regulators). Below, we break down each coverage component in detail.

Not every policy covers every component — and limits, sub-limits and excesses vary significantly between insurers. Our brokers help you identify the gaps before you buy.

Data Breach Response

When your customer or employee data is exposed

A data breach is one of the most costly and stressful events a business can face. First-party breach response cover activates immediately, funding the specialist resources needed to contain, investigate and remediate.

What's Covered:

  • IT forensic investigation to determine cause and scope
  • Legal advice on Privacy Act 2020 notification obligations
  • Individual notifications to affected customers/employees
  • Call centre setup to handle enquiries
  • Credit monitoring services for affected individuals
  • Public relations and media statement support
  • Regulatory liaison with the Office of the Privacy Commissioner

Real World Example

A healthcare provider's patient management system is breached, exposing 3,000 patient records. Cyber insurance funds the IT forensic investigation ($25,000), legal advice and notification costs ($35,000), credit monitoring for affected patients ($20,000), and PR support ($8,000).

🦠

Ransomware & Cyber Extortion

When criminals encrypt your systems and demand payment

Ransomware is one of the most disruptive and costly cyber threats facing NZ businesses. Modern ransomware groups combine encryption with data theft, creating a "double extortion" scenario. Expert response is critical.

What's Covered:

  • 24/7 incident response team activation
  • Specialist ransomware negotiator access
  • Ransom payment funding (subject to legal guidance)
  • Decryption key verification and testing
  • System restoration and data recovery costs
  • Business interruption losses during recovery
  • Threat intelligence and post-incident hardening advice

Real World Example

A manufacturing company's production systems are hit by ransomware. Cyber insurance funds the incident response team ($20,000), negotiation resulting in a reduced settlement ($60,000), system restoration ($45,000), and 3 weeks of business interruption losses ($90,000).

Business Interruption

Lost revenue when your systems go down

When a cyber attack takes your systems offline, the clock starts immediately on lost revenue. Business interruption cover compensates for income lost during the period your operations are impaired — often the largest component of a cyber claim.

What's Covered:

  • Lost net revenue during the recovery period
  • Fixed ongoing costs (rent, salaries, loan repayments)
  • Extra expenses to maintain operations
  • Dependent business interruption (if a key supplier is attacked)
  • Cloud service outage cover (on some policies)

Real World Example

A legal firm's case management system is encrypted by ransomware. The firm is unable to operate at full capacity for 18 days during recovery. Business interruption cover pays $140,000 in lost billings and ongoing fixed costs during the period.

Third-Party Cyber Liability

When others claim against your business

If your business suffers a breach that exposes customer or third-party data, those affected parties may pursue compensation claims. Third-party liability cover protects your business from these claims.

What's Covered:

  • Defence costs against privacy breach claims
  • Compensation and settlement payments
  • Network security liability (if your systems attack others)
  • Media liability for content-related cyber claims
  • Regulatory investigation defence costs
  • Fines and penalties where legally insurable

Real World Example

A retail business suffers a database breach exposing 8,000 customer credit card records. Twenty customers suffer financial fraud and bring claims. Cyber liability cover funds $180,000 in legal defence and settlement costs.

Social Engineering & Fraud

Business email compromise and invoice fraud

Social engineering fraud — particularly business email compromise (BEC) — is the most common cyber claim in New Zealand. It requires no hacking: criminals impersonate trusted parties to trick businesses into making fraudulent payments.

What's Covered:

  • Fraudulent payment instructions (CEO fraud)
  • Invoice fraud via email impersonation
  • Supplier email compromise losses
  • Telephone fraud (vishing)
  • Funds transfer fraud

Real World Example

A construction company receives what appears to be an email from their long-term supplier, advising of changed bank account details. Staff transfer $95,000 to the fraudulent account before the fraud is discovered. Social engineering cover reimburses the loss.

Regulatory Defence & Fines

Privacy Commissioner investigations and penalties

The Privacy Act 2020 gives the Privacy Commissioner significant investigatory and enforcement powers. If your business suffers a notifiable breach, you may face an investigation — and potentially significant penalties.

What's Covered:

  • Legal costs to respond to Privacy Commissioner investigations
  • Representation in Human Rights Review Tribunal proceedings
  • Regulatory fines and penalties (where legally insurable)
  • Compliance guidance and remediation advice
  • Mandatory notification costs

Real World Example

An aged care provider suffers a breach affecting resident health records and is investigated by the Privacy Commissioner. Regulatory defence cover funds $45,000 in legal representation and compliance costs.

Crisis Management & PR

Protecting your reputation when it matters most

A significant cyber incident can permanently damage your business reputation. Crisis management cover funds specialist PR and communications support to manage your public response and protect customer trust.

What's Covered:

  • Specialist PR firm fees
  • Media statement drafting and management
  • Customer communication strategy
  • Social media monitoring and response
  • Reputational harm assessment
  • Brand recovery campaigns

Real World Example

A retail business suffers a high-profile data breach that attracts media coverage. Crisis management cover funds a specialist PR firm ($35,000) to manage media enquiries, customer communications and brand recovery activity.

Coverage FAQs

What does cyber insurance cover in New Zealand?
Cyber insurance in New Zealand typically covers first-party losses (your own business costs) and third-party liability (claims made against you by others). First-party cover includes: data breach response costs, ransomware extortion payments, business interruption losses, system restoration, crisis communications and legal fees. Third-party cover includes: privacy liability claims from affected customers or employees, network security liability, and regulatory investigation defence under the Privacy Act 2020.

Does cyber insurance cover ransomware attacks?
Yes — most comprehensive cyber insurance policies in NZ include ransomware extortion cover. This typically includes: payment of the ransom (subject to legal guidance), negotiation support from specialist cyber incident responders, data recovery and system restoration costs, and business interruption losses during the recovery period. Some policies have sub-limits on ransomware payments, so it's important to check this with your broker to ensure the limit is adequate for your business size.

Is data breach response covered?
Yes. Data breach response is one of the core components of cyber insurance. Cover typically includes: IT forensic investigation to determine the cause and scope, legal advice on notification obligations under the Privacy Act 2020, notification costs to affected individuals, credit monitoring services for affected customers, public relations and crisis communications, and regulatory liaison with the Office of the Privacy Commissioner.

Does cyber insurance cover business interruption?
Yes — most policies include business interruption cover for losses arising from a cyber incident. This covers lost revenue and ongoing fixed costs during the period your systems are unavailable or impaired following a covered cyber attack. Some policies have a waiting period (typically 8–12 hours) before business interruption cover kicks in, and there may be a maximum indemnity period. Your broker will help you select limits appropriate to your business's revenue and recovery time.

What is business email compromise (BEC) and is it covered?
Business email compromise (BEC) is a type of cyber fraud where criminals impersonate a trusted party (a supplier, colleague or executive) via email to trick your business into making a fraudulent payment. It is the most common type of cyber claim in New Zealand. Cover varies by policy — some include cyber crime (social engineering fraud) as standard, while others offer it as an optional add-on. Given BEC is NZ's most common cyber loss, we strongly recommend ensuring your policy explicitly includes this cover.

Get Cover Tailored to Your Business

Our brokers will match you with the right policy for your specific risk profile — not just the cheapest option.

Free advice. No obligation. Licensed NZ brokers. Reply within 1 business day.