Cybersecurity in New Zealand

Cyber security incidents are an area of business risk where it is vital to coordinate your response. Your IT provider, your cyber insurer’s claims handler, first response consultants and the legal experts need to work hand- in-hand to manage the response and ensure that your business complies with its insurance policy, its privacy obligations and its contractual obligations.

Currently in New Zealand the uptake of cyber cover is still low, and certainly far less than what we see in Australia. That is understandable given that Australia has had its mandatory privacy breach reporting obligations in place since 2018. In NZ our mandatory reporting has only been in place since 2020.

With cyber cover still reasonably priced the main driver behind the slow uptake in cover seems to be driven by a lack of awareness of what your business vulnerabilities are and the types of losses that might occur from a cyber attack. The types of loss from an attack for an SME can be extensive with the majority of claims running into at least the tens of thousands.

What type of costs or losses are usually covered?

Cyber cover in NZ does vary quite significantly, however it is usual for the policies to cover the costs arising out of a network security
breach (computer attack), a privacy breach as well as a confidentiality breach.

The policies are generally intended to cover the direct losses to respond to a breach including:

  • first party costs (i.e. IT consultants) and PR costs incurred;
  • loss of income (for a specified period of time or until the network is restored);
  • costs to restore the network;
  • loss caused by cyber crime (i.e. where there has been a misuse of a businesses identity). There is often cover for the cost of reimbursing customers for financial loss from the fraudulent communications or loss of other income caused by cyber crime.
  • claims from customers or other affected parties against a business for failing to prevent the security or privacy breach (i.e. claims of negligence); and
  • the payment of fines or penalties for a privacy breach.

But what isn’t covered by cyber insurance?

Cyber insurance will not cover anything that is not a direct cause of the cyber breach or a direct cost of responding to a cyber breach. For example, generally cyber policies would only respond to the cost to restore the system to the same functionality as prior to the attack. It will not cover any betterment or upgrading required to the network. Cyber policies also generally will not cover loss or damage to physical property (i.e. the hardware) nor will they cover any loss caused by a failure in the design of any network or the failure to maintain any network, computer or software.

In addition to these practical exclusions, the policies also generally exclude cover for any act of terrorism. It pays to check carefully the definitions of these acts which are not covered vs cyber terrorism which is.

“Your insurance will generally cover the core nuts and bolts of
responding to a cyber attack. There are a lot of nuances around what is covered and what isn’t.”

Current trends:

  • Significant increase in the number of notifications and claims that insurers are receiving.
  • More targeted and ambitious.
  • Significant increase in frequency and severity of Ransomware attacks.
  • Premiums and excesses will be increasing. Decrease in the cover available and lower limits.
  • The mandatory reporting obligations which took effect from 2018 in Australia triggered the growth of the uptake of cyber insurance. New Zealand will likely follow the Australian trend. 

Special thanks to Partner Tanya Wood for preparing this article. For further information, or to discuss further please contact Tanya or one of our cyber or insurance specialists.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.

Related insights

Find an expert