If someone told you there was a 1-in-5 chance your business would suffer a significant financial loss this year from a single type of risk, you'd insure against it immediately. Yet most small businesses still don't have cyber insurance — despite cyber attacks now affecting more businesses than any other crime type.
Let's cut through the jargon and give you a clear picture of what cyber insurance is, what it covers, and whether your business needs it.
What cyber insurance actually covers
Cyber insurance is designed to help businesses survive a cyber incident. It's not primarily about stopping attacks — it's about paying for the response and recovery. Key covers typically include:
*First-party costs (your own losses):*
- Forensic investigation to determine what happened and how
- System restoration and data recovery
- Business interruption losses while systems are down
- Ransomware extortion payment and negotiation (where legally permitted)
- Customer and staff notification costs after a data breach
- PR and crisis communications management

*Third-party liability (your legal obligations to others):*
- Compensation to customers whose data was breached
- Defence costs in privacy or data breach litigation
- Regulatory investigation costs and fines (where insurable)
The Privacy Act 2020 connection
The Privacy Act 2020 created mandatory notification obligations for notifiable privacy breaches, that is, breaches that have caused or are likely to cause serious harm to the people whose information is involved. If your business suffers a breach of customer information that meets that threshold, you are legally required to notify the Privacy Commissioner as soon as practicable and, unless one of the Act's exceptions applies, the affected individuals as well.
Notification costs alone (letters, credit monitoring services for affected customers, legal review of what must be disclosed and to whom) can run to tens of thousands of dollars for even a modest-sized breach. Cyber insurance policies typically cover these costs, and many also provide the legal and forensic panel that works out whether the serious-harm threshold has been met.
What a ransomware attack costs an SME
Based on CERT NZ data and industry research, the average cost of a ransomware attack on an SME is $50,000-$200,000, including:
- $10,000-$50,000 in IT recovery costs
- $20,000-$100,000 in business interruption losses
- $5,000-$30,000 in data recovery
- $10,000-$50,000 in lost productivity and staff time
The ransom itself (if paid) is often smaller than the recovery costs.
What cyber insurance costs for SMEs
For a typical small business with $1-5m revenue:
- Basic cyber cover ($1m limit): $1,500-$3,000/year
- Mid-tier cover ($2-3m limit): $3,000-$6,000/year
Premiums depend on your sector (healthcare, finance, and professional services typically pay more), the nature and volume of personal data you hold, your security posture (multi-factor authentication, regular backups, and patching reduce premiums), and your turnover.
Is it worth it?
Calculate it simply: if a cyber incident would cost your business $100,000 or more in recovery and lost business, and the probability of an incident in any given year is 5-20% (which is within CERT NZ's reported range), then the expected cost is $5,000-$20,000 per year. Cyber insurance at $2,000-$4,000 per year is excellent value against that exposure. The expected-value comparison also understates the case: it averages the loss over many years, whereas a single $200,000 incident lands all at once and can be fatal to a business that cannot absorb it, which is exactly the risk insurance exists to transfer.
The short answer for most SMEs: yes, it's worth it — especially if you hold customer personal data, rely on digital systems for operations, or process significant online payments.
How to get cyber insurance
DUAL NZ offers cyber insurance directly through their WebRater platform for 500+ occupations. NZI, Delta Insurance, and other insurers are available through brokers including Marsh NZ. For a market comparison and tailored advice, submit a quote request through our form.