Business Insurance Guide

Cyber Security Insurance

Protect your business from the financial impact of cyber attacks, data breaches, and ransomware.


What is Cyber Insurance?

Cyber insurance is now essential for businesses of all sizes. A cyber attack or data breach can result in significant costs: forensic investigation, system restoration, business interruption losses, regulatory fines, legal liability to affected customers, and PR/crisis communications. Insurers including DUAL, NZI, and Delta Insurance offer cyber products up to $10m in cover.

There has been a dramatic rise in cyber attacks on businesses — from ransomware attacks on critical infrastructure to spear-phishing campaigns targeting SMEs. CERT NZ reported thousands of cyber incidents in 2024-2025. The Privacy Act 2020 also creates mandatory breach notification obligations and potential fines, making cyber insurance not just commercially important but legally relevant.

Written by FraudInsurance.co.nz Editorial Team · Updated May 2026

Key Risks This Covers

  • Ransomware attacks encrypting your business data
  • Data breaches exposing customer personal information
  • Business email compromise and wire fraud
  • Phishing attacks targeting staff credentials
  • Supply chain cyber attacks

What Cyber Insurance Covers

  • First-party incident response and forensic investigation
  • System restoration and data recovery costs
  • Business interruption losses from a cyber event
  • Ransomware extortion payments and negotiations
  • PR, crisis management, and customer notification costs
  • Third-party liability to affected individuals
  • Regulatory defence and fines (where insurable)
  • Social engineering fraud add-on (select policies)

Who Needs Cyber Insurance?

  • Any business that stores customer personal data
  • E-commerce businesses processing online payments
  • Professional services firms with sensitive client data
  • Healthcare providers under Privacy Act obligations
  • Financial services businesses with high-value transactions
  • Any business dependent on digital systems for operations

Typical Premium Range

Cyber insurance premiums for SMEs typically start from $1,500-$4,000 per year for $1-2m cover. Larger corporates can access $5-10m limits. Premiums depend on revenue, data holdings, security posture, and industry sector.

What is Cyber Insurance in New Zealand?

Cyber insurance — also called cyber liability insurance or cyber security insurance — is a specialist policy designed to cover the financial consequences of cyber attacks, data breaches, and related digital threats. It is one of the fastest-growing insurance categories globally and is rapidly becoming standard for businesses of all sizes in New Zealand.

The policy covers two broad categories of cost. First-party costs are those you incur directly: forensic investigation to understand what happened, restoring your systems and data, business interruption losses while your systems are down, and crisis management. Third-party costs are those you become liable to pay: compensation to customers whose data was breached, regulatory fines, and legal defence costs.

What cyber insurance does not typically cover is equally important to understand. Standard cyber policies generally do not cover:

  • losses from employee embezzlement or dishonesty (fidelity insurance territory)
  • physical damage to property from a cyber event (covered under property insurance in some cases)
  • losses where the business deliberately caused the incident
  • war or state-sponsored cyber attacks (an exclusion that has been the subject of significant litigation globally)

The key distinction from commercial crime insurance: cyber insurance focuses on the cyber event itself and its financial consequences, whereas commercial crime insurance focuses on the criminal act and the direct financial loss. A ransomware attack that causes business interruption is a cyber insurance claim. An employee who steals funds using their authorised system access is a fidelity insurance claim. These are different policies for different risks — and businesses increasingly need both.

The Cyber Threat Landscape for NZ Businesses 2026

The cyber threat environment for businesses has intensified dramatically over the past three years, and shows no sign of abating. CERT NZ (the government's Computer Emergency Response Team) received thousands of incident reports from NZ businesses in 2024-2025, representing significant financial and operational losses across the economy.

Ransomware remains the dominant threat by financial impact. Organised criminal groups deploy ransomware — software that encrypts business data and systems, demanding a ransom for the decryption key — against businesses of all sizes. SMEs are increasingly targeted because they often have valuable data but weaker cybersecurity than large corporations. The average cost of a ransomware recovery (including IT restoration, business interruption, and ransom payments where made) ranges from $50,000 for small businesses to $500,000+ for mid-market organisations.

Business Email Compromise (BEC) is the fastest-growing threat by volume and continues to cost businesses tens of millions annually. BEC attacks involve criminals compromising or spoofing email accounts to redirect payments or extract sensitive information. AI-generated phishing messages are now virtually indistinguishable from authentic communications, significantly lowering the detection rate.

The Privacy Act 2020 creates a regulatory overlay that makes cyber incidents more expensive than before. Serious privacy breaches must be notified to the Privacy Commissioner and affected individuals. Failure to notify appropriately can result in investigation, adverse findings, and reputational damage — in addition to the direct costs of the breach.

Supply chain attacks — where criminals target a supplier's systems to gain access to that supplier's customers — are growing. A small business may have excellent security but be compromised through a software provider or managed service provider. This emerging threat is covered by cyber insurance but often overlooked in businesses' risk assessments.

First-Party vs Third-Party Cyber Cover

Cyber insurance policies are typically structured around two categories: first-party cover (your own losses) and third-party cover (your liability to others). Understanding this distinction is essential when comparing policies and ensuring you have appropriate protection.

First-Party Cover includes:

  • Incident Response and Forensic Investigation: The immediate costs of responding to a cyber incident — engaging specialist cybersecurity firms to investigate what happened, how the attacker got in, and what data or systems were affected. These costs can run to tens of thousands of dollars even for modest incidents.
  • System Restoration and Data Recovery: The technical costs of restoring systems, recovering data from backups (or rebuilding data where backups are absent or affected), and returning to operational status. Often the most significant direct cost category.
  • Business Interruption: Lost revenue and increased operating costs arising from the period your systems are down or impaired following a cyber attack. For businesses dependent on digital systems — which is now nearly all businesses — this can dwarf the technical recovery costs.
  • Ransomware Extortion Payments and Negotiation: If you choose (or are advised) to pay a ransom, cyber insurance can cover the payment subject to legal requirements. Insurers now provide specialist ransomware negotiators to engage with criminals, often significantly reducing the demanded amount.
  • Customer and Staff Notification: The Privacy Act 2020 requires notification of serious breaches. The cost of drafting, printing, and mailing notification letters, providing credit monitoring services to affected individuals, and managing the customer communication process is covered.

Third-Party Cover includes liability to customers, regulatory investigation costs and fines (where legally insurable), media liability (for defamation or breach of privacy arising from the incident), and professional liability arising from a breach of client data.

Cyber Insurance Providers in New Zealand

The NZ cyber insurance market has matured significantly over the past five years, with several strong options available for businesses at different size and risk profiles.

DUAL NZ: DUAL is a specialist underwriter that offers online cyber insurance through their WebRater platform — businesses in 500+ occupations can get an indicative quote online in minutes. Their cyber policy is one of the most accessible in the NZ market for SMEs. A key feature is the optional social engineering fraud add-on, providing up to $250,000 coverage for BEC and related losses. This makes DUAL a strong starting point for SMEs seeking combined cyber and social engineering protection.

NZI Cyber Base and Cyber Ultra: NZI (part of IAG, the largest general insurer in NZ and Australia) offers a tiered cyber product — Cyber Base for smaller risks and Cyber Ultra for businesses needing broader cover and higher limits. Available through NZI's broker network and well-suited to businesses already in the NZI ecosystem.

Delta Insurance: Delta is a NZ-based specialty insurer with a strong reputation in the cyber space. Their products are available through the broker market and tend to offer flexibility in coverage terms. Delta is a good option for businesses with specific coverage requirements or risk profiles that standard products don't accommodate.

Chubb Electronic and Computer Crime (ECC): Chubb's ECC product sits at the intersection of cyber and commercial crime, covering computer-enabled fraud as well as broader cyber risks. Suited to financial services and other businesses where the computer crime/cyber overlap is significant.

AIG CyberEdge: AIG's global cyber platform, CyberEdge, is available in NZ through their local operations and broker partners. CyberEdge is a comprehensive product suited to mid-market and corporate businesses, with access to specialist incident response resources globally.

How to Compare: The most important comparison points are:

  • coverage triggers (what events activate the policy?)
  • sublimits (are any covers capped at a lower amount?)
  • social engineering inclusion or exclusion
  • incident response quality (who do you actually call when you have an incident?)

Does Your Business Need Cyber Insurance?

Most businesses do need cyber insurance — the question is what level of cover is appropriate. The following framework can help assess your exposure.

Revenue threshold: Any business with more than $500,000 in annual revenue faces cyber exposure that justifies insurance review. Below that threshold, basic cyber policies still make sense if the business holds customer data.

Data-holding businesses: If your business holds personal information about customers, employees, or third parties — addresses, dates of birth, financial information, health data — the Privacy Act 2020 creates mandatory notification obligations on breach. The notification and response costs alone justify insurance. Healthcare providers, professional services firms, and any business with a customer database are in this category.

Regulated sectors: Financial services providers, healthcare organisations, and other regulated businesses face heightened obligations around data security. Regulators increasingly expect cyber insurance as part of a comprehensive risk management approach.

Supply chain exposure: Businesses that are part of significant supply chains — as either supplier or buyer — face exposure both from their own systems and from attacks that enter through supply chain partners. This is increasingly relevant as attack methods become more sophisticated.

The honest assessment: If your business would face costs of more than $50,000 from a significant cyber incident — and for most businesses with any IT dependency, this is a reasonable estimate — then cyber insurance at $1,500-$4,000 per year is excellent value.

Businesses without cyber insurance: You remain responsible for all incident response costs, system restoration, business interruption losses, regulatory compliance, and third-party liability. A single significant incident could be financially devastating for an SME.

How to Make a Cyber Insurance Claim

The first 24 hours after discovering a cyber incident are critical — both for containing the attack and for protecting your insurance claim. The order of operations matters enormously.

Step 1 — Notify Your Insurer BEFORE Taking Major Action: This is the most important instruction. Contact your insurer (or their 24/7 incident hotline) before making any significant decisions — including paying a ransom. Most cyber policies include access to specialist incident response firms, and using insurer-approved responders is typically required for coverage. Acting without notifying the insurer first can jeopardise your claim.

Step 2 — Engage the Incident Response Team: Your insurer will connect you with specialist cyber incident response professionals. These are specialists in cyber forensics, ransomware negotiation, legal obligations, and PR management. Their involvement is typically covered under the policy.

Step 3 — Forensic Investigation: A forensic investigation determines how the attacker got in, what they accessed, how long they were in your systems, and whether data was exfiltrated. This is essential both for remediation and for regulatory notification decisions.

Step 4 — Legal Notification Assessment: Your legal and insurance team will assess whether the incident triggers Privacy Act notification obligations. If notification is required, the process, timing, and content must be managed carefully.

Step 5 — PR and Customer Communication: Significant incidents typically require customer communication. Cyber policies often include PR crisis management support to manage the reputational aspects alongside the technical recovery.

Common claim mistakes to avoid:

  • paying a ransom without notifying the insurer
  • deleting or overwriting systems before forensic investigation
  • failing to document decisions and costs during the incident
  • not notifying the insurer promptly (most policies have strict notification timeframes)

Cyber Insurance Costs for NZ Businesses

Cyber insurance premiums in New Zealand have increased over the past three to four years as claims frequency and severity have risen — but for most SMEs, cover remains accessible and competitively priced relative to the exposure.

Indicative Premium Ranges for 2026:

  • Small businesses ($1-2m revenue, basic data holdings): $500-$2,000 per year for $1m cover
  • Medium businesses ($2-10m revenue, significant customer data): $2,000-$5,000 per year for $2-5m cover
  • Professional services firms (law, accounting, finance): $3,000-$8,000+ per year for $2-5m cover
  • Healthcare providers: $4,000-$10,000+ per year due to elevated data sensitivity
  • E-commerce businesses with payment card data: $3,000-$8,000+ per year

Key Factors Affecting Your Premium:

  • Annual revenue: Higher revenue = more at risk from business interruption
  • Industry sector: Healthcare, financial services, and legal sectors carry higher premiums
  • Data holdings: Volume and sensitivity of personal data held
  • Security posture: Multi-factor authentication (MFA), endpoint protection, and regular patching all reduce premium
  • Backup practices: Regular, tested, offline backups significantly reduce ransomware risk — and premium
  • Prior claims: Prior cyber incidents will affect premium meaningfully

How to Reduce Your Premium:

  • Implement MFA across all systems (this alone can reduce premium by 15-30%)
  • Demonstrate regular, tested, and offline backup practices
  • Apply security patches promptly
  • Conduct regular staff phishing awareness training
  • Have an incident response plan in place

The ROI calculation: if a ransomware attack costs your business $100,000-$300,000 to resolve, and the annual probability of such an event is 5-15%, then the expected annual cost is $5,000-$45,000. Cyber insurance at $2,000-$5,000 per year transfers most of that risk at a fraction of the expected cost.

Frequently Asked Questions

Standard cyber insurance focuses on external attacks (hacking, malware, data breaches). Social engineering fraud — where criminals trick employees into transferring funds — is often available as a separate endorsement or add-on. DUAL NZ, for example, offers a social engineering fraud add-on with up to $250,000 sublimit. Always check the specific policy wording.


Key Providers

  • Chubb NZ (insurer)
  • DUAL NZ (insurer)
  • NZI (insurer)
  • Delta Insurance NZ (insurer)
  • AIG NZ (insurer)

This page provides general information only. Insurance needs vary by business. Always consult a licensed insurance adviser before purchasing. Our quote form connects you to licensed advisers only.
