Cyber Insurance for NZ SMEs: It’s about Risk, Not Perfection
If you’ve looked at a cyber insurance form recently, you might’ve seen questions like:
Have you done a cyber security assessment in the last year?
Do you train your staff on cyber risks?
Are you using MFA, backups, patching, endpoint protection?
It can feel like if you can’t tick every box you’ll be turned away. But in reality, it’s not that black and white.
You Don’t Need to Be Perfect
Cyber insurance in New Zealand isn’t about having a flawless setup. You don’t have to show an audit from a top-tier consultant or a full set of formal documents just to get cover. Even if your business is still getting started on the cyber front, there’s a good chance you’ll still be able to get a policy.
If you’ve got good basics in place (things like MFA, regular staff training and data backups), you’re showing that you take cyber seriously. That usually means lower risk for the insurer, which often leads to sharper pricing and better terms. And answering “no” to some of the questions doesn’t necessarily mean you’re ineligible for cover.
But here’s the real insight - the more security gaps you have when applying for a Cyber Policy, the more you’ll likely pay in premiums as insurers assess the level of risk based on your current cyber security measures.
What Insurers Actually Expect
To cut through the confusion, we talked to Rothbury Insurance Brokers, a local insurance specialist. Here's what they told us about some of the common requirements.
Cyber assessments: Great to have and highly recommended but not usually mandatory. For businesses with a prior cyber event or claim, insurers will usually want to see evidence of remediation efforts, which is fair. But typically, insurers do not require formal audits as a condition for offering insurance cover.
Staff training: It matters, as human error causes a lot of incidents. But in most cases, it’s not a mandatory requirement. Insurers usually ask about training frequency, and that will influence the premium.
Core security controls: Insurers will ask about key controls (e.g. MFA, patching, backups), but none are mandatory for smaller businesses (under $25m turnover). Again, the number of controls in place will affect the premium.
Evidence and Documentation: Again, great practice, and it’s helpful to have these in place. While Business Continuity and Incident Response Plans are important, they're typically only requested or prioritized once a business has reached a certain level of growth.
To explain the approach to cyber insurance, they compare it to insuring a physical building. A cyber policy protects your digital assets in much the same way a property policy protects a building. If a building has minimal security, it can still be insured, but not all insurers may offer cover, and the premium could be higher due to the increased risk. Similarly, with cyber insurance, the stronger your security measures (such as multi-factor authentication (MFA) and offsite backups), the more favourable the terms and pricing are likely to be.
So, What Should You Do?
You don’t need to have it all nailed down, but every step you take to improve your cyber security puts you in a better position and may help reduce your insurance cost. The more “yes” boxes you can tick, the lower your risk looks to insurers. The more you can show (even just a one-pager or checklist), the easier it is to secure decent cover. And if your IT partner is proactive and helping you stay ahead, you’re in great shape.
Need Help Filling in the Gaps?
Cyber insurance is just one part of the puzzle, but it’s a useful safety net. If you're unsure where your business stands, we can help.
We help businesses build practical, right-sized security that ticks the boxes without overcomplicating things. If you’d like to strengthen your cyber posture or just be better prepared for your next cyber insurance renewal, let’s talk.
We talked to our insurers at Rothbury Insurance Brokers in creating this article.