5 Things Your Cyber Insurer Will Ask — And How to Have Answers Ready

Cyber insurance applications are getting harder. Here are the five questions every NZ insurer asks and how to prepare.

5 February 2026 5 min read By Good Security

Cyber Insurance Is No Longer a Rubber Stamp

The short version: Cyber insurers are no longer rubber-stamping applications — they are asking five specific questions about your security controls, and the difference between approval and decline comes down to evidence. If you can answer these five questions convincingly, you are in a strong position. Book a free security health check to find out where your answers are strong and where they are weak. Read on for the full breakdown.

Two years ago, getting cyber insurance in New Zealand was straightforward. Fill in a form, pay a premium, done. That era is over.

Insurers across NZ and Australia have been hit with a wave of claims — ransomware payouts, business interruption losses, regulatory defence costs. In response, underwriters have tightened their requirements dramatically. Applications that would have sailed through in 2023 are now being declined, deferred, or quoted at significantly higher premiums.

The good news: if you can answer the right questions convincingly, you are in a strong position. Here are the five questions every cyber insurer in New Zealand is asking — and what good answers look like.

1. Do You Have Multi-Factor Authentication Everywhere?

What they ask: Is MFA enabled on email, VPN, remote access, and all administrative accounts?

What good looks like: MFA is enforced (not just available) across all external-facing services and every account with administrative privileges. You can provide configuration evidence showing MFA is mandatory, not optional.

Common gaps: MFA is enabled for email but not for VPN or cloud admin portals. Legacy applications bypass MFA. Service accounts lack additional authentication controls.

2. Do You Have Endpoint Detection and Response?

What they ask: Is an EDR solution deployed across all endpoints, with active monitoring?

What good looks like: A recognised EDR platform is installed on every endpoint — workstations, laptops, and servers. Alerts are monitored and responded to, not just logged. You can demonstrate deployment coverage and recent response activity.

Common gaps: Traditional antivirus is in place but not EDR. EDR is deployed on workstations but not servers. No one is actively monitoring the alerts.

3. What Is Your Backup Strategy and Do You Test It?

What they ask: Do you maintain offline or immutable backups? When did you last test a full restore?

What good looks like: Critical data is backed up following the 3-2-1 rule (three copies, two media types, one offsite). At least one backup copy is offline or immutable — meaning ransomware cannot encrypt it. You have tested a full restore within the last 12 months and can document the results.

Common gaps: Backups exist but are all online and connected to the network. No one has tested a restore in years. Backup coverage does not include all critical systems.

4. Do You Have an Incident Response Plan?

What they ask: Is there a documented incident response plan? Has it been tested?

What good looks like: A written incident response plan that covers detection, containment, eradication, recovery, and notification. The plan includes contact details for key personnel, legal counsel, and your insurer's breach response line. It has been tested through a tabletop exercise within the last 12 months.

Common gaps: No written plan exists. The plan was written three years ago and never updated. Key contacts are out of date. No one has practised the response.

5. Do You Run Security Awareness Training?

What they ask: Do all staff complete regular security awareness training, including phishing simulations?

What good looks like: All staff complete security awareness training at least annually, with new starters trained during onboarding. Phishing simulations run quarterly, with results tracked and repeat clickers receiving additional coaching. You can provide completion records and simulation results.

Common gaps: Training was done once but is not ongoing. Phishing simulations are not run. No records exist to prove training occurred.
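The five questions above all reduce to the same check: compare what the business actually has against the underwriter's threshold and list the gaps that need evidence. The script below is an added example, not Good Security's code or any insurer's questionnaire; it scores a constructed inventory (accounts, endpoints, backups, incident response plan, training records) against the thresholds stated in this article: MFA enforced on every administrative or external-facing account, EDR on every endpoint including servers, the 3-2-1 rule with one offline or immutable copy and a restore test within 12 months, a tabletop exercise within 12 months, annual training for all staff and quarterly phishing simulations. The inventory values, hostnames and account names are made up; the date is pinned to the article's publication date so the result is reproducible.

```python
"""Cyber-insurance readiness check (added example; all inventory data constructed)."""
from datetime import date, timedelta

TODAY = date(2026, 2, 5)          # pinned so the output is reproducible
MAX_AGE = timedelta(days=365)     # "within the last 12 months" in the article

# Constructed inventory, the kind of thing an evidence pack is assembled from.
INVENTORY = {
    "accounts": [  # mfa: "enforced", "available" (optional) or "none"
        {"name": "ceo@example.co.nz", "admin": False, "external": True, "mfa": "enforced"},
        {"name": "it-admin@example.co.nz", "admin": True, "external": True, "mfa": "available"},
        {"name": "svc-backup", "admin": True, "external": False, "mfa": "none"},
        {"name": "vpn-user1", "admin": False, "external": True, "mfa": "enforced"},
    ],
    "endpoints": [
        {"host": "WS-001", "kind": "workstation", "edr": True},
        {"host": "LT-017", "kind": "laptop", "edr": True},
        {"host": "SRV-FILE01", "kind": "server", "edr": False},
    ],
    "backups": [
        {"system": "file-server", "copies": 3, "media": {"disk", "tape"}, "offsite": True,
         "immutable_or_offline": True, "last_restore_test": date(2025, 6, 1)},
        {"system": "crm", "copies": 2, "media": {"cloud"}, "offsite": True,
         "immutable_or_offline": False, "last_restore_test": None},
    ],
    "ir_plan": {"documented": True, "last_tabletop": date(2024, 11, 3),
                "contacts_reviewed": date(2025, 12, 1)},
    "training": {"staff": 40, "completed_last_12m": 36, "phishing_sims_last_12m": 4},
}


def stale(last, today=TODAY):
    """True when an event never happened or is older than 12 months."""
    return last is None or today - last > MAX_AGE


def mfa_gaps(accounts):
    """Q1: every administrative or external-facing account must have MFA enforced, not merely available."""
    return [a["name"] for a in accounts
            if (a["admin"] or a["external"]) and a["mfa"] != "enforced"]


def edr_gaps(endpoints):
    """Q2: every endpoint, servers included, must carry EDR."""
    return [e["host"] for e in endpoints if not e["edr"]]


def backup_gaps(backups, today=TODAY):
    """Q3: 3-2-1 rule, one offline/immutable copy, full restore tested within 12 months."""
    gaps = []
    for b in backups:
        name = b["system"]
        if b["copies"] < 3:
            gaps.append(f"{name}: fewer than three copies")
        if len(b["media"]) < 2:
            gaps.append(f"{name}: single media type")
        if not b["offsite"]:
            gaps.append(f"{name}: no offsite copy")
        if not b["immutable_or_offline"]:
            gaps.append(f"{name}: no offline or immutable copy")
        if stale(b["last_restore_test"], today):
            gaps.append(f"{name}: full restore not tested in last 12 months")
    return gaps


def ir_gaps(plan, today=TODAY):
    """Q4: written plan, tabletop-tested within 12 months, contact list kept current."""
    gaps = []
    if not plan["documented"]:
        gaps.append("no written incident response plan")
    if stale(plan["last_tabletop"], today):
        gaps.append("tabletop exercise older than 12 months or never run")
    if stale(plan["contacts_reviewed"], today):
        gaps.append("contact list not reviewed in last 12 months")
    return gaps


def training_gaps(training):
    """Q5: all staff trained within the year, phishing simulations at least quarterly."""
    gaps = []
    untrained = training["staff"] - training["completed_last_12m"]
    if untrained > 0:
        gaps.append(f"{untrained} staff without training in last 12 months")
    if training["phishing_sims_last_12m"] < 4:
        gaps.append("fewer than four phishing simulations in last 12 months")
    return gaps


def readiness(inv, today=TODAY):
    """Map each underwriter question to the list of gaps that still need closing."""
    return {
        "1. MFA everywhere": mfa_gaps(inv["accounts"]),
        "2. EDR coverage": edr_gaps(inv["endpoints"]),
        "3. Backups": backup_gaps(inv["backups"], today),
        "4. Incident response": ir_gaps(inv["ir_plan"], today),
        "5. Awareness training": training_gaps(inv["training"]),
    }


def ready(inv, today=TODAY):
    """True only when every question has an empty gap list."""
    return all(not gaps for gaps in readiness(inv, today).values())


if __name__ == "__main__":
    for question, gaps in readiness(INVENTORY).items():
        print(question, "OK" if not gaps else "")
        for g in gaps:
            print("   -", g)
    print("Ready to apply:", ready(INVENTORY))
```

Run against the constructed inventory it flags the cases the article calls out as common gaps: an admin account where MFA is available but not enforced, a service account with no MFA, a server without EDR, a cloud-only backup with no immutable copy and no restore test, and a tabletop exercise that has lapsed. Each line of output is a piece of evidence (a configuration screenshot, a restore log, an exercise record) that would need to exist before the renewal form is filled in.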

Why Documentation Matters More Than Implementation

Here is the insight most businesses miss: insurers do not just want you to have these controls in place. They want you to prove it. An MFA policy is good. A screenshot of your MFA enforcement configuration, attached to a completed security baseline assessment, is what gets your application approved.

The difference between a declined application and a competitive premium often comes down to documentation quality. A strong readiness process produces structured evidence packs — configuration screenshots, policy documents, test records, and supporting notes that speak the language underwriters expect.

Get Ahead of Your Next Renewal

If your cyber insurance renewal is approaching, now is the time to assess your readiness. A security baseline assessment identifies exactly where you stand against these five questions and produces the documented evidence you need.

Book a free security health check to get a clear view of where you stand — and what it takes to get to "yes" from your insurer.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.