The Renewal Landscape Has Shifted
The short version: ANZ businesses now need a minimum of six security controls to qualify for cyber coverage, and 87% of insurers require email security controls before they will even quote. If you go into your 2026 renewal with the same security position you had in 2024, you risk a declined application or an uneconomical premium — but a readiness assessment identifies your weak answers in weeks. Read on for the full breakdown.
If your cyber insurance renewal is approaching in 2026, you are walking into a fundamentally different market than the one you navigated two or three years ago. The days of ticking a few boxes on an application form and receiving a competitive quote are finished. Underwriters across Australia and New Zealand have recalibrated their expectations, and the bar for coverage has moved sharply upward.
This shift has not happened overnight. According to the Kordia 2025 NZ Business Cyber Security Report, 59% of New Zealand businesses experienced a cyber attack or incident in 2024. One in ten businesses that were compromised by a cyber incident paid a ransom or extortion demand, and 22% of incidents caused operational disruption. Those are not abstract statistics for insurers — they are claims.
Consider what a single claim looks like from the insurer's side. When the Waikato District Health Board was hit by ransomware in May 2021, the insurance claim reached NZD $16.5 million — and exceeded the policy limit. The DHB's cyber insurance premium subsequently jumped from $400,000 to $1.3 million per year, a 225% increase (Reseller News; Te Whatu Ora). Across the Tasman, Latitude Financial's 2023 data breach — 14 million customer records compromised — resulted in a full-year loss of AUD $158.5 million (Business News Australia, 2023). These are the claims that reshaped the underwriting models you are now being assessed against.
Every ransom paid, every week of disrupted operations, and every regulatory notification feeds directly into those models. The premiums and requirements you face in 2026 are a direct consequence of the claims insurers have paid out since 2021.
The result is a market where insurers have moved from asking general questions about your security position to demanding specific, verifiable evidence of capable controls. As Marsh NZ has reported, insurers continued to scrutinise organisations' cyber controls throughout 2024 and into 2025, with underwriters prioritising robust cyber risk management as a prerequisite for coverage. If you are still relying on the same security position that got you through your last renewal, you need to understand what has changed — and you need to act before your renewal date arrives.
What Underwriters Are Demanding in 2026 That They Were Not in 2024
The most significant shift in the ANZ cyber insurance market is the expansion of mandatory security controls. According to Insurance Business Magazine, ANZ businesses now require a minimum of six security controls to qualify for cyber insurance coverage, compared with a global average of five. That one additional control may sound minor, but it represents a meaningful increase in the baseline that underwriters expect from every applicant.
Two areas have seen the most dramatic change.
Email security has become a near-universal requirement. Insurance Business Magazine reports that 87% of ANZ insurers now require email security controls, compared with a global average of 66%. This means that if your business does not have advanced email filtering, DMARC enforcement, and anti-phishing controls in place, you are likely to face questions you cannot answer satisfactorily during the application process.
Identity and access management (IAM) has followed a similar trajectory. According to Insurance Business Magazine, 84% of ANZ insurers now require IAM controls, compared with a global average of 53%. This goes well beyond basic password policies. Underwriters expect to see multi-factor authentication enforced across all critical systems, role-based access controls, privileged access management, and regular access reviews.
These are not optional enhancements. They are prerequisites. If you cannot demonstrate these controls during your renewal, you face three possible outcomes: a declined application, a significantly higher premium, or coverage with restrictive exclusions that leave you exposed when you need protection most.
The Six Controls Every NZ Business Needs Before Renewal
Based on current underwriter expectations and the ANZ market data from Insurance Business Magazine, the minimum control set that every New Zealand business should have in place before approaching a cyber insurance renewal includes the following six areas.
1. Multi-Factor Authentication (MFA)
MFA must be enforced — not merely available — across all external-facing services, email platforms, VPN connections, cloud administrative portals, and any account with elevated privileges. Underwriters will ask for evidence of enforcement, not just enablement. If your users can opt out of MFA, that is a gap.
2. Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient. Underwriters expect a recognised EDR platform deployed across all endpoints, including servers, with active monitoring and demonstrated response capability. You should be able to show deployment coverage statistics and evidence of recent alert investigation and response.
3. Email Security and Anti-Phishing Controls
With 87% of ANZ insurers requiring email security controls according to Insurance Business Magazine, this is effectively a universal requirement. Your business needs advanced email filtering, DMARC enforcement at a policy of quarantine or reject, anti-spoofing protections, and ideally a security awareness training programme with phishing simulations to address the human element.
4. Identity and Access Management
The 84% requirement rate from ANZ insurers according to Insurance Business Magazine makes IAM the second most emphasised control category. Underwriters expect role-based access controls, regular access reviews (at minimum quarterly), privileged access management for administrative accounts, and documented processes so that access is revoked when staff change roles or depart.
5. Backup and Recovery
Immutable or offline backups remain a cornerstone requirement. Your backup strategy should follow the 3-2-1 rule: three copies of data, on two different media types, with one copy stored offsite or in an immutable state. Critically, you must be able to demonstrate that you have tested a full restore within the last 12 months. Untested backups are, from an underwriter's perspective, equivalent to no backups at all.
6. Incident Response Planning
A documented, tested incident response plan is expected. The plan must cover detection, containment, eradication, recovery, and regulatory notification obligations under the Privacy Act 2020. It should include current contact details for key personnel, legal counsel, your insurer's breach response line, and any third-party incident response providers. Underwriters increasingly ask when the plan was last tested through a practice run — "we have a plan but have not tested it" is no longer an acceptable answer.
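For control 3 above, whether a domain meets the "quarantine or reject" bar can be read from the TXT record published at _dmarc.<your domain>. The following is an added example, not part of the original article: it parses a record and reports whether the policy is fully enforced, partially enforced, or monitoring only. The sample records and the example.com addresses are constructed.

```python
# Added example: grade a DMARC TXT record against the "quarantine or reject" bar.
ENFORCING = {"quarantine", "reject"}

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "reject-full": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "staged": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "spf-not-dmarc": "v=spf1 include:_spf.example.com -all",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 policy record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:  # parts without "=" are ignored
            tags.setdefault(name.strip().lower(), value.strip())
    return tags if "p" in tags else None

def assess_dmarc(txt):
    """Return (status, findings); status is 'enforced', 'partial' or 'not_enforced'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "not_enforced", ["no valid DMARC1 policy record"]
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "not_enforced", [f"p={policy} is monitoring only"]
    findings = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: a malformed pct is treated as absent (default 100)
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    sub = tags.get("sp", policy).lower()  # sp falls back to p when absent
    if sub not in ENFORCING:
        findings.append(f"sp={sub}: subdomains are not enforced")
    status = "partial" if findings else "enforced"
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to keep as evidence")
    return status, findings

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, assess_dmarc(record))
```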
Why "We Have Antivirus" Is No Longer Enough
The evolution from basic security controls to the thorough security position that underwriters now expect reflects a fundamental change in how insurers assess cyber risk. Several years ago, having antivirus software, a firewall, and regular backups was generally sufficient to satisfy most cyber insurance applications in New Zealand.
That baseline has been rendered obsolete by the threat landscape. The Kordia 2025 NZ Business Cyber Security Report found that 59% of New Zealand businesses experienced a cyber attack or incident in 2024. Modern threat actors routinely bypass traditional antivirus through fileless malware, living-off-the-land techniques, and social engineering. Underwriters have absorbed these lessons through their claims experience and adjusted their requirements accordingly.
The shift is not only about which controls you have. It is about the capability of those controls and your ability to prove they are functioning. An antivirus product that is installed but not centrally managed, not reporting to a dashboard, and not being monitored for alerts is a control that exists in theory but fails in practice. Underwriters have become adept at distinguishing between controls that are genuinely operational and controls that merely appear on an asset register.
This is why documentation has become as important as implementation. In practice, the gap between having a control and being able to evidence that control to an underwriter's satisfaction is often the difference between approval and decline. A security baseline assessment that produces structured evidence — configuration screenshots, policy documents, test results, coverage statistics — speaks directly to what underwriters need to see.
Premiums, Capacity, and What the Market Looks Like
For businesses that are prepared, the premium environment in 2026 is more favourable than it has been in several years. According to Marsh NZ, cyber insurance pricing in New Zealand increased by 5 to 10 percent in 2023, but rates stabilised in 2024 with rollover at renewal being the norm for businesses that maintained or improved their security position.
This stabilisation is significant. It means that the punitive premium increases that characterised the 2022 and 2023 market have largely abated for well-prepared organisations. The global market remains robust, with Swiss Re estimating that global cyber premiums will reach US$16.4 billion in 2026, up from US$15.6 billion in 2025 according to S&P Global Ratings. That growth is driven primarily by expanding coverage uptake and broadening policy scope rather than by across-the-board rate increases.
However, the stabilisation in pricing applies specifically to businesses that can demonstrate the controls underwriters require. The market has effectively split into two tiers. Businesses with strong cyber hygiene — those that can evidence the six controls outlined above — are seeing competitive premiums, broader coverage, and more willing capacity from insurers. Businesses that cannot demonstrate those controls are facing the opposite: higher premiums, restrictive exclusions, sub-limits on key coverage areas, and in some cases outright declinations.
The implication for your renewal is clear. Investment in security controls and the documentation to evidence them is not just a security decision. It is a direct financial decision that affects your insurance costs, your coverage breadth, and your ability to transfer risk effectively.
How to Prepare in the Next 30 Days
If your renewal is within the next quarter, the following 30-day timeline will position your business to meet underwriter expectations.
Days 1 to 5: Conduct a Gap Assessment
Review your current security controls against the six areas outlined above. For each control, answer two questions: is the control in place and operational, and can you produce documented evidence of its effectiveness? Be honest about gaps. Identifying a gap now gives you time to address it. Discovering it during the application process does not.
Days 6 to 10: Address Critical Gaps
Prioritise MFA enforcement and email security, as these are the two controls with the highest requirement rates among ANZ insurers. If MFA is not enforced across all critical systems, make that change immediately. If your email domain does not have DMARC at enforcement (quarantine or reject), begin the implementation process. These two controls alone address the most common reasons for application complications.
Days 11 to 20: Build Your Evidence Pack
Compile the documentation that underwriters will request. This includes MFA enforcement configuration evidence, EDR deployment coverage reports, email security configuration records (SPF, DKIM, DMARC), access control policies and recent review logs, backup configuration and restore test results, and your incident response plan with the date of the most recent practice run.
Days 21 to 25: Test and Validate
Run a backup restore test if you have not done so in the last 12 months. Conduct a brief practice run against your incident response plan. Verify that your EDR coverage matches your actual endpoint inventory. These activities produce evidence and close gaps simultaneously.
Days 26 to 30: Engage Your Broker
Present your evidence pack to your insurance broker before they approach the market on your behalf. A well-documented submission gives your broker the material they need to negotiate the best possible terms. Underwriters respond positively to organised, well-documented applications — it signals that you take cyber risk seriously and that you are a lower-risk prospect.
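For the Days 21 to 25 step above, checking that EDR coverage matches the endpoint inventory is a reconciliation of two exports. The following is an added example, not part of the original article: it compares an asset list with an EDR agent export and produces the coverage statistics an evidence pack would cite. The CSV column names, hostnames, dates and the 14-day staleness threshold are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not any EDR product's format.
INVENTORY_CSV = """hostname,type
AKL-LT-001,laptop
AKL-LT-002,laptop
akl-srv-01,server
AKL-SRV-02,server
WLG-LT-010,laptop
"""
EDR_CSV = """hostname,last_seen
akl-lt-001.corp.example,2026-03-30
AKL-SRV-01,2026-03-29
WLG-LT-010,2026-01-12
OLD-PC-77,2026-03-30
"""

def norm(host):
    """Lower-case short name, so FQDN and bare hostname forms of one machine match."""
    return host.strip().lower().split(".")[0]

def reconcile(inventory_csv, edr_csv, as_of, stale_days=14):
    """Compare inventory with EDR agents; an agent silent for > stale_days is not counted."""
    inventory = {norm(r["hostname"]): r["type"]
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    agents = {norm(r["hostname"]): date.fromisoformat(r["last_seen"])
              for r in csv.DictReader(io.StringIO(edr_csv))}
    missing = sorted(h for h in inventory if h not in agents)   # no agent at all
    stale = sorted(h for h in inventory
                   if h in agents and (as_of - agents[h]).days > stale_days)
    unknown = sorted(h for h in agents if h not in inventory)   # inventory is incomplete
    healthy = len(inventory) - len(missing) - len(stale)
    by_type = {}  # type -> (covered, total), so server coverage is visible on its own
    for host, kind in inventory.items():
        ok = host in agents and host not in stale
        covered, total = by_type.get(kind, (0, 0))
        by_type[kind] = (covered + ok, total + 1)
    pct = round(100 * healthy / len(inventory), 1) if inventory else 0.0
    return {"coverage_pct": pct, "missing": missing, "stale": stale,
            "unknown": unknown, "by_type": by_type}

if __name__ == "__main__":
    print(reconcile(INVENTORY_CSV, EDR_CSV, as_of=date(2026, 3, 31)))
```

Hosts reported as unknown matter as much as the missing ones: an agent on a machine that is not in the inventory means the inventory itself cannot be used as the denominator for the coverage figure.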
Get Ready Before Your Renewal
Most NZ cyber insurance policies renew in Q2 or Q3. If your renewal falls in that window, the preparation clock is already ticking — a readiness assessment and improvement cycle takes four to six weeks, and underwriters will not wait for you to catch up.
The market you are walking into is not the same one you navigated last time. Insurers are declining applications that would have been approved in 2023. If you go into your 2026 renewal with the same security position you had in 2024, you risk a declined application or a premium that makes coverage uneconomical.
A readiness assessment identifies exactly where your weak answers are — the specific controls that will trigger a "no" — and produces the evidence and improvement path to fix them before your renewal date.