The Three Controls That Get NZ Cyber Insurance Applications Declined

MFA, backup testing, and incident response plans — the three controls NZ insurers check first. Here is what they expect and where businesses fail.

3 March 2026 16 min read By Good Security

Insurers Are Saying No — And They Are Getting More Specific About Why

The short version: MFA gaps, untested backups, and unpractised incident response plans are the three controls that get NZ cyber insurance applications declined most often. If you cannot prove they work, your insurer treats them as absent — but these are fixable, and most businesses close the gaps in weeks. Book a free security health check to find out where you stand before your renewal. Read on for the full breakdown.

Fifty-nine percent of New Zealand businesses experienced a cyber attack in 2024, according to the Kordia 2025 NZ Business Cyber Security Report. That is not a fringe risk. That is a majority of the business population encountering real threats — ransomware, phishing, business email compromise, data theft. The result has been a wave of claims that has fundamentally reshaped how insurers assess cyber risk in the ANZ market.

Two years ago, the cyber insurance application process was largely a formality. Today, it is a technical assessment. Underwriters have retooled their questionnaires, brought in dedicated cyber risk teams, and started declining applications that would have been approved without question in 2023. If you are preparing a cyber insurance application or renewal in 2026, the margin for error has narrowed considerably. And while insurers evaluate a broad range of security controls, three specific areas account for a disproportionate share of declined applications. Get these right, and you are well-positioned. Get them wrong, and your application is likely going back with a "no" — or a premium quote that makes the coverage uneconomical.

Control 1: Multi-Factor Authentication — Properly Implemented, Not Just Enabled

Multi-factor authentication has moved from "nice to have" to hard prerequisite. According to Insurance Business Magazine, 84 percent of ANZ insurers now require identity and access management controls, with 87 percent requiring email security controls — both of which centre on MFA as a foundational element. If your MFA implementation has gaps, your application will have problems.

What Insurers Actually Expect

Insurers are not asking whether you have MFA. They are asking where you have it and whether it is enforced. There is a significant difference between MFA being available as an option that staff can enable and MFA being a mandatory requirement that cannot be bypassed. The standard that most ANZ underwriters now require covers all external-facing services (email, VPN, remote desktop, cloud portals), all accounts with administrative privileges (domain admin, cloud admin, database admin, backup admin), all cloud application access (Microsoft 365, Google Workspace, line-of-business SaaS tools), and any remote access pathway into the corporate environment.

Where NZ Businesses Fail

The most common failure pattern is partial implementation. MFA is enabled on email — typically Microsoft 365 — but the VPN still accepts password-only authentication. Cloud admin portals are protected, but legacy on-premise systems are not. User accounts have MFA, but service accounts and shared administrative accounts do not. This creates exactly the kind of gaps that attackers exploit: the Kordia 2025 report found that 43 percent of attacks against NZ businesses involved email phishing, which frequently targets credentials for systems where MFA is absent.

Another failure mode is relying on weak MFA methods. SMS-based one-time codes are better than nothing, but insurers increasingly view them as insufficient due to SIM-swapping and interception risks. Push notification fatigue attacks — where an attacker repeatedly triggers MFA prompts until the user approves one out of frustration — have also become a documented attack vector. What insurers want to see is phishing-resistant MFA: hardware security keys, authenticator applications with number matching, or certificate-based authentication.

What Good Looks Like

A strong MFA implementation means every external-facing login requires a second factor, with no exceptions. Conditional access policies enforce MFA based on risk signals — unfamiliar locations, new devices, impossible travel. Administrative accounts use phishing-resistant methods. Legacy systems that cannot support MFA natively are wrapped behind a reverse proxy or gateway that adds the authentication layer. And critically, you can produce configuration evidence — screenshots, policy exports, audit logs — proving all of the above.

Control 2: Tested Backups — Not Just "We Back Up to the Cloud"

If multi-factor authentication is the front door of your insurance application, backup strategy is the foundation. Ransomware is the single largest driver of cyber insurance claims in the ANZ region, and the Kordia 2025 report found that one in ten NZ businesses paid a ransom or extortion demand. Industry research shows that 78 percent of global ransomware victims are SMBs, and 51 percent of affected businesses experience ten or more days of operational downtime.

The Waikato DHB ransomware attack in May 2021 illustrates the scale of what goes wrong when backup and recovery controls are inadequate. Systems were offline for approximately six months. The insurance claim reached NZD $16.5 million — and exceeded the policy limit. After the attack, the DHB's cyber insurance premium jumped from $400,000 to $1.3 million per year, a 225% increase (Reseller News; Te Whatu Ora). That is the cost of a single ransomware event for a single organisation. Insurers absorbed that claim, learned from it, and recalibrated their underwriting requirements accordingly. The controls they now demand — particularly around backup integrity — are a direct response to claims like this one.

Insurers know these numbers intimately, and they know that the difference between a manageable incident and a catastrophic claim is almost always the quality of the backup programme.

What Insurers Actually Expect

The minimum standard most ANZ insurers require is the 3-2-1 backup rule: three copies of critical data, on two different media types, with one copy stored offsite. But that is the baseline, not the benchmark. In 2026, underwriters are specifically looking for immutable or air-gapped backups — at least one backup copy that ransomware cannot encrypt, delete, or modify even if the attacker gains administrative access to the primary environment. They want to know that backup coverage extends to all critical systems, not just file shares. This includes Active Directory, email systems, line-of-business applications, databases, and system state. And they want evidence that you have tested a full restore within the last twelve months.

Where NZ Businesses Fail

The most common failure is untested backups. Businesses invest in backup solutions, configure them correctly at deployment, and then never verify that a restore actually works. The Kordia 2025 report found that 22 percent of cyber incidents caused operational disruption — and in many of those cases, the disruption was prolonged because backups that were assumed to be working had not been validated.

The second failure is online-only backups. Cloud backup is convenient, but if the backup repository is reachable with the same credentials and from the same network as the primary environment, ransomware that compromises an administrator account can encrypt the backups as well. This is not a theoretical risk. It is the standard playbook of modern ransomware operators: gain administrative access, disable or encrypt the backups, then deploy the encryption payload.

The third failure is incomplete coverage. File-level backups exist, but there is no system state backup for the domain controller. Email is backed up, but the financial system is not. The backup covers production data, but not the configurations and application state needed to actually rebuild the environment.

What Good Looks Like

A strong backup programme starts with the 3-2-1 rule and adds immutability. At least one backup copy is stored in a write-once or air-gapped configuration that cannot be modified after creation. Backup scope covers every system needed to resume operations — not just data, but system images, configurations, and application state. Restore tests run at least annually, ideally quarterly, with documented results that include the time required to restore and any issues encountered. Retention policies are defined and aligned to both operational needs and regulatory requirements under the Privacy Act 2020. And the backup monitoring is active: failed backup jobs generate alerts that someone investigates.

Control 3: A Documented, Practised Incident Response Plan

Having a plan and testing a plan are two entirely different things. The Kordia 2025 NZ Business Cyber Security Report found that approximately 50 percent of NZ businesses have not practised their cyber security response plan. That statistic alone explains a significant portion of declined insurance applications. Insurers have learned, through claims experience, that an untested incident response plan fails under pressure — and when it fails, the claim is larger, the downtime is longer, and the regulatory exposure is greater.

What Insurers Actually Expect

An incident response plan that satisfies underwriter requirements covers the full incident lifecycle: preparation, detection, containment, eradication, recovery, and post-incident review. It assigns named roles — who leads the response, who makes containment decisions, who handles communications, who engages legal counsel. It includes current contact details for internal responders, external counsel, forensic investigators, your insurer's breach response hotline, and the Office of the Privacy Commissioner. It defines communication protocols: who is authorised to communicate externally, what channels are used, and how affected parties are notified under the Privacy Act 2020's mandatory breach notification requirements. And it has been tested — through a practice run exercise, simulation, or functional drill — within the last twelve months.

Where NZ Businesses Fail

The first failure is not having a plan at all. The business has never documented an incident response procedure, and when an incident occurs, the response is improvised. Decisions are made under stress without a framework, critical steps are missed, and evidence is destroyed through well-intentioned but uninformed actions.

The second failure is having a plan that exists only as a document. It was written — possibly by a consultant — filed in a shared drive, and never revisited. The contact details are out of date. The notification procedures reference staff who have left the organisation. The plan assumes capabilities that no longer exist, or references tools the business no longer uses.

The third failure, and the one that frustrates insurers most, is the absence of testing. Approximately one-third of NZ businesses do no board-level cyber risk reporting, according to the Kordia 2025 report, which typically means incident response planning receives no executive attention. A plan that has never been tested through a practice run exercise is a plan that will fail in its first real engagement. Staff will not know their roles. Communication channels will break down. Containment decisions will be delayed while people search for the document.

The Kordia 2025 report also found that 16 percent of incidents resulted in the compromise or theft of personally identifiable information. Under the Privacy Act 2020, a breach involving PII triggers mandatory notification obligations. An untested incident response plan dramatically increases the risk of mishandling that notification — notifying too late, notifying the wrong parties, or failing to notify at all. For insurers, this compounds the claim: the original incident plus regulatory penalties plus reputational damage.

What Good Looks Like

An effective incident response programme starts with a written plan that is reviewed and updated at least annually. The plan includes current contact information for all key personnel, external advisors, and regulatory bodies. A practice run exercise runs at least annually, bringing together the incident response team — including a senior executive — to walk through a realistic scenario. The exercise tests not just the technical response but the decision-making process: when to contain, when to notify, when to engage legal counsel, when to contact the insurer. Exercise results are documented, lessons learned are incorporated back into the plan, and the cycle repeats. This is the standard that underwriters expect, and it is the standard that separates approved applications from declined ones.

The Documentation Trap

Here is the uncomfortable truth that catches many NZ businesses off guard: having these controls in place is necessary but not sufficient. You must be able to prove it. Insurance applications are assessed on evidence, not assertions. Checking "yes" on a form is the beginning of the conversation, not the end.

When an underwriter asks about MFA, they want to see conditional access policy exports, deployment coverage reports, and authentication method configurations. When they ask about backups, they want restore test reports with dates, outcomes, and scope. When they ask about incident response, they want the plan document, the most recent practice run exercise report, and evidence of plan updates.

The businesses that get declined often have the controls in place. What they lack is the documentation to demonstrate it. And when an insurer cannot verify a control, they treat it as absent. From an underwriting perspective, an undocumented control is indistinguishable from a missing control.

ANZ insurers now require a minimum of six security controls to qualify for coverage, compared to a global average of five, according to Insurance Business Magazine. That higher bar means the evidence standard in this market is more demanding than most other regions. If your documentation is incomplete, you are competing for coverage in one of the most rigorous insurance markets in the world without the evidence to back up your position.

This documentation requirement also has implications for ongoing coverage. Insurers increasingly reserve the right to request evidence of controls at renewal, and some policies include conditions that void coverage if declared controls were not actually in place at the time of a claim. A ransomware event that triggers a forensic investigation can expose gaps between what was declared on the application and what was actually implemented. The consequences of that gap extend well beyond a declined claim.

What a Successful Application Looks Like

The businesses that secure competitive cyber insurance premiums in the current market share a common profile. They do not just have controls — they have a documented, evidenced security programme that they can present to an underwriter with confidence.

A successful application demonstrates MFA enforced across all external access points and administrative accounts, with configuration evidence. It demonstrates a backup programme following the 3-2-1 rule with at least one immutable copy, tested within the last twelve months, with restore test documentation. It demonstrates a written incident response plan with current contacts, tested through a practice run exercise within the last twelve months, with exercise documentation. It demonstrates a broader security programme that includes endpoint detection and response, security awareness training, vulnerability management, and board-level cyber risk reporting.
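The following Python self-check is an added illustration, not Good Security's tooling or any insurer's questionnaire. It encodes the criteria summarised above for all three controls: MFA coverage and method strength (external-facing and administrative logins, phishing-resistant methods for admins, SMS treated as weak), the 3-2-1 rule plus an immutable copy and a restore test within twelve months, and an incident response exercise within twelve months. The inventory it runs over is constructed, and the MFA method names are assumed labels for this example.

```python
from dataclasses import dataclass
from datetime import date

# Method names are assumed labels for this example, not any vendor's identifiers.
PHISHING_RESISTANT = {"fido2", "certificate", "authenticator_number_match"}
WEAK = {"sms", "push_without_number_match"}
MAX_AGE_DAYS = 365  # the insurer's "tested within the last twelve months"
@dataclass
class Login:
    name: str
    external: bool          # reachable from the internet
    admin: bool             # carries administrative privilege
    mfa: str = ""           # "" means password-only
    enforced: bool = False  # mandatory rather than user-optional

@dataclass
class BackupCopy:
    media: str
    offsite: bool
    immutable: bool         # write-once or air-gapped

def stale(last, today):     # no date recorded, or more than a year ago
    return last is None or (today - last).days > MAX_AGE_DAYS
def check_mfa(logins):
    findings = []
    for l in logins:
        if not (l.external or l.admin):
            continue  # internal, non-privileged: outside the insurer's baseline
        if not l.mfa or not l.enforced:
            findings.append(f"MFA missing or optional: {l.name}")
        elif l.admin and l.mfa not in PHISHING_RESISTANT:
            findings.append(f"admin account without phishing-resistant MFA: {l.name}")
        elif l.mfa in WEAK:
            findings.append(f"weak MFA method ({l.mfa}): {l.name}")
    return findings

def check_backups(copies, last_restore_test, today):
    findings = []
    if (len(copies) < 3 or len({c.media for c in copies}) < 2
            or not any(c.offsite for c in copies)):
        findings.append("3-2-1 rule not met")
    if not any(c.immutable for c in copies):
        findings.append("no immutable or air-gapped backup copy")
    if stale(last_restore_test, today):
        findings.append("no full restore test in the last twelve months")
    return findings

def check_ir(last_exercise, today):
    return ["incident response plan not exercised in the last twelve months"] if stale(last_exercise, today) else []
# Constructed inventory showing the partial-implementation pattern described above.
LOGINS = [
    Login("Microsoft 365 users", True, False, "authenticator_number_match", True),
    Login("VPN", True, False),                            # still password-only
    Login("backup admin", False, True, "sms", True),      # weak method on a privileged account
]
COPIES = [BackupCopy("disk", False, False), BackupCopy("cloud", True, False)]
def sample_findings(today=date(2026, 3, 3)):
    return (check_mfa(LOGINS) + check_backups(COPIES, date(2025, 1, 15), today)
            + check_ir(None, today))
```

Each finding maps to one line of evidence an underwriter would ask for, so an empty list is the point at which the evidence pack, not the controls, becomes the remaining work.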

The application itself is supported by an evidence pack: policy documents, configuration exports, test results, training records, and assessment reports. The evidence is current, specific, and structured in a way that an underwriter can review efficiently.

This is not an unreachable standard. It is a structured security programme, documented and maintained. For businesses that have the controls but lack the documentation, the gap is often smaller than expected. For businesses that have gaps in the controls themselves, the path forward is clear — and addressing these three controls first delivers the greatest return on investment, both for insurance outcomes and for actual security posture.

Frequently Asked Questions

Will fixing these three controls guarantee my application is approved?

No. Insurers assess a range of factors beyond MFA, backups, and incident response. But these three controls are the ones that most frequently cause outright declines. Closing these gaps removes the most common reasons for rejection and puts you in a significantly stronger position.

What if our MSP says they already handle all of this?

Your MSP may manage the technical implementation — deploying MFA, running backups, installing EDR. But insurers ask whether controls are enforced, tested, and documented. If your MSP has not tested a full restore recently, or if your incident response plan has never been exercised, the gap is in evidence and governance, not infrastructure.

How long does fixing these gaps typically take?

For most businesses, the critical gaps in these three areas can be closed within four to six weeks. MFA enforcement is often a configuration change. Backup testing requires scheduling and documenting a restore. Incident response plan testing means running a practice run exercise. These are achievable, practical steps.

Get Your Application Ready

With most NZ cyber insurance policies renewing in Q2 and Q3, the window to prepare is closing. Fixing gaps and gathering evidence takes four to six weeks — starting the week before your renewal is due means starting too late. Every gap you discover before your insurer does is a gap you can fix on your terms, with evidence ready.

A cyber insurance readiness assessment identifies exactly where you stand against the controls underwriters evaluate, highlights the gaps most likely to result in a declined application, and produces the structured evidence documentation that speaks the language insurers expect.

For many NZ businesses, the gap between current controls and underwriter expectations is smaller than it first appears. What matters is closing the evidence and governance gaps: configuration evidence, restore-test documentation, and incident-response materials that an underwriter can review with confidence.

Book a free security health check — find out precisely where you stand on these three critical controls before your renewal window closes.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.