Cyber Insurance & Risk Posture: How Prepared Are You?

Published: September 2025

As cyber threats evolve, insurers are adjusting their expectations — especially in New Zealand, where CERT NZ reported a record number of small-business incidents in the past year. Today, cyber insurance isn’t just about premiums; it’s about whether your business meets a rising bar for maturity and resilience.

Why Cyber Insurance Is Tougher Now

Underwriters are increasingly rigorous. They demand clear evidence of:

• ✅ Multi-Factor Authentication (MFA) across critical systems
• ✅ Isolated, tested backups — not just “cloud-based” ones
• ✅ Incident response plans and documented roles
• ✅ Evidence of patching, endpoint protection, and vulnerability scanning

Common Myths That Can Hurt Your Policy

• “My MSP handles everything.” — Most insurers want visibility into your responsibility model, including internal accountability.
• “We have antivirus, we’re covered.” — Antivirus is no longer considered sufficient. EDR, SIEM, or 24x7 monitoring is increasingly expected.
• “We’ve never had an incident.” — That may be luck, not posture. Insurers care about preparedness, not history alone.

How to Improve Your Risk Profile

Before applying or renewing, run a readiness assessment. Use our Cyber Insurance Readiness Checklist to verify your gaps. Prioritise:

• 🛡️ MFA for remote and admin access
• 🔁 Offsite or immutable backups, tested monthly
• 📈 Security awareness training (ongoing)
• 📝 Documented response plans and playbooks

NZ Snapshot: Trends We’re Seeing

Across Aotearoa, businesses under 100 seats are being asked for more detail during underwriting. We’ve seen local cases where lack of MFA or unclear responsibility models led to denied claims or 30–50% premium hikes.

Eduardo Wnorowski is a Technologist and Director.
With over 30 years of experience in IT and consulting, he helps organisations reduce risk and improve resilience through practical, tailored strategies.
LinkedIn Profile