If you're renewing cyber insurance in New Zealand in 2026, you've probably noticed the questionnaire has tripled in length and your broker is asking you to attach things like "policy documents" and "screenshots from your Microsoft 365 admin centre." This isn't your imagination — and it isn't going away. Here's what's happening, why, and exactly what you need to have in place to renew on reasonable terms.
Why Cyber Insurance Got Hard
NZ insurers paid out heavily on cyber claims through 2022-2024, primarily on business email compromise, ransomware, and funds-transfer fraud against SMEs. The market re-priced and re-underwrote. By 2025 most NZ insurers had moved from "fill in this short form" to detailed control-based questionnaires. By 2026, the questionnaire is the policy — what you have in place determines your premium, your excess, and what's actually covered.
The good news: the controls insurers want are the same controls you should have anyway. The bad news: if you don't have them, you may pay a premium loading of 30-100%, accept a $25,000+ excess, or be declined outright.
The Core Controls Every Insurer Asks About
1. Multi-Factor Authentication (MFA)
What they ask: Is MFA enforced for all users on email, remote access, and admin accounts? What method (SMS, app, hardware key)?
What they want to see: MFA enforced on Microsoft 365 / Google Workspace for every account, with genuinely phishing-resistant methods (FIDO2 hardware keys or passkeys, or Windows Hello for Business) for admin and finance staff. Microsoft Authenticator with number matching is the baseline for everyone else: it defeats push-fatigue attacks, but not adversary-in-the-middle phishing kits that relay the whole login including the push approval. SMS-only MFA is increasingly considered inadequate.
Why it matters: MFA blocks most attacks that rely on a stolen or guessed password alone. No MFA, no policy.
2. Endpoint Detection & Response (EDR)
What they ask: What endpoint protection runs on every device? Is it centrally managed? Does it include behavioural detection, not just signatures?
What they want to see: A modern EDR product (Microsoft Defender for Business, CrowdStrike, SentinelOne, Sophos, etc.) deployed on 100% of devices, centrally managed, with alerts routed to someone who actually responds. The free Microsoft Defender Antivirus built into Windows, without the Defender for Business EDR tier on top, is increasingly insufficient.
3. Backups (Independent, Tested)
What they ask: Do you have backups of email, files, and critical systems? Are they immutable (can't be deleted by an attacker)? When did you last successfully restore?
What they want to see: Third-party backup of Microsoft 365 or Google Workspace (separate vendor from your cloud provider), immutability protection, and evidence of a successful restore test in the past 12 months. Native cloud "retention" isn't a backup in their book.
4. Patching Discipline
What they ask: How quickly do critical security patches get applied? Do you have an asset inventory?
What they want to see: Centrally managed patching for Windows, macOS, browsers, and third-party apps with critical patches deployed within 30 days (faster for known-exploited vulnerabilities). Asset inventory in your RMM tool.
5. Email Security
What they ask: Do you have advanced email filtering? SPF, DKIM, DMARC records?
What they want to see: Advanced email security (Microsoft Defender for Office 365, Mimecast, Proofpoint) and DMARC at p=quarantine or p=reject, with pct=100, on every domain you own, not just the ones you send from: a parked or brand-protection domain should carry a DMARC p=reject record and an SPF record of v=spf1 -all so nobody can send as it. Default M365 filtering on its own often isn't enough.
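The SPF and DMARC checks above, as an added example for this article rather than Tryzee's own tooling: a short Python script that parses the two TXT records and reports the gaps an underwriter would flag (policy weaker than quarantine/reject, pct below 100, a weaker subdomain policy, no aggregate reporting address, and an SPF record that does not constrain senders). The domain names and records in it are constructed for illustration; for your own domains, fetch the records with the dig commands in the docstring and pass the strings in. The output is the kind of evidence that goes in the pack alongside the raw dig output.

```python
"""Check SPF and DMARC records against the bar insurer questionnaires set.

Added example for this article, not Tryzee's tooling. The records below are
constructed for illustration. For real domains, fetch the TXT records first:
    dig +short TXT example.co.nz
    dig +short TXT _dmarc.example.co.nz
and pass the strings to assess_domain().
"""
import re
from typing import Optional

ACCEPTABLE_POLICIES = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}.

    Tags are ';'-separated tag=value pairs; surrounding whitespace is ignored
    and tag names are case-insensitive (RFC 7489 section 6.4)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on SPF's 'all' mechanism: '-' (fail), '~' (softfail),
    '?' (neutral) or '+' (pass). None if the record is not SPF or has no 'all'."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"   # a bare 'all' means '+all'
    return None


def assess_domain(domain: str, spf: Optional[str], dmarc: Optional[str],
                  sends_mail: bool = True) -> dict:
    """Return {'domain', 'pass', 'findings'}; 'pass' means nothing an insurer would flag.
    sends_mail=False is for parked/brand domains, which should reject everything."""
    findings = []

    tags = parse_dmarc(dmarc) if dmarc else {}
    has_dmarc = tags.get("v", "").upper() == "DMARC1"
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p (RFC 7489)
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0

    if not has_dmarc:
        findings.append("no DMARC record")
    else:
        if policy not in ACCEPTABLE_POLICIES:
            findings.append(f"DMARC p={policy or 'missing'}; need quarantine or reject")
        if sub_policy not in ACCEPTABLE_POLICIES:
            findings.append(f"DMARC sp={sub_policy or 'missing'} leaves subdomains spoofable")
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("no rua= address, so you get no aggregate reports of spoofing")
        if not sends_mail and policy != "reject":
            findings.append("non-sending domain should be p=reject")

    qualifier = spf_all_qualifier(spf) if spf else None
    if qualifier is None:
        findings.append("no SPF record, or SPF without an 'all' mechanism")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF ends in {qualifier}all: does not constrain senders")
    elif not sends_mail and qualifier != "-":
        findings.append("non-sending domain SPF should be exactly 'v=spf1 -all'")

    return {"domain": domain, "pass": not findings, "findings": findings}


# Constructed sample records for three domains one SME might own (not real lookups).
SAMPLE_DOMAINS = [
    ("example.co.nz", "v=spf1 include:spf.protection.outlook.com -all",
     "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.nz", True),
    ("example-old.co.nz", "v=spf1 include:spf.protection.outlook.com ~all",
     "v=DMARC1; p=none; rua=mailto:dmarc@example.co.nz", True),      # monitor-only
    ("examplebrand.nz", "v=spf1 -all",
     "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.nz", False),    # parked domain
]


def evidence_report(domains=SAMPLE_DOMAINS) -> list:
    """Assess each (domain, spf, dmarc, sends_mail) tuple in turn."""
    return [assess_domain(*entry) for entry in domains]


if __name__ == "__main__":
    for result in evidence_report():
        print(("PASS " if result["pass"] else "FAIL ") + result["domain"])
        for finding in result["findings"]:
            print("     - " + finding)
```

Run it as-is and the monitor-only domain fails on both p=none and the implied sp=none; the two others pass. Swap in your own records and keep the output with the dig results as the evidence attachment.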
6. Security Awareness Training
What they ask: Is there ongoing phishing simulation and user training? When was the last simulation?
What they want to see: Regular (at least quarterly) phishing simulations with measurable click-rate trends, plus short refresher training. Once-a-year tick-box training doesn't cut it.
7. Incident Response Plan
What they ask: Do you have a written incident response plan? Has it been tested?
What they want to see: A documented plan with named roles, contact lists, communication templates, and at least one tabletop exercise per year. Insurers often require notification within a fixed window (24-72 hours) — your plan needs to make that achievable.
8. Privileged Access Controls
What they ask: How many global admins do you have? Are admin accounts separate from daily-use accounts? Are they MFA-protected with phishing-resistant methods?
What they want to see: Two to three Microsoft 365 global admins (Microsoft's own guidance is fewer than five), all with separate non-email admin accounts, all with hardware-key, passkey or otherwise phishing-resistant MFA. No shared admin accounts. No "we just use the owner's account for admin."
What's Newly On The List for 2026
Three areas that weren't standard a year ago but are now in most NZ insurer questionnaires:
- Vendor risk management — do you assess the security of your IT supplier(s), your accounting software vendor, your cloud providers?
- Email banking-detail change controls — when a "supplier" emails to say their bank account has changed, what's the process? (This is the #1 NZ funds-transfer fraud vector.)
- AI usage policy — what's your policy on staff use of ChatGPT, Claude, and other AI tools with company data?
What a "Pass" Looks Like in Practice
For a typical 20-person NZ SME, the controls that make insurance straightforward to renew at competitive terms cost $50-$80 per user per month in security tooling and management — covering EDR, backup, patching, training, monitoring, and the documentation evidence pack. For most businesses, the difference between this spend and the premium reduction (plus the lower excess and broader coverage) is at worst break-even, and often a net saving.
Common Failure Patterns
The five most common reasons NZ SMEs get loaded premiums or declined coverage:
- MFA missing on admin accounts. "We have it for everyone else" doesn't help — admin compromise is the highest-impact event.
- No independent backup. Relying on the recycle bin in SharePoint.
- No phishing simulation history. Insurers want to see trended click rates, not training certificates.
- No documented incident response plan. "We'd just call our IT guy" isn't a plan.
- Bank-detail change process is informal. The single biggest NZ fraud vector; the control insurers look for is a callback to a phone number you already hold for the supplier, never one quoted in the email that asked for the change.
What to Do Now
If your renewal is more than 90 days away, you have time. Pull a copy of last year's questionnaire from your broker, walk through each control honestly, and start closing the gaps that affect the biggest risk categories first (MFA, backups, EDR, training). Document what you've done — insurers want evidence, not assertions.
If your renewal is sooner, focus on the controls that are easiest to put in place and most visible to insurers: MFA enforcement, EDR deployment, third-party backup, and a written incident response plan. Even partial improvement helps.
At Tryzee, we run cyber insurance readiness reviews for NZ SMEs — going through the questionnaire alongside you, identifying gaps, and providing the evidence pack your broker needs. If your renewal is on the horizon and you'd like a no-obligation conversation, get in touch.