CYBER LIABILITY INSURANCE

Cyber Liability Insurance protects you against liabilities arising from data protection laws, management of personal data and the consequences of losing information. For individuals this includes credit card numbers, medical records, birth dates, passport numbers and other private personal information which can be stolen and used inappropriately. Equally the loss of corporate information such as intellectual property and proprietary information could severely disadvantage a business.

BUSINESS INTERRUPTION

includes net profit or loss and extra expenses as a result of a network attack on an insured’s network

THIRD PARTY LIABILITY

related to privacy, personal information; corporate information; Media and Social Media (including defamation, intellectual property rights and plagiarism)

HACKER THEFT COVER

fraudulent or erroneously paid funds

COSTS TO RESTORE

research, replace, restore or recollect software and any electronic data due to a network attack

BREACH CONSULTATION SERVICES

legal, forensic and public relations assistance

BREACH RESPONSES SERVICES

Notification Services, Call Centre Services, Credit Monitoring Services and Identity Theft Resolution services

NETWORK EXTORTION COVERAGE

costs to avoid, defend or preclude extortion as a result of a network security failure

DATA FORENSIC EXPENSES

costs incurred to investigate, examine and analyze a computer network

Client Advisory: Cyber Liability Insurance and Exposure to Digital Risks (2024 Update)

Why Cyber Liability Insurance Is Essential

Cyber threats are now a daily reality for New Zealand organisations of all sizes and sectors. Ransomware, data breaches, and business email compromise can cause severe financial, operational, and reputational harm. The Delta Insurance white paper highlights that demand for cyber insurance is at an all-time high, but so are the requirements for robust risk management. Cyber Liability Insurance is a critical part of a modern risk strategy, providing financial protection and expert support when a cyber event occurs.

The Evolving Cyber Threat Landscape in New Zealand

Attacks are increasing in frequency and severity. High-profile incidents (NZ Stock Exchange, Waikato DHB, Mercury IT) and countless smaller attacks on SMEs show that no organisation is immune.
Human error remains the biggest vulnerability. Up to 82% of breaches involve a human element—staff training and awareness are essential.
Ransomware and data exfiltration are common. Attackers often steal sensitive data before demanding ransom, compounding the impact.
Supply chain risk is real. Attacks on IT providers can cascade to many clients.
The cost of cybercrime is rising. The average cost of a breach for a NZ business is estimated at$159,000, with global averages much higher.

What Does Cyber Liability Insurance Cover?

A comprehensive cyber policy typically includes:

Incident Response: Immediate access to IT forensics, legal, and PR experts to contain and manage a breach.
Data Breach Costs: Notification, credit monitoring, and regulatory compliance costs.
Ransomware and Cyber Extortion: Ransom payments (where legal), negotiation, and system restoration.
Business Interruption: Loss of income and extra expenses due to system outages.
Third-Party Liability: Claims from customers, partners, or regulators for data loss or privacy breaches.
Digital Asset Restoration: Costs to restore or replace lost/corrupted data and software.
Crisis Management: PR and reputation management support.
Social Engineering Fraud: (Optional) Cover for losses from scams where staff are tricked into transferring funds.

What Insurers Now Expect: Risk Management as a Precondition

Due to the rising cost and frequency of claims, insurers are now highly selective. To secure cover, organisations must demonstrate a strong cyber risk posture, including:

Multi-factor authentication for remote and privileged access
Endpoint Detection and Response (EDR)
Secured, encrypted, and tested backups
Privileged Access Management (PAM)
Email filtering and web security
Patch and vulnerability management
Incident response planning and testing
Cybersecurity awareness training and phishing testing
Hardening of remote access (e.g., RDP mitigation)
Logging, monitoring, and network protections
Replacement or protection of end-of-life systems
Vendor/supply chain risk management

Insurer questionnaires are now detailed and technical. IT teams must be prepared to answer them and may need to remediate weaknesses before cover is offered.

Market Trends: Supply, Demand, and Premiums

Demand for cyber insurance is surging as awareness of risk grows.
Supply is tightening. Some insurers are withdrawing or reducing cover, especially for high-risk sectors or large organisations.
Premiums are rising (up to 74% in 2021), and coverage terms are more restrictive.
State-sponsored attacks are often excluded (e.g., Lloyd’s of London now requires exclusion of catastrophic nation-backed hacks).

Benefits Beyond Insurance

The process of applying for cyber insurance is itself a risk management exercise. Even if you don’t purchase a policy, the assessment can highlight weaknesses and drive improvements.
Having cyber insurance is a “badge of quality.” It signals to clients, partners, and regulators that your organisation meets a high standard of cyber hygiene.

Special Considerations for Incorporated Societies and Charities

Member and donor data: Ensure all personal data is covered.
Volunteer access: Confirm volunteers are included in the definition of “insured.”
Multiple locations and remote work: Ensure all sites and users are covered.

Practical Steps for Organisations and Leaders

Review your current cyber security controls against insurer expectations.
Engage IT and cyber security specialists to address any gaps.
Prepare for detailed insurer questionnaires—start early, as the process can be time-consuming.
Develop and test an incident response plan.
Train all staff in cyber awareness and phishing prevention.
Maintain up-to-date records of systems, data, and security measures.
Notify your insurer promptly of any incident or suspected breach.
Seek professional advice to ensure your cover matches your risk profile and operations.

Summary

Cyber Liability Insurance is now a vital part of any organisation’s risk management toolkit. However, securing and maintaining cover requires a proactive, well-documented approach to cyber security. The insurance market is rewarding those who invest in robust controls and risk management—and is increasingly excluding those who do not.

If you have any questions about your Cyber Liability insurance, want to review your current policy, or need help preparing for the application process, please contact us. We are here to help you navigate these complex issues and ensure you have the right protection in place.

Cyber-Incident Checklist for a Community Pharmacy

Scenario: IT systems locked by hackers; possible compromise of patients’ medical data

Phase

Critical Actions (in order)

1 – First 30 Minutes (Detect & Escalate)

1. Identify incident scope (systems unreachable, ransom note, strange logs). 2. Pull the hard-copy “Cyber/BCP Playbook”; activate the Incident Response (IR) Team (owner / pharmacist-in-charge, IT lead, privacy officer, cyber insurer hotline, external IR vendor). 3. Switch to manual dispensing SOP to ensure patient care continues (paper scripts, EFTPOS fallback, locked cash drawer).

2 – First 2 Hours (Contain & Preserve)

4. Isolate affected devices/networks (unplug network cables, disable Wi-Fi) but do not power off—preserves evidence. 5. Stop all remote connections (VPN, RDP, remote POS). 6. Photograph / capture ransom screens or error messages for evidence. 7. Record timeline, who did what, and which hosts are affected.

3 – First 4 Hours (Notify Core Partners)

8. Call the cyber-insurance emergency number; log claim reference; follow insurer instructions (they often deploy forensic, legal & PR experts). 9. Engage external cyber forensics (via insurer panel or pre-contracted MSSP). 10. Alert in-house / retained privacy counsel for legal privilege and breach-notification guidance. 11. Inform key staff & owners; remind them not to discuss incident publicly or on social media.

4 – Same Day (Regulatory & Law Enforcement)

12. Complete initial impact assessment with forensics: confirm that health information is likely accessed. 13. Notify the Office of the Privacy Commissioner (OPC) of a Notifiable Privacy Breach (required “as soon as practicable” & within 72 hrs). 14. Advise Ministry of Health / District Health Board liaison (Health Information Privacy Code). 15. File report with CERT NZ and, if ransom or extortion, NZ Police High-Tech Crime Group.

5 – Within 24 Hours (Stabilise & Communicate)

16. Activate pre-approved patient & supplier communications templates (reviewed by privacy counsel & PR). 17. Direct patients to phone-in refills; reassure them scripts will be honoured manually. 18. Set up dedicated email/phone hotline for queries; prepare FAQ. 19. Freeze any automatic scripts that might email or text patients from compromised systems.

6 – 48 Hours (Assess & Remediate)

20. Forensics identifies root cause (e.g., unpatched Citrix, stolen credentials). 21. Decide—with insurer & law enforcement—whether to pay ransom; document rationale. 22. Begin eradication: wipe/rebuild servers, reset all passwords, revoke keys, patch vulnerabilities. 23. Verify secure, offline backups before restoration; conduct staged recovery into clean environment.

7 – Within 72 Hours (Patient & Third-Party Notification)

24. Send OPC-compliant breach notices to affected patients: nature of data, dates, mitigation steps, support offered. 25. Offer identity-monitoring or credit-protection services if DOB/NHI numbers exposed. 26. Notify GPs, aged-care partners, wholesalers, and payment providers of potential disruption.

8 – First Week (Business Continuity & Monitoring)

27. Restore pharmacy management/POS in a segmented network; test dispensing accuracy. 28. Resume electronic claims (Pharmhouse / Health NZ) only after clearance by IT & forensics. 29. Implement heightened monitoring (IDS/EDR alerts, log reviews) for reinfection.

9 – Post-Incident (Review & Improve)

30. Hold a formal “lessons-learned” meeting; update the Incident Response Plan and manual-dispensing SOP. 31. Audit security controls: MFA everywhere, zero-trust network, regular vulnerability scans, immutable backups. 32. Conduct staff re-training on phishing and password hygiene. 33. Provide final incident report to insurer, regulators, and board; close claim.

Quick Reference Contacts (populate in advance)

Cyber-Insurance Hotline: _________________________
External IR / MSSP: ______________________________
Privacy Counsel: _________________________________
OPC Breach Line: 0800 803 909
CERT NZ Hotline: 0800 CERT NZ (237 869)
NZ Police (High-Tech Crime): ______________________

Cyber-Incident Checklist for Retail or Trade Businesses

Scenario: IT systems are locked by hackers; possible customer data (e.g., contact details, purchase history, payment info) has been accessed.

Phase

Critical Actions (in order)

1 – Immediate Response (First 30 Minutes)

1. Confirm the incident: Identify which systems are affected (POS, inventory, email, etc.) and whether a ransom note or suspicious activity is present.2. Activate your Incident Response Plan and assemble your response team (owner/manager, IT lead, privacy officer, cyber insurer contact).3. Switch to manual sales and inventory processes if possible (paper receipts, manual stock tracking, cash/EFTPOS fallback).

2 – Containment (First 2 Hours)

4. Isolate affected computers and networks (disconnect from internet/Wi-Fi, unplug network cables) but do not power off devices to preserve evidence.5. Disable remote access (VPN, RDP, remote desktop tools).6. Take photos/screenshots of ransom messages or error screens for evidence.7. Start a log of all actions taken, including times and people involved.

3 – Notification (First 4 Hours)

8. Contact your cyber insurance provider immediately; follow their instructions (they may deploy IT forensics, legal, and PR experts).9. Engage your IT support or a specialist cyber forensics firm (often via your insurer).10. Notify your legal/privacy advisor for guidance on breach notification and compliance.11. Inform key staff and management; instruct them not to discuss the incident publicly or on social media.

4 – Regulatory & Law Enforcement (Same Day)

12. Work with IT/forensics to assess if customer data was accessed or exfiltrated.13. If personal data is likely compromised, notify the Office of the Privacy Commissioner (OPC) as soon as practicable (required by law).14. Report the incident to CERT NZ and, if extortion is involved, to the NZ Police.

5 – Customer & Stakeholder Communication (Within 24 Hours)

15. Prepare customer notifications (with legal/PR review): explain the breach, what data may be affected, and what steps are being taken.16. Set up a dedicated phone line or email for customer queries.17. Pause any automated customer communications from compromised systems.18. Notify suppliers, payment processors, and business partners of potential disruption.

6 – Recovery & Remediation (Within 48 Hours)

19. Forensics to determine the cause (e.g., phishing, unpatched software).20. Decide—with insurer and law enforcement—whether to pay ransom (if applicable); document the decision.21. Begin system clean-up: wipe/rebuild affected devices, reset all passwords, patch vulnerabilities.22. Restore from secure, verified backups; test systems before going live.

7 – Ongoing Notification (Within 72 Hours)

23. Send formal breach notifications to affected customers as required by law.24. Offer support such as credit monitoring if sensitive data (e.g., payment info) was exposed.25. Update business partners and stakeholders on recovery progress.

8 – Business Continuity & Monitoring (First Week)

26. Resume normal operations only after IT/forensics confirm systems are secure.27. Monitor systems for signs of reinfection or further suspicious activity.28. Review and update manual processes used during the outage.

9 – Post-Incident Review & Improvement

29. Hold a debrief with your team and external advisors; document lessons learned.30. Update your Incident Response Plan and staff training based on what happened.31. Strengthen security controls: enable multi-factor authentication, regular backups, staff cyber awareness training, and vulnerability scanning.32. Provide a final incident report to your insurer, regulators, and management.

Quick Reference Contacts (fill in before an incident)

Cyber Insurance Hotline: _________________________
IT Support / Cyber Forensics: _____________________
Privacy/Legal Advisor: ___________________________
OPC Breach Line: 0800 803 909
CERT NZ: 0800 CERT NZ (237 869)
NZ Police (Cyber Crime): _________________________

Tip: Print and keep this checklist with your business continuity plan, and rehearse it with your team at least once a year.

GET IN TOUCH

7 Turvey Street, Pegasus, New Zealand

offfice@campbellinsurance.co.nz

021521651