Rising tide of cyber risk

2025 October 06

Cyber risk is no longer a distant or theoretical threat – it is a daily reality for New Zealand businesses of all sizes.

Kordia’s 2025 Cyber Security Report stated that a staggering 56% of New Zealand businesses surveyed had reported experiencing a cyber incident, which underscores how prevalent and persistent these threats have become. Nearly half of these attacks targeted small and medium-sized enterprises (“SMEs”), with the average cost of a cyber breach now estimated to be $173,000.

For SMEs, the stakes are particularly high, as a single cyber event can disrupt operations, erode customer trust, and result in significant financial losses. As business continues to evolve alongside the digital world, with more business being conducted online coupled with increased use of IT and AI tools, the opportunities for cybercriminals continue to grow. In this environment, understanding your cyber risk and how to manage it has never been more important.

The evolving cyber threat landscape

The threat landscape, both in New Zealand and globally, continues to evolve as cybercriminals deploy increasingly sophisticated tools and techniques. With the greater prevalence and advancement of AI (such as ChatGPT), social engineering cyber-attacks that involve impersonating a customer, supplier, or even an employee are becoming increasingly deceptive. Consequently, cyber-crime and social engineering losses are the most common a New Zealand business will face, with the average cost of these losses being between $40,000 and $70,000.

Supply chain disruptions have also become a significant and growing threat for New Zealand businesses, regardless of size or sector, with Kordia reporting that over 25% of New Zealand businesses have suffered from disruptions due to vulnerabilities in their third-party suppliers. This means that a quarter of all reported incidents were not direct attacks, but rather breaches or downtime that originated from partners or vendors with inadequate security controls.

Claims examples

Whilst we typically only hear about the big cyber breaches in the media, the reality is that hackers and cyber criminals are becoming more creative and increasingly targeting smaller businesses, as they typically have less sophisticated cyber security measures and training. Below are some examples we have been aware of in the past year alone:

Phishing/social engineering

An employee of a South Island panel beater received an email from an existing supplier with new bank account details. They did not confirm the updated details over the phone, so were unaware that a cyber-criminal had accessed their supplier’s email and sent them an invoice with the criminal’s own bank account details. The panel beater paid an invoice of $24,000, which was not recoverable by the bank.

Ransomware attack

A manufacturing SME was hit with ransomware which locked them out of their systems and halted their production. The attackers demanded a six-figure ransom for the manufacturer to regain access to their systems, data, and ultimately to resume production. A cyber policy would cover the manufacturer’s costs to either regain access themselves or negotiate with the cybercriminals and pay the ransom (if applicable), as well as any loss of revenue from disruption to production and/or increased cost of working, plus expenses to restore data and systems.

Data breach and notification

A retailer’s customer database was compromised, exposing thousands of customer records. The Privacy Commissioner was notified, and the company was required to inform the affected customers and offer credit monitoring. Their cyber policy covered the notification costs, credit monitoring, associated legal costs, and regulatory fines.

Supply chain disruption

A law firm’s IT provider suffered a cyber-attack, causing their systems to go offline for several days. The firm’s cyber insurance policy covered lost billings and extra expenses under the contingent business interruption extension.

Practical cyber security measures

Whilst a business’s greatest cybersecurity vulnerability is, and will very likely remain, human error, there are a number of measures your business can implement to mitigate the risk of becoming a target:

  • Multi-factor authentication (MFA): By requiring users to verify their identity through multiple methods, MFA helps protect sensitive business data and reduces the risk of data breaches, even in the event that a password is compromised.
  • Staff training: Regularly educating employees about phishing, password hygiene, social engineering, and safe online practices.
  • Incident response plan: Develop and regularly test a plan so that everyone knows what to do if a cyber incident occurs.
  • Keeping software updated: Regularly updating operating systems, applications, and security tools ensures known vulnerabilities are patched, reducing the risk of exploitation by cybercriminals. It’s a simple but critical defence against malware and ransomware.
  • Maintain secure backups offline: Regularly backing up critical data to a server disconnected from the rest of your business is vital for SMEs as it ensures that data can be quickly restored after a cyberattack, hardware failure, or accidental deletion. Reliable backups minimise downtime, protect against data loss, and are a fundamental safeguard for business resilience and regulatory compliance.
  • Purchase cyber insurance: This is designed to help businesses recover from the financial and operational fallout of a cyber event, and is the ultimate backstop for when (not if) savvy cybercriminals manage to break through all your other defences. Implementing the above steps within your business would also help you obtain more favourable cyber insurance pricing, terms, and conditions. Read our separate article for more details on specific coverage aspects here.

Conclusion

Cyber risk is now a core business risk for all New Zealand organisations, from one-person bands to multinational organisations. With more than half of local businesses reporting cyber incidents in the previous year, it is clear that robust cyber resilience, including adequate insurance, is essential.

Questions?

The team at ICIB Brokerweb has deep expertise and strong relationships within the cyber insurance market and will be happy to assist businesses in ensuring that they are properly covered for any costs that may arise from a cyber-attack or incident.

If you have any questions, please reach out to our Liability specialists on liability@icib.co.nz.