Let's make sure you qualify and that your policy pays out when you need it.
NZ insurers are asking tougher questions, declining more applicants, and paying out less when the controls weren’t in place. NSP’s cyber insurance assessment shows you exactly where your gaps are, what your insurer is looking for, and how to close the gaps before they become your problem.
What does getting cyber insurance involve?
Cyber insurance proposal forms are more detailed than most businesses expect. They ask specific questions about MFA, patching, backups, incident response plans, and security training and wrong answers can void your policy at claim time, even if an incident wasn’t related to those controls.
NSP helps you understand what each question is actually asking, verify that your controls are in place before you answer, and prepare documentation that supports what you claim. We don’t replace your broker – we give them the technical foundation to submit a strong application.
-
Application Support: Get Your Application Right First Time
-
Cyber Insurance Readiness Assessment: Know Where You Stand Before Insurers Do
-
Strategic Cybersecurity Roadmap: A Plan That Fixes the Right Things First
-
Enhanced Risk Controls: Implement What Insurers Check For
-
Robust Documentation: Build the Evidence Trail That Protects You at Claim Time
-
Periodic Cyber Risk Assessments: Stay Covered Beyond Your First Application
How NSP Helps You Get and Stay Covered
Step 1: Readiness Assessment
We assess your current security controls against the specific requirements NZ underwriters are checking for right now – not a generic framework review. You see exactly where you meet requirements, where the gaps are, and what needs to change before you apply or renew.
Step 2: Gap Remediation
If the assessment uncovers gaps, we build a prioritised roadmap and help you close them. Every item maps to a specific insurer requirement – MFA, patching, backups, incident response, access controls – so every improvement you make strengthens both your security and your coverage position.
Step 3: Application Support
We help you understand what each question on the proposal form is asking, verify your controls are in place before you answer, and prepare the documentation that supports what you claim. We work alongside your broker – we provide the technical foundation, they manage the insurer relationship.
Step 4: Renewal Readiness
Qualifying once is not enough. Insurers review controls at renewal and some require ongoing evidence of active security management throughout the policy period. NSP keeps your posture current, your documentation up to date, and your renewal conversations straightforward.
What NZ Insurers Are Checking
Multi-Factor Authentication
MFA on email, VPN, remote access tools, admin accounts, and backup systems. This is the control insurers check first. If it is not deployed across all critical accounts, most NZ underwriters will either decline or significantly restrict coverage.
Patching on a Documented Schedule
Insurers want evidence that you apply security patches on a defined schedule – not just when you remember. A documented patching policy with audit logs showing compliance is the standard they look for.
Tested Backups with Offline Copies
Backups that have never been tested are not backups. Insurers require evidence of regular backup testing and offline or immutable copies that cannot be encrypted by ransomware even if your live environment is compromised.
Endpoint and Email Security
Endpoint detection and response (EDR) and email security controls including anti-spoofing and filtering. These are the two most common attack vectors in NZ – underwriters treat their absence as a material gap.
Incident Response Plan (Tested)
A documented incident response plan that has been tested – ideally via a tabletop exercise – within the last 12 months. “We would figure it out” is not an acceptable answer on a proposal form.
Staff Security Training Records
Evidence of regular phishing simulation and security awareness training for staff. Insurers want to see that your people – your biggest vulnerability – are actively trained, not just told to be careful.
Where Applications Go Wrong
Most NZ businesses that have a cyber insurance problem do not find out until they try to make a claim. By then, it is too late.
The most common mistakes NSP sees:
- Answering yes to MFA questions when MFA is only deployed on some accounts, not all critical systems. Insurers interpret partial deployment as non-compliance.
- Claiming a tested incident response plan exists when the document has never been reviewed, let alone exercised.
- Describing backups as “offline” when they are cloud-connected and accessible from the same network. Ransomware operators specifically target connected backups.
- Answering patching questions based on intent rather than evidence. Insurers want logs, not assurances.
- Not reading the policy exclusions. Some NZ policies exclude incidents caused by unpatched known vulnerabilities, regardless of how the claim is otherwise presented.
NSP’s application support is specifically designed to prevent each of these.
Staying Covered - What Changes at Renewal
Insurer Requirements Change
What satisfied your insurer 12 months ago may not be sufficient at renewal. NZ underwriters are tightening requirements annually. NSP tracks what insurers are currently asking for so your posture keeps pace.
Your Environment Changes
New staff, new systems, new cloud services, staff who have left. Each change can introduce gaps that did not exist when you last applied. A pre-renewal assessment catches them before your insurer does.
Documentation Needs to Stay Current
Patch logs, backup test records, MFA deployment evidence, training records – insurers expect this documentation to be current, not historical. NSP helps you maintain it throughout the policy period, not just at renewal time.
Claims Start with Documentation
When something goes wrong, your insurer will ask for evidence that your controls were in place at the time of the incident. If your documentation is six months out of date, that conversation becomes significantly harder.
NSP and Your Broker - How It Works
Insurance brokers manage the relationship with the insurer. NSP manages the technical side. The two roles are complementary and when they work together, applications are stronger.
What your broker does: selects the right policy for your risk profile, negotiates terms and pricing, manages the insurer relationship, and advises on coverage.
What NSP does: assesses your actual security controls against what underwriters are checking for, helps you close the gaps before you answer the proposal form, prepares the technical documentation that supports your application answers, and keeps your posture current at renewal.
Your broker submits a stronger application, you have fewer gaps your insurer has better evidence and everyone is in a better position.
NSP works with a number of NZ insurance brokers directly.
Optimise your cyber insurance investment
Your Question Answered
1. WHAT IS A CYBER INSURANCE ASSESSMENT?
A cyber insurance assessment reviews your business’s security controls against what NZ insurers require before they’ll underwrite or renew a policy. NSP’s assessment identifies gaps that could affect your eligibility for coverage or your ability to make a successful claim and produces the documentation that supports your application.
2. WHAT DO NZ CYBER INSURERS LOOK FOR?
NZ insurers consistently check for multi-factor authentication on critical systems, a documented patching schedule with evidence of compliance, tested backups with offline or immutable copies, endpoint and email security controls, VPN with MFA for remote access, staff phishing training records, and an incident response plan that has been tested. Requirements vary between insurers but these controls appear across most NZ proposal forms.
3. WHY DO CYBER INSURANCE CLAIMS GET DENIED?
Most denials come down to controls that were stated in the application not actually being in place when the incident occurred or policies not being actively maintained throughout the coverage period. Insurers have voided policies where application answers about MFA or patching were inaccurate, even when the breach wasn’t directly related to those controls. NSP’s assessment and documentation service is specifically designed to prevent this scenario.
4. DO I NEED A CYBER INSURANCE ASSESSMENT BEFORE APPLYING?
Not always but it significantly improves your chances of being accepted and reduces the risk of a claim being denied later. An assessment verifies your controls are actually in place and produces documentation that supports your application answers. Without it, you’re relying on your own judgement about controls that insurers will scrutinise carefully.
5. CAN NSP HELP WITH THE ACTUAL INSURANCE APPLICATION?
Yes. NSP provides application support – helping you understand what each question is actually asking, prepare accurate and defensible answers, and avoid the mistakes that lead to declined applications or voided policies. We work alongside your broker to give them the technical foundation they need to present a strong submission to underwriters.
6. HOW IS A CYBER INSURANCE ASSESSMENT DIFFERENT FROM A STANDARD SECURITY ASSESSMENT?
A standard cyber security assessment looks at your overall risk exposure across all areas. A cyber insurance assessment is specifically scoped to what NZ underwriters are currently checking for – it maps your controls to insurer requirements, identifies what affects your insurability, and produces documentation in a format that supports your application and any future claim.
7. WHAT MAKES NSP'S CYBER INSURANCE ASSESSMENTS DIFFERENT IN NEW ZEALAND?
NSP is a cybersecurity provider, not a broker or insurer. We work alongside your broker to provide the technical verification they can’t do themselves – confirming your controls are actually in place, documenting the evidence, and fixing the gaps before they affect your coverage. Our NZ-based team has direct knowledge of what local underwriters are asking for, and we can refer you to our vCISO service if your assessment reveals broader security leadership gaps.
8. How long does it take to get cyber insurance in NZ?
The application itself can be submitted in a day, but the preparation time depends on where your controls currently sit. If your MFA, backups, patching, and documentation are already in order, the process is straightforward. If there are gaps to close first, the realistic timeline is four to eight weeks. NSP’s readiness assessment at the start of the process gives you a clear picture of what is needed and how long it will take.
9. What happens if I answer a cyber insurance question incorrectly?
Incorrect answers on a cyber insurance application can void your policy at claim time, even if the incident was not directly related to the inaccurate answer. NZ insurers have declined claims where MFA or patching questions were answered based on partial deployment or intent rather than actual implementation. NSP’s application support is specifically designed to prevent this – we verify your controls before you answer.
10. Do I need cyber insurance if I already have business interruption insurance?
Business interruption insurance covers loss of income when your business cannot operate. Cyber insurance covers the costs specific to a cyber incident – forensic investigation, regulatory notification, legal liability, ransomware response, data recovery, and reputational damage management. Standard business interruption policies typically exclude cyber incidents unless a specific cyber extension has been added. The two types of coverage serve different purposes and most NZ businesses that face meaningful cyber risk need both.
11. How often should I review my cyber insurance coverage?
At a minimum, at renewal but ideally every six months or whenever there is a significant change to your environment. New systems, new staff, a cloud migration, or a change in how you handle personal data can all affect your coverage position. NSP’s periodic assessment service is designed to keep your posture current between renewals so there are no surprises when your insurer asks questions.
12. Is cyber insurance worth it for a small business in NZ?
Yes and smaller businesses are often more exposed than they realise. The average cost of a data breach for a NZ SME includes incident response, regulatory notification under the Privacy Act 2020, downtime, and reputational damage. Cyber insurance does not prevent incidents, but it significantly reduces the financial impact when one occurs. NSP can help you assess whether your current risk profile justifies the investment and what coverage level makes sense for your business.
13. Can my insurance broker do what NSP does?
No – the roles are different. Your broker manages the insurer relationship, selects the right policy, negotiates terms, and advises on coverage. NSP provides the technical layer: assessing whether your controls actually meet insurer requirements, helping you close gaps before you apply, and preparing the documentation that supports your answers. Brokers who refer clients to NSP for pre-application assessments submit stronger applications and have fewer claim complications. NSP and your broker work together – they do not compete.
View more
Learn More About NSP's Cybersecurity Solutions
Penetration Testing
Prove your defences hold up
Many NZ insurers ask about regular security testing. An NSP pen test gives you a documented, professional result you can reference directly in your insurance application.
Email Security Service
Lock down your most-targeted entry point
Email filtering, anti-spoofing, and threat detection - the controls NZ insurers check for under email security, implemented and documented by NSP.
vCISO
Ongoing security leadership
If your assessment reveals structural gaps in your security programme, a vCISO provides the ongoing leadership to close them and keeps your posture current for every renewal.
Incident Response
Be ready before something goes wrong
Insurers want to see a tested incident response plan. NSP helps you build, document, and test yours and if an incident does occur, we're the team you call first.
Cyber Security Assessments
If the insurance assessment uncovers broader security gaps, a full cyber security assessment gives you the complete picture - across maturity, technical risk, cloud, identity, and SOC readiness.
Managed Detection & Response
24/7 monitoring is one of the controls NZ insurers increasingly require. NSP's MDR service provides continuous threat detection and response and produces the monitoring evidence your insurer needs.
Top Headlines With The Latest News
Stay up to date with our latest resources on cybersecurity.
Cloud
What Is Microsoft Entra ID: Why Does It Matter for NZ Businesses | NSP
What Is Microsoft Entra ID and Why Does Every NZ Business Using Microsoft 365 Need to Understand It? If your business runs on Microsoft 365, you're already using Microsoft Entra ID. You may not know it by that name. You may not know it's running at all. But every time one of your staff logs into Outlook, opens a Teams meeting, or accesses a SharePoint file, Entra ID is the system deciding whether to let them in.
June 22, 2026
Cloud
Cloud Drift Management: Why Security Doesn't Stay Fixed in the Cloud
Your Cloud Was Secure Six Months Ago. Is It Still?
June 22, 2026
Culture
NSP Turns 24 | 24 Years of Secure Futures for NZ Businesses
NSP Turns 24: More Than Two Decades of Building Secure Futures for New Zealand
June 14, 2026
Managed Detection & Response (MDR)
SOC vs MDR vs In-House Security: What New Zealand SMBs Need in 2026
SOC vs MDR vs In-House Security: What New Zealand SMBs Need in 2026
June 8, 2026
Cyber Insurance
Avoid Cyber Insurance Claim Denials in NZ in 2026
Avoid Cyber Insurance Claim Denials in New Zealand: What Your Policy Requires in 2026
June 1, 2026
Let’s stay in touch!
Enter your details below to stay up-to-date with the latest IT solutions and security measures.