New Zealand’s cyber risk story is no longer about the occasional headline‑grabbing hit on an airline or multinational. It is about thousands of small firms quietly fielding scam emails, malware and account‑takeover attempts every week.
A December report from the Bank of New Zealand (BNZ) underlined just how exposed the SME sector has become. Nearly two‑thirds (64%) of SMEs say scam activity targeting their business has increased over the past year, yet 45% do not treat cyber education as a key priority. Research from the National Cyber Security Centre (NCSC) and The Research Agency (TRA) showed that more than half of New Zealand’s SMEs encountered cyber threats in just a six‑month period.
So the real cyber crisis is not just the occasional big‑ticket breach; it is the volume of under‑prepared small businesses that still wrongly assume they are too small to target. But as Jono Soo, head of cyber specialty in New Zealand for Marsh, puts it: “For cyber criminals, small business is big business.”
For brokers, there is now cyber pressure coming from every direction. Rising incident numbers mean more notifications and calls to incident hotlines and, ultimately, more stress on loss ratios across cyber, crime and even PI. Underwriters are responding by tightening terms, lifting minimum control expectations and demanding deeper risk information at placement and renewal. In practice, that shifts the education and risk‑management burden on to brokers, who must draw out the true state of a client’s cyber posture and then help them lift their controls just to secure acceptable cover and pricing.
At the same time, reputational and advisory stakes are climbing. Even where regulation does not explicitly target brokers, there is a growing expectation that intermediaries will not let clients sleepwalk into foreseeable digital risks. When an SME suffers a serious incident and finds its cover is patchy or misunderstood, the first question is often: “Why didn’t my broker warn me?” That is a very real E&O and trust issue – and it lands squarely in brokers’ laps.
High‑profile ransomware attacks on airlines, healthcare groups or manufacturers can feel remote to a two‑partner firm in Tauranga or a small engineering shop in Dunedin. Yet the same interconnected supply chains that power modern commerce ensure that these SMEs – who are often a broker’s main source of business – can sit at the most vulnerable points.
A small vendor with remote access into a larger customer’s systems can be the door through which attackers walk. Equally, when a major client or platform is hit, the pain often flows downstream: small firms suddenly cannot access ordering portals, get invoices approved or communicate with customers.
“Cyber risk knows no boundaries, it moves freely in both directions, and SMEs sit right in the middle of that flow,” said Soo.
For New Zealand, this is not an abstract problem. The economy is built on small firms: 97% of all businesses employ 20 people or fewer, with micro‑businesses alone accounting for a significant share of employment and value add. When ransomware, a privacy breach or even a basic system failure hits an SME, there is rarely spare financial or operational capacity to absorb the shock.
This is where brokers can turn big‑breach headlines into hard local questions. What would two days without an invoicing system mean for cash flow? How would a client notify customers if email and phones went down overnight? Who would coordinate the response if a practice‑management or booking system locked up at 6pm on a Friday? Framing global incidents through those practical “what if” scenarios helps SME owners see that these stories do, in fact, belong to them.
Despite rising concern, there remains a yawning gap between cyber anxiety and cyber preparedness. One risk report found that while many organisations list cyber among their top fears, only a small minority feel confident in their ability to respond effectively to an incident. For local SMEs, cyber insurance take‑up remains low, with estimates suggesting only about one in five holds a dedicated cyber policy.
For brokers, that gap is both a duty‑of‑care issue and a commercial opportunity. The conversation cannot end at “do you have cyber cover?” It needs to evolve into a structured risk dialogue: mapping a client’s digital dependencies across cloud platforms, software providers, payment gateways and key trading partners; pressure‑testing simple but realistic scenarios such as a compromised email account, a locked‑up billing platform or a stolen laptop with unencrypted client data; and, crucially, clarifying what an existing commercial package does – and does not – cover in a cyber event.
That naturally leads to deeper discussions on limits and sub‑limits, incident response services, business interruption triggers and regulatory exposures, particularly where sensitive customer or patient information is involved. Brokers who can confidently walk clients through those late‑night “what if” moments – when owners fear that everything they have built could disappear – move from being price‑takers to long‑term risk partners.