Cyber Liability Insurance
Under the Privacy Act 2020, you must notify the Privacy Commissioner of serious data breaches. Cyber liability insurance covers the response costs, legal fees, and business interruption caused by a cyber attack.
Typical cost: $600 – $2000 per year
What It Covers
- Data breach notification costs
- Regulatory investigation costs (Privacy Commissioner)
- Cyber extortion / ransomware response
- Business interruption from network outage
- Third-party liability for data loss
- Crisis management and PR costs
- IT forensic investigation
What It Doesn't Cover
- Intentional acts
- Pre-existing vulnerabilities you knew about
- Failure to apply required security patches
- Bodily injury or property damage
Who Needs Cyber Liability Insurance?
- IT consultants and developers
- Accountants and bookkeepers (client financial data)
- Healthcare practitioners (sensitive health data)
- Any sole trader holding customer personal data
- E-commerce and online businesses
Cyber Risk for Sole Traders: Bigger Than You Think
Sole traders often assume they're too small to be targeted by cyber criminals. The reality is the opposite: small businesses are increasingly targeted precisely because they tend to have weaker security than large corporations but still hold valuable data — client financial records, health information, personal details, and payment card data.
A 2023 CERT NZ report noted that small businesses accounted for a significant proportion of reported cyber incidents, with ransomware, phishing, and business email compromise the most common attack types.
Privacy Act 2020: Your Legal Obligations
New Zealand's Privacy Act 2020 introduced mandatory breach notification requirements. If your business experiences a privacy breach that is likely to cause serious harm to any affected person, you must:
1. Notify the Privacy Commissioner as soon as practicable
2. Notify affected individuals where appropriate
Failure to notify can result in a fine of up to $10,000. But the greater cost is the response itself — forensic investigation to understand what was accessed, legal advice on your notification obligations, PR management to protect your reputation, and potentially credit monitoring for affected clients.
Common Cyber Incidents Affecting Sole Traders
Ransomware: Malicious software encrypts your files and demands payment for the decryption key. For a sole trader, losing access to client records, accounts, and work files can be catastrophic.
Business email compromise (BEC): A criminal impersonates you or intercepts your email to redirect client payments. Funds lost to BEC are often unrecoverable.
Phishing: A fraudulent email tricks you or a contractor into providing login credentials, giving attackers access to your systems.
Data theft: A hacker accesses your client database and exfiltrates personal or financial information. You are liable for this data under the Privacy Act.
Third-party breach: A software vendor you use suffers a breach, exposing data you held through their system. You still have notification obligations for your clients' data.
What Cyber Liability Insurance Pays For
A comprehensive cyber policy for a sole trader typically covers:
Breach response costs: Forensic IT experts to identify what was compromised, legal advisers to guide your Privacy Act obligations, and crisis communications support.
Ransomware response: Specialist negotiators and, where appropriate, ransom payment. Crucially, it also covers the expertise to avoid payment where possible and to restore systems from backups.
Business interruption: Lost income and additional costs while you recover from a cyber event that renders your systems unusable.
Third-party liability: If a client suffers loss because of a breach of their data you held, cyber liability covers the resulting civil claim.
Regulatory investigation: Privacy Commissioner investigation costs and defence of any enforcement action.
Cyber Security Basics That Reduce Your Risk (and Premium)
Insurers will ask about your cyber security practices. Better practices typically mean lower premiums and fewer claims:
- Multi-factor authentication (MFA) on email and cloud services
- Regular offsite or cloud backups
- Up-to-date software and security patches
- Staff training (even if it's just you) on phishing recognition
- A basic incident response plan
Indicative Annual Premiums
Premiums also depend on your industry (healthcare and financial services pay more) and your security posture.
Frequently Asked Questions
Do sole traders need cyber insurance?
If you hold any personal data about clients, customers, or employees, you have obligations under the Privacy Act 2020. A breach could trigger notification costs, regulatory investigation, and civil claims. Cyber insurance makes the response manageable. Even small sole traders with customer databases are at risk.
What is the Privacy Act 2020 and how does it affect me?
The Privacy Act 2020 governs how organisations — including sole traders — collect, use, store, and disclose personal information. It requires mandatory breach notification for serious breaches. Failure to comply can result in fines and reputational damage. Cyber liability insurance covers the costs of responding to a breach under the Act.
Does my general business insurance cover cyber risks?
Standard business insurance policies typically do not cover cyber incidents. Cyber liability requires a specific policy or a cyber extension to your existing coverage. Check your current policy wording carefully — there may be some limited cover, but a standalone cyber policy provides much more comprehensive protection.
What should I do immediately if I suspect a breach?
Isolate affected systems, contact your insurer immediately (most have 24/7 breach response hotlines), and do not pay any ransom without specialist advice. Your insurer will connect you with cyber forensics and legal experts who will guide the response.
Need Cyber Liability Insurance?
Get matched with a licensed NZ insurance adviser who will compare options from multiple insurers for your specific trade or profession.