Highly significant cyber incidents return after five years

Phishing and credential theft dominated quarterly reports


By Roxanne Libatique

New Zealand recorded its first C2 cyber incidents since the 2021/22 financial year in the first quarter of 2026 (Q1 2026), according to data released by the National Cyber Security Centre (NCSC) on June 22. The three highly significant incidents exposed sensitive data and affected thousands of New Zealanders, marking the return of the NCSC’s second-highest severity category after nearly five years without a case at that level. For insurers, the quarter’s data raises questions about cyber loss concentration, state-actor attribution, breach-response obligations, and whether policy wordings are keeping pace with a changing threat landscape.

The NCSC’s C2 category is reserved for incidents that expose key sensitive data or disrupt essential services at organisations of national significance. Sensitive data was accessed in all three incidents. Alongside the return of highly significant events, the quarter’s figures revealed a striking concentration of financial losses: 42 incidents generated $5.4 million, accounting for 97% of all reported direct cyber losses.

The numbers and what sits behind them

The NCSC recorded 1,164 incidents for the January-to-March period, marginally above the 1,131 in Q4 2025. Of those, 77 required specialist technical support – down 14% from 90 in Q4 2025 – while the remaining 1,087 were handled without specialist intervention, a figure 4% higher than the prior quarter. Reported direct financial losses reached $5.6 million against $3.2 million in Q4 2025, a 76% increase. The NCSC noted the total remains below the two-year average despite the quarterly rise.

The distribution of those losses is where the underwriting signal sits. The 42 incidents of $10,000 or more produced $5.4 million – 97% of all reported losses – while the remaining 231 incidents that recorded a financial figure generated the other 3% combined. Phishing and credential harvesting was the most frequently reported category at 437 incidents, while scams and fraud ranked second by volume and produced approximately $3.8 million in losses.

An asymmetry worth examining

Within the aggregate loss figure sits a split that the data does not explain but that insurance professionals should note. Individuals accounted for $5.2 million of the $5.6 million total, while organisations accounted for approximately $340,000; the individual figure is more than 15 times the organisational one. That asymmetry raises questions the NCSC data does not resolve. One possibility, that commercial organisations are demonstrating meaningfully better controls than individuals, is consistent with the NCSC’s finding that basic security failures drove the quarter’s most serious incidents, and would suggest the gap partly reflects a genuine difference in risk posture.

A separate possibility, which the aggregate figure cannot rule out, is that insured commercial losses are being absorbed at a level that does not reach the NCSC reporting threshold. Most directly relevant for underwriters, however, is whether the individual loss figure is being driven primarily by the scams and fraud categories, which produced approximately $3.8 million this quarter and which sit outside the scope of most commercial cyber policies. If so, the exposure the NCSC is recording and the exposure the insurance market is pricing may not be mapping onto each other as closely as the headline figures suggest. The gap is large enough, and consistent enough with the loss concentration finding, to warrant attention from underwriters assessing whether their commercial portfolio reflects the risk profile the quarterly data describes.

What the NCSC said organisations got wrong

NCSC chief operating officer Mike Jagusch pointed to gaps in foundational security practice as a recurring factor in the quarter’s more serious incidents. “Ensuring basic cyber security measures such as multi-factor authentication, managing who has full access to the network, and protection of the network edges were in place could have helped to defend against these incidents,” Jagusch said. He framed the issue in terms of legal and organisational obligation as much as operational practice. “Organisations have an obligation to protect their customers’ and their sensitive personal information by securing their networks with NCSC’s recommended, or similar, minimum-security standards,” he said.

Those findings are consistent with conclusions reached in a separate regulatory inquiry concluded in May 2026. The Office of the Privacy Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code following a December 2025 ransomware attack in which sensitive patient information was accessed, stolen, and offered for sale – and that the breach shared the same pattern of basic control failures the NCSC identified across Q1. The Privacy Commissioner’s inquiry found the breach was not the result of a single failure but a combination of factors, including gaps in access control, the absence of multi-factor authentication requirements for all users, and deficiencies in data leak protection and incident detection systems. Around 91% of affected patients were based in Northland, and the Privacy Commissioner indicated he intends to issue compliance notices to both Manage My Health and Health NZ.

For insurers writing cyber cover that includes breach response costs, the compliance exposure that follows such incidents is now governed by two distinct notification tracks. Under the Privacy Act 2020, organisations must notify the Privacy Commissioner of serious privacy breaches as soon as practicable, with the expectation of notification within 72 hours of becoming aware of a notifiable breach – triggered when personal information is accessed, disclosed, or lost in a way likely to cause serious harm, assessed against criteria in section 113 of the Act. The Privacy Amendment Act 2025 brought Information Privacy Principle 3A into force from May 1, 2026, adding a new notification obligation covering the collection of personal information from sources other than the individual concerned – indirect collection – which sits alongside the existing notification obligation under IPP3. Insurers helping policyholders manage post-breach compliance obligations need to account for both tracks when structuring breach response cover.

State-actor attribution and policy wording

Of the 77 incidents triaged for specialist support, 52% were assessed as likely linked to cybercrime actors, 17% to state-sponsored actors, and 31% carried insufficient evidence to connect the activity to any known malicious actor. That 17% state-sponsored figure intersects directly with live policy wording questions. Lloyd’s Market Bulletin Y5433, issued in May 2024 and effective from Jan. 1, 2025, updated requirements for state-backed cyberattack wordings across all standalone CY and CZ policies and multi-line policies with a cyber section. From Jan. 1, 2025, Lloyd’s syndicates are not permitted to use clause types that provide cover for state-backed attacks carried out as part of a conventional war unless they do so through a separate, affirmative product.

The practical difficulty is attribution and materiality. The threshold for exclusion under the Lloyd’s framework – attacks that significantly impair the ability of a state to function or its security capabilities – sets a high bar that most commercially targeted incidents are unlikely to meet individually. That means the 17% of NCSC-attributed state-linked incidents will not automatically fall outside cover, but the attribution uncertainty itself creates claims handling complexity that both insurers and policyholders need to anticipate in their policy language. Whether New Zealand domestic wordings have kept pace with the updated Lloyd’s clause framework is a question the quarterly data makes more acute.

RBNZ stress test identifies policy wording clarity as domestic gap

The Reserve Bank of New Zealand’s (RBNZ) 2024 General Insurance Industry Stress Test, published in May 2025, ran cyber scenarios – a major data security breach, a cloud service provider outage, and a ransomware attack – across seven domestic insurers: AA Insurance, AIG, IAG, Tower, Vero, Chubb, and QBE. The scenarios were developed in collaboration with Lloyd’s of London, the Bank of England Prudential Regulatory Authority, and CERT NZ. While the cyber losses were smaller than those modelled in the seismic scenario, the cloud-down scenario reduced annual aggregate insurer profit by one-third. The test also highlighted the exposure of particular industries to cyber risks and the need for greater clarity in policy wording regarding coverage.

That finding – policy wording clarity as an identified domestic gap – connects directly to both the attribution challenge the Q1 data presents and the updated Lloyd’s clause requirements now in effect. Insurers that have not reviewed their cyber policy language against Y5433, or assessed how their wordings respond to state-attributed incidents below the materiality threshold, are carrying an exposure the stress test results and the NCSC’s quarterly data now make more visible.

Frontier AI compresses the response window

The Q1 report also addressed the role of Frontier AI in reshaping the threat environment. The NCSC published dedicated guidance on June 18 directed at network defenders, examining how to manage vulnerability risks as these models become more capable. Jagusch described the technology as a variable that works in both directions. “Frontier AI models will change the cyber threat landscape for organisations because of the ability for malicious actors to find and exploit vulnerabilities at unprecedented speed and scale,” he said, “but they also have the potential to be used to assist defence and protect systems at a similar scale and pace. For now, the best way to prepare is getting the basic security measures in place.”

The NCSC guidance noted that AI shortens the window between a vulnerability being discovered and being actively exploited, leaving organisations less time to patch. Whether current domestic cyber policies adequately reflect the faster exploitation timelines Frontier AI enables is a question the NCSC guidance raises but does not resolve. Taken together with the loss concentration data, the unresolved individual-versus-organisational loss asymmetry, the attribution gap in policy wordings, the dual-track Privacy Act notification obligations now in effect, and the RBNZ’s own finding on wording clarity, the Q1 2026 data describes a market in which incidents are becoming more severe and the policy language designed to respond to them has not yet fully caught up.
