There is a moment on a ransomware triage call that Duncan Morrison (pictured), cyber practice leader at Aon New Zealand, describes as genuinely surreal. A specialist negotiator - calm, methodical, forensic - joins the line and begins briefing the stricken organisation about its cyber attacker. Morrison recreated the substance of what this negotiator said for Insurance Business: “From our research, this is the group that impacted you. We’ve dealt with them 60 times. 90% of the time they do what we say. Your backups are compromised, but don’t pay today - you’ll look desperate. We can probably get the ransom down by about 50%.”
Most New Zealand organisations have no idea this world exists and most of their brokers have never been in that room either - and that risk management gap could matter more than ever as the cyber threat environment shifts.
The specialist ransomware negotiators, forensic accountants, PR advisors and incident response teams that quality cyber insurance policies unlock represent a claims ecosystem with no equivalent in any other line. For brokers, this is the conversation that separates advisory value from policy placement. The organisations that have been onboarded with their insurer, embedded their cover into incident response plans, and know exactly which panel vendor to call in the first hour of an event recover differently from those that bought a policy and filed it. Morrison is unambiguous about the stakes: for many clients, the difference between those two approaches is the difference between recovery and collapse.
The structural shift Morrison identified is one that should be reshaping how brokers frame the risk conversation with every client in their book - not just those in formally regulated sectors. Cyber threat actors have progressively reoriented away from targeting individual organisations and toward the platforms and managed service providers those organisations rely on. The logic, from a criminal perspective, is ruthlessly efficient. “From a threat actor’s perspective - they get in once and impact dozens of clients,” said Morrison. “The leverage for ransom payment is much higher.”
New Zealand has already experienced this locally. Morrison pointed to events where a managed service provider breach cascaded across multiple clients simultaneously - and where organisations discovered that their backup data had been pooled with other clients’ data at the provider level. Data that didn’t even belong to their business was exposed in the breach. The assumption that a vendor’s security problem stays the vendor’s problem has been tested, and it has failed.
For brokers, this can rewrite the risk assessment conversation entirely. The question is no longer simply what controls a client has in place internally. It is what their managed service provider, cloud platform, internet provider and IT vendor are doing - and critically, what the client actually knows about what they are getting. The February 2026 New Zealand Government discussion document on critical infrastructure cyber security frames this with uncomfortable precision, noting that 80% of private sector experts surveyed said their organisations lacked basic cyber hygiene for operational technology, and that approximately 35% of SCADA assets - the systems controlling physical infrastructure - are at or near end of life. The proposed regulatory regime would extend compliance obligations to third-party vendors with operational control over critical components. The liability perimeter is expanding, and brokers need to be mapping it.
Morrison’s career arc - from general broker to dedicated cyber specialist - has happened while the cyber market has transitioned in ways that many other lines are only now beginning to navigate. The consultative, risk management-led approach that D&O and property brokers are increasingly being asked to adopt is simply standard operating procedure in cyber.
Five or six years ago, the dominant topic at governance and risk committees of large organisations was probably D&O. Cyber has displaced it at the top end - which Morrison considers encouraging - but the mid-market and smaller organisations in most brokers’ portfolios have not moved at the same pace. That is both the challenge and the opportunity.
However, the Government’s discussion document explicitly frames cyber security as a fiduciary obligation, proposing that directors of critical infrastructure entities be personally responsible for compliance. For brokers, that framing is a client conversation waiting to happen across far more of their book than just the 200 or so entities the regime will formally capture.