Cyber exclusions buried in management liability policies have quietly left smaller businesses exposed just as cyber-triggered claims against company directors climb, and while the latest response is playing out in Australia, the warning applies just as directly to New Zealand boards. Sydney-based boutique underwriter Pacific Indemnity Underwriting Solutions has written affirmative cyber language into a new Australian management liability product rather than carving the risk out. The product is not available to New Zealand brokers, but the thinking behind it speaks to a coverage gap that exists on both sides of the Tasman.
Adam Suplina, directors and officers (D&O) practice manager at Pacific Indemnity Underwriting Solutions in Sydney, said most management liability wordings have traditionally pushed cyber exposure into a separate policy that smaller businesses often never buy - leaving a cyber event capable of triggering a director's liability to fall through the cracks. It is a dynamic New Zealand commentators have flagged as well, with legal experts warning that cyber risk for directors is rising sharply on both sides of the Tasman.
At the heart of the issue is what underwriters call silent cyber - cyber exposure that sits unaddressed inside a policy never designed with cyber in mind, neither clearly covered nor clearly excluded. Many insurers have responded by stripping it out altogether.
"What a lot of policies try to do is ring-fence the silent cyber out of other policies," said Suplina. "They put cyber exclusions on or don't provide affirmative cover for cyber events that could lead to management liability events."
The motivation, he explained, is partly commercial and partly about controlling the build-up of risk across two policies covering the same client.
"A lot of policies out there contain cyber exclusions, either because they want clients to buy a standalone cyber policy or they don't want accumulation between a cyber policy and a management liability policy," Suplina said.
This type of exposure is far from theoretical. The National Cyber Security Centre (NCSC) reported in its Cyber Threat Report 2025 that direct financial losses from cyber incidents reported to it reached $26.9 million in 2024/25, up from $21.6 million a year earlier, while 53 per cent of New Zealand's small and medium-sized enterprises (SMEs) experienced a cyber threat in the first half of 2025 – up from 36 per cent in 2024. Business email compromise and phishing remained among the most reported categories – both of which lean heavily on social engineering.
Social engineering, or fraud in which an attacker impersonates a trusted contact to trick staff into transferring funds or handing over data, is precisely the kind of event that can spill into a director's world and surface as a governance or privacy claim. Suplina said this is a big component of the cyber risk facing SMEs.
"We've gone the other way and tried to put in some affirming language saying that just because you have a cyber event, it's not going to preclude you from having a management liability claim under our policy," said Suplina. "Especially with things like social engineering and the privacy concerns around that."
A convergence of trends is showing up across the market, with brokers reporting that the uptake of cyber insurance among Australian SMEs is climbing as attacks, regulation and contractual demands all push smaller businesses to take the threat seriously.
Pacific Indemnity's position runs against the prevailing market logic, deliberately keeping cyber-related exposures inside the management liability wording rather than fencing them out.
"This is making sure we're giving cover where some others are ring-fencing cyber exposures in cyber policies – we're allowing our policy to still have those exposures to cyber," Suplina said.
The product, backed by AXA XL and aimed squarely at the SME and mid-market segment, arrives against a tightening regulatory backdrop. Reforms to the Privacy Act 1988 are being rolled out across 2026 and 2027, extending obligations to a wider range of smaller businesses and raising the expectation that boards can demonstrate active data protection rather than paper compliance alone.
For New Zealand brokers, a management liability policy that silently excludes cyber may leave their SME client believing they are protected against governance and privacy claims that, in reality, sit outside the wording. As cyber and management liability risks converge, and with New Zealand's widening cyber resilience gap increasingly falling to brokers to close, the question of where one policy ends and another begins is becoming more consequential to answer.