Your Cyber Insurance Won't Cover a Click

Last quarter we talked about test restores - the often-overlooked requirement buried in your cyber insurance policy that can void a claim if ignored. Today we need to talk about something even more overlooked, and arguably more dangerous: your people.

Because here's the uncomfortable truth that insurance underwriters are now acting on. Your backups can be perfect. Your firewall can be enterprise-grade. But if one of your team members clicks the wrong link in an email, none of that may matter.

The policy question you probably skipped

Pull out your last cyber insurance renewal form. Somewhere in that document - possibly buried under the backup and patching questions - you'll find a section about staff awareness training. It might ask:

  • Do you conduct regular cyber security awareness training for all staff?

  • Do you run simulated phishing tests?

  • Do you have a documented acceptable use policy?

If your honest answer to those questions is "no," "not really," or "we covered it in the induction two years ago," you may have a coverage problem you don't know about yet.

Underwriters in 2026 aren't just reviewing your technical controls. They're reviewing your human controls. Because the data tells them exactly where claims are coming from, and it's not failed firewalls.

The number that should keep you up at night

By the most commonly cited industry figures, around 90% of successful cyber breaches involve human error at the point of entry. Phishing emails. Malicious links. Credential theft. Fake invoice scams. These aren't sophisticated attacks - they're simple manipulations that exploit the fact that your team is busy, trusting, and not specifically trained to spot them.

For New Zealand businesses, the stakes are real. Direct cyber losses across NZ now exceed $4 million per quarter. And the businesses taking the biggest hits aren't the ones without technology; they're the ones without training.

What "untrained staff" means to your insurer

Think of it this way. If you insured your car but admitted you'd never taken a driving lesson, your insurer would consider that a material risk. Cyber insurance is moving in the same direction.

When a claim is lodged following a phishing attack and the investigation reveals that staff had never received training, insurers are increasingly using that as grounds to reduce or contest a payout. The answers you gave on the renewal form are representations the insurer relied on when it priced and accepted your risk. If a court or assessor determines that staff awareness is a reasonable baseline control - and they increasingly do - then gaps in your training programme become your liability, not the insurer's.

The shift from reactive to proactive

Last quarter's conversation was about recovery: can you get your data back? This quarter's conversation is about prevention: can you stop the incident from happening in the first place?

These aren't competing ideas - they work together. A well-tested backup strategy means you can recover. A well-trained team means you're far less likely to need to.

The good news is that fixing the human gap doesn't require a major project or a big budget. It requires consistency.

What a trained team looks like

Effective cyber awareness training in 2026 isn't a one-day seminar or an annual video. It's a rhythm:

  • Monthly micro-learning: Short, engaging video content on current threats: phishing, password hygiene, social engineering, safe remote work habits

  • Simulated phishing tests: Realistic test emails sent to your team to see who clicks - and who reports them - with immediate coaching for anyone who does click

  • Policy acknowledgement: Documented sign-off so you can demonstrate to insurers that training actually happened

  • Dark web monitoring: Alerts if your team's work email addresses or passwords appear in known breach databases, so you can force a password reset before the credentials are reused against you

  • Reporting you can use: A dashboard showing quiz completion, click rates, and improvement over time — the kind of documentation your insurer actually wants to see

Your next step

Before your next insurance renewal, ask yourself: if a claim were lodged tomorrow and the investigator asked to see evidence of staff cyber training, what would you hand them?

If the answer is "not much," that's the conversation we should have.

At Swerve, we've made this straightforward for NZ businesses. Our Staff Awareness Training programme is built specifically for SMBs - no enterprise complexity, no lengthy setup, and a per-user cost that's a fraction of what a single incident would cost you.

Talk to us about getting your team trained

John Harris

Managing Director & Customer Lead
