In depth: Are SMEs behind the times with cyber insurance?

Despite the majority of SMEs not holding any cyber insurance, cyber attacks are increasing. And despite their size, Martin Friel finds that many smaller businesses are more at risk than larger companies.

John Edwards, the UK information commissioner, gave a thundering warning late last year as he issued a £4.4m fine to construction firm Interserve for a data breach when he said: “The biggest cyber risk that businesses face is not from hackers outside of their company, but from complacency within their company.

“If your business doesn’t regularly monitor for suspicious activity in its systems, and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

The warning is clear – if a company in the UK fails to put appropriate security measures in place to prevent a cyber attack, and it suffers a data breach, then it can expect some serious attention from the data regulator.

This should act as a stark warning to SMEs up and down the country, but it appears that the message has yet to fully hit home. 

According to a recent report from GlobalData, only 52% of medium-sized businesses, 40% of small, and 17% of micro businesses held any cyber insurance. That is despite the fact that cloud security firm Barracuda Networks found that an employee of a small business with fewer than 100 employees would, on average, experience 350% more social engineering attacks than if they worked in a larger organisation.

Indeed, this is reflected in the emerging claims experience from the cyber insurance sector, with CFC revealing that, of the 2,500 cyber incidents they responded to in 2022, 90% involved firms with less than £50m turnover.

What is the hold up?

The threat is real, so why haven’t SMEs yet switched on to cyber?

“The rationale we are seeing is that they believe they don’t have that exposure, and won’t be hit in the same way as a big company, so their investment isn’t as high – or even there at all,” Lindsey Nelson, cyber development leader at CFC, explains.

Likewise, Nick Ellis, director at Alan & Thomas, comments that while there is much more awareness of cyber-attacks in general, SMEs still believe it is something that happens to other businesses: “You can tell them the risks as much as you want, but for some until an attack happens close to home, they’re not going to be interested.”

The rationale among many SMEs seems to be that as they are not a big firm with big data, why on earth would anyone want to attack them? On the face of it, this seems a reasonable stance to take, but when the motivations and activities of threat actors are better understood, the threat posed to SMEs by cyber risks becomes much clearer.

According to Nelson, the main attraction of SMEs to threat actors is that they can attack them easily and often. She says: “For me, it’s like when thieves would go down the street trying every car door until they found the one that wasn’t locked and stole it. It’s exactly the same process here, but digital.

“The criminals may get smaller amounts of cash through ransomware and social engineering fraud, but these are still the most frequent incidents.”

Nelson notes that while ransomware attacks do happen to SMEs, the issue for them isn’t so much the cost of the ransom (it tends to be relatively low), but the cost of being out of business for however long the hacker keeps their systems captive.

“We can usually get clients up and running within two weeks of an attack, but if they don’t have the right support in place at the time the hack happens, they can be prevented from trading for two or three months. It’s not so much the cost of extortion for SMEs, it’s the business interruption issue,” she adds.

Policy problems

It’s easy (and convenient) to lay the blame for the lack of uptake of cyber insurance among SMEs at the feet of those very businesses, but there is more than just naivety and hubris at play here. The insurance sector itself would do well to look at its own role in all this.

There have been complaints from the broking sector about the lack of common wording among the host of cyber policies out there, which causes confusion for brokers when trying to explain the policy to clients. 

Likewise, the terminology used in cyber policies can be impenetrable, with technology giving insurance a run for its money in the realm of acronyms.

The consensus is that common wordings will emerge in time, as they have with other new products in the past, like directors’ and officers’ insurance. The British Insurance Brokers’ Association and CFC have also recently launched a support guide for cyber insurance. However, the main issue appears to lie not in the complications created by underwriters, but in the lack of knowledge about cyber in the broking community.

“The biggest issue for me is that there is not enough knowledge from brokers and an apparent unwillingness to bring someone in who does have the necessary knowledge,” Sam Cheshire, who runs Clear Insurance Management’s cyber programme, tells Insurance Age.

Cheshire is not alone in this view, with brokers and insurers alike conceding that knowledge of the product, and how it can be applied to cyber risks in different sectors and business types, is a major sticking point in the take-up among SMEs.

Ellis sees some similarities in the current cyber situation with how the D&O market evolved. Ten or 15 years ago, there was a similar issue of SMEs not taking up D&O cover, as they saw it as something just for the big corporates, rather than them.

“D&O really started to turn a corner when the advisers could explain it all properly. The take-up of cyber is improving, but it is still quite slow. D&O took quite a long time to reach that tipping point with SMEs, and I think we are about another five or six years away from reaching that same point with cyber insurance,” he says.

Education, education, education

This lack of cyber knowledge within the insurance market is a well-known issue, and brokers are working hard to train their people to such a level that they can comfortably talk about the benefits of cyber insurance, and how they apply it to a particular business.

Every broker Insurance Age spoke to has embarked upon some kind of training for their people, with part of the impetus coming from increased risk management demands from insurers as cyber claims start to arrive in volume.

“We’ve been through a hardening market, where insurers didn’t just increase prices, but they increased the level of risk management and preventative measures required to provide cover,” Andrew Marvin, client service director at Gallagher, reveals.

Marvin explains that some insurers are insisting that SMEs seeking cyber cover have multi-factor authentication in place, and have conducted employee training and a data backup for disaster recovery, before even considering taking on the risk.

“I don’t think these demands are unreasonable,” Marvin says, adding that it does, however, put more onus on the broker’s knowledge to be able to guide the client through the requirements for cyber protection. “We have done a significant amount of training with our people on what the cyber risk looks like, and why it is important to not just focus on big business, and what the risks to SMEs are.”

But more than giving themselves the necessary education, brokers are working hard to get the wider message across to clients that this is valuable cover, is widely available and, in comparison to the potential fallout of a cyber attack, is a very affordable policy at a couple of thousand pounds premium for £1m of cover.

“We have a large number of SME clients, and we offer cyber cover to every one of them, if appropriate,” Cheshire says.

“We mention cyber without fail at every renewal, and we are starting to get more and more clients coming to us for a quote on the back of that. The argument I use is that they need it for the cyber crime element as that is the biggest threat for SMEs. 

“So, we send out relevant news stories with case studies warning clients of the risks. The story we use is – the criminals are not out to get you in particular, you’re just the low-hanging fruit.”

The value of cyber insurance to SMEs is clear. The policies and the cover are out there with some excellent monitoring support for SMEs, and brokers are rapidly getting up to speed with the intricacies of the product as they seek out the cyber tipping point that D&O insurance eventually enjoyed.

All the pieces seem to be in place for this market to really take off in the SME space and, as Marvin says, the way to make that take-off a reality is really quite simple.

“The brokers that do well in this space know the risk. They bring it to client’s attention, and provide some simple tools that clients can use to improve their online safety. We all know that training is the silver bullet for most things,” he explains.
