In depth: The importance of cyber crime education for both brokers and SMEs

The potential seriousness of cyber attacks and their increasing frequency are big concerns to both brokers and their clients. Martin Friel investigates how important education around this risk can be.

Cyber has been a viable product for the best part of 20 years and, while corporates have long since adopted it as a vital part of their insurance programme, take-up among SMEs is still very low considering the scale of the threat they face.

The market is rapidly maturing, policies are certainly fit for purpose, the services and cover provided are comparable to any other insurance product and costs are in the low thousands per policy. However, penetration of the SME sector has been described by one broker as “minuscule”, despite the fact the 2022 Hiscox Cyber Readiness Report ranked companies with fewer than 10 employees as the most vulnerable to a cyber attack.

Lack of awareness over risks

There are a whole host of reasons why any one client might decline certain cover, but there is a growing consensus in the insurance market that one of the key blockers is the lack of awareness of the risks posed and the solutions brokers can source.

Lee Musgrove, senior account executive at Lycetts, says that it is very rare for an SME client to spontaneously request to discuss cyber cover, mainly because they don’t believe they are at risk. Cyber crime is for the big boys, not for a jobbing SME.

“We have been pushing the benefits of cyber to commercial clients for some time, and we use case studies of SMEs who have suffered a cyber attack to draw their attention to the risks,” Musgrove explains, adding that an unprotected SME could face uninsured losses of up to £30,000 following an attack.

“You are relying on the relationship with your client to get over any doubts they may have and stress the genuine need. It doesn’t matter if you are small or large – there is a genuine risk there.”

But it is going to take more than a simple awareness campaign of the risk to convince SMEs to embrace cyber insurance. The appetite to buy largely depends on the individual business.

“You may have an SME with someone on the board who is responsible for data security and find that it receives the same level of strategic importance as financial and operational risks,” Alana Muir, head of cyber at Hiscox, says.

“In contrast, some larger businesses may have one person responsible for data security who works part-time. A sporadic approach to cyber risk is a common trend.”

There is a sense that the lack of awareness is also related to the lack of knowledge that these brokers have of cyber. However, there is a view that they could crack the SME cyber insurance nut if they simply focused on what they do best – assessing the risk and finding the right solution for the client – rather than trying to become completely cyber literate.

“We are not tech people. Our expertise lies in understanding the client’s business, what risks we can transfer, what they think they can manage themselves, and how much budget they have available to spend on insurance,” Catie Brooks, client director at Konsileo, comments.

“It’s unrealistic for a broker to expect to understand everything about the systems and how they are exploited by threat actors. Even insurers are struggling to keep up. The Information Commissioner’s Office changed its advice on how frequently passwords should be changed in 2022, but some insurers still haven’t amended their policies to reflect that.”

Have you tried turning it off and on again?

This might give brokers a bit more comfort that they don’t have to be an information technology expert to sell cyber effectively, and hauling cyber out of the IT box in brokers’ minds could be a crucial step in securing the volume of sales the market is looking for.

“For years, cyber risk was associated with IT, but a business cannot make decisions about a marketing campaign without considering their GDPR exposure. Cyber risk is an enterprise-wide issue and should be managed in the same way as financial and operational risks,” Muir says.

This should be music to brokers’ ears as this approach starts to take cyber out of the realm of the unknown and firmly back into their comfort zone. But cyber isn’t a straightforward commercial combined policy. Brokers do need to understand how the policy protects a business in a practical sense, as cyber policies are becoming radically different to more traditional ones.

“It’s about understanding how different types of cyber losses impact their business,” Brooks comments.

“Brokers need to have less understanding of the tech behind it all, and much more on the impact of a cyber event on their clients. The best thing brokers can do for their clients is to understand how the losses can come in and how they will affect them.”

But in cyber there is a growing clamour to provide support services that seek to prevent claims happening and mitigate the impact when they do, with a growing number of insurers adding services with significant preventative value.

Muir adds: “The first response cover is worth its weight in gold. When the worst happens, having access to blue chip professionals to hold your hand, triage, manage and resolve an event from both a technical and legal perspective is crucial.”

These kinds of services, while still valuable to middle-sized businesses and corporates, were designed and implemented specifically with the safety of SMEs in mind. 

In addition, the industry is starting to collaborate to remove some of the opacity of terms and acronyms that are in the cyber market and to get brokers and clients much more comfortable in this digital realm.

Help is available

In December 2022, the British Insurance Brokers’ Association, in conjunction with CFC, launched a cyber awareness guide, detailing case studies and providing a glossary of terms to help everyone start to make sense of it all.

“The guide can be used as a useful tool to help brokers demonstrate to their business customers the value of stand-alone cyber cover,” technical services manager at Biba, Shaune Worrall, says.

“Many leading cyber policies now offer so much more than reacting to a claim. Some include services like vulnerability scanning and round-the-clock threat monitoring, as well as information and advice about security concerns, meaning that businesses don’t have to claim to get value from their policy.”

While the uptake of cyber among SMEs has been slow, it appears that all the pieces for change are falling into place – a collaborating industry, a product that has been designed with SMEs in mind and a sales approach that shouldn’t differ too much from traditional products – which could finally bring cyber in from the cold.

Or, as Brooks said: “With the way it’s developing, I think cyber is moving towards being the kind of cover you need just to be in business.”

But to get there, the broking market must ensure that it is approaching the right clients in the right way, and with the right product. If it can get that right, then there’s no reason Brooks’ prediction can’t become fact.
