Mike Dalby, chief executive at Howden’s consumer and local commercial division, makes the case that we must all be more serious about selling cyber.
Spend enough time talking to small business owners and a familiar scepticism emerges around cyber insurance. They understand the need to insure their vans, their premises, their tools and their people.
But ransomware? Phishing? Data breaches? These risks still feel remote, abstract and the sort of thing you can avoid with “a bit of common sense”.

That perception persists despite years of warnings, statistics and high‑profile cyber incidents. And while it’s tempting for the insurance industry to conclude that SMEs simply “don’t get it”, the uncomfortable reality is that we haven’t yet done a good enough job of making cyber insurance feel essential.
Within the industry, the arguments for cyber insurance are well rehearsed. We all know that cyber crime is no longer confined to large corporates.
Reports repeatedly show that small businesses are targeted precisely because they are smaller, less resourced and easier to exploit. The methods are rarely sophisticated mega hacks and more often involve phishing emails, subtly altered invoices, compromised suppliers or stolen login credentials.
These incidents rarely make the news, but they regularly cripple businesses employing fewer than 20 people.
And yet penetration among SMEs remains low. Even optimistic estimates suggest that fewer than one in four SME businesses have cyber insurance in place, and for microbusinesses, it’s significantly lower. That should give everyone in distribution pause for thought.
And it’s not that cyber cover doesn’t work, isn’t affordable or isn’t relevant. It’s that too often it is positioned as something extra. A specialist add‑on. A nice to have once the core insurances are dealt with. An optional extra that is easy for clients to dismiss without challenge. That mindset, on our side of the table, is part of the problem.
Making cyber deliberate
In most broker to client conversations, cyber insurance still appears too late. It arrives after the ‘proper’ covers have been discussed, when appetite is low and pricing sensitivity is high.
When clients hesitate, it drifts away without much resistance. Compare that with how we treat employers’ liability, professional indemnity or commercial motor and the inconsistency becomes stark.
But we can’t escape the fact that cyber risk is now an unavoidable feature of running a business. Email, online banking, cloud systems and supplier networks are integral to daily operations. The idea that cyber can remain a specialist concern no longer stands up to scrutiny. If it can stop a business trading, it is a primary risk.
The consequences of getting this wrong are severe. A successful cyber attack on an SME can drain bank accounts overnight, halt trading for weeks, expose customer data and trigger regulatory action. For smaller firms, there is often no balance sheet strength to absorb that shock. Reputational damage lingers. Stress levels rise. Customers walk. Some businesses never reopen.
And this is where cyber insurance is fundamentally misunderstood. The right cyber policy is not just a claims mechanism; it’s a rapid response capability.
It provides access to forensic specialists, legal advice, breach notification support and recovery expertise from the moment something goes wrong. For a modest annual premium, often comparable to insuring a single vehicle, SMEs gain support they could never replicate themselves. Yet too many clients only appreciate that value after an incident.
The tragedy is that, had we been firmer in our advice, the cover would already be in place.
So it’s time for us, as an industry, to raise our own expectations. Cyber insurance should be treated as a default conversation, not an optional one. Advisers should feel confident and supported in recommending it robustly, not tentatively.
Let’s stop being overly concerned about discomfort in the sales conversation and focus instead on the consequences of silence. Those awkward conversations are often the ones clients thank us for later.
The market has evolved. Cyber products for SMEs are clearer, proportionate in cost and far better aligned to real‑world risks than they were even a few years ago. What hasn’t moved far enough is our collective mindset. Cyber protection needs to be centre stage.
The next wave of cyber attacks will not discriminate by size, sector or turnover. The businesses that come through won’t necessarily be the biggest or best resourced, but the ones that anticipated the risk and acted early.
Closing the cyber protection gap starts with us. By treating cyber insurance as a core business protection, by leading with it rather than tagging it on and by being braver in our advice, we can collectively, materially improve outcomes for SMEs.
That is not just good insurance practice. It’s good advice. And it’s long overdue.









































