Small businesses now rank cyber incidents as their biggest threat after business interruption, but many are still underestimating their exposure and don’t have a plan in the event of an attack.

This year’s Allianz Risk Barometer reflects the growing concern and awareness of cyber threats among small and medium-sized firms (SMEs). For the first time, cyber incidents ranked as the top risk for mid-sized companies surveyed, and the second-highest risk (after business interruption) for small companies (those with annual revenues of less than €250m).

Yet while awareness is clearly growing, driven by major breaches hitting the headlines and direct cyber losses, “many SMEs still underestimate their exposure and are not prepared for, or able to respond to, an incident”, Allianz warns.


This finding is supported by research by the Federation of Small Businesses (FSB) which found that only 35% of small firms and the self-employed have a plan to cope with potential disruption to their business operations or supply chains. IT problems and the impact of cybercrime were identified as primary threats to small businesses.

FSB figures show that, on average, a cybercrime incident costs an SME nearly £3,000 and takes more than two days to recover from. It is estimated that seven million cybercrimes are committed against smaller firms in the UK every year.

In the past, many smaller companies believed cyber was just a threat for big business, according to Graham Whyatt, group head of affinity and SME at James Hallam. “Even now some probably still believe that’s the case, but we’ve been trying to highlight those cyber events where smaller firms have been getting hit and how it’s affected their businesses.”

What are relatively small costs associated with forensic investigations and system restoration for large corporations can be a massive hit for an SME, he adds.

“Getting the specialists in to find out what’s gone wrong can cost tens of thousands of pounds, which is an awful lot of money for an SME.”

Such costs are covered by cyber insurance policies, but are smaller firms buying the cover? Efforts by government (through initiatives such as Cyber Aware and Cyber Essentials), associations and insurance brokers to educate small firms about the risks are beginning to bear fruit. Since 2017 the FSB has offered its members access to a free helpline and up to £10,000 of third-party cyber cover as standard.

The UK government has set up the National Cyber Security Centre, with a remit to encourage small and micro-companies to seek certification under the Cyber Essentials scheme. Its small business guide includes advice on backing up and protecting data, preventing malware damage and avoiding phishing attacks, among other things.

As cyber insurance becomes more readily available and affordable, Whyatt believes it will become an increasingly standard purchase alongside other professional liability products. “That’s only happened over the last 12–18 months,” he says. “We can arrange a cyber policy for a few hundred pounds. And for an SME that will be an adequate level of cover which will cover an average attack of £50,000 to £100,000.”

A market set to grow

The growing maturity of the cyber insurance market, assisted by a growing wealth of claims data and analytics, has also contributed to the ability of SMEs to secure affordable cover that is tailored to their needs, says JLT Re global head of analytics David Flandro. “A few years ago SMEs thought of cyber cover as something that was slightly esoteric, and there are still many who do,” he says. “But what we’ve noticed in the last year is that in fact the retail products are starting to sell themselves.”

With Hiscox anticipating the cyber insurance market could grow from $3.2bn to $36bn by 2027, it is clear the steady increase in exposure and capacity will also drive take-up among SMEs. “Nobody knows how big cyber exposure is or what cyber limits ought to be, and we are working very hard on that so that we can accurately model it,” says Flandro. “What we do know, when we look at this empirically and ask our clients about it, is that intangible risks are now perceived to be as big as property risks.”

“Cyber is one of these intangible risks that we can’t really put a ceiling on yet – the ceiling is still unknown,” he adds. “But whatever it is, it’s big. And it could be as big as the property market for all we know, which is huge. And the risks will continue to grow as the world becomes more interconnected.”