‘The financial fall-out, from crippling fines to lost customers or soaring costs, can push even the most resilient business to the brink,’ says head of cyber

Calls have been made for better reporting around cyber attacks after Hiscox found that 59% of UK SMEs have experienced a cyber attack in the last 12 months.

Hiscox’s latest Cyber Readiness Report, released yesterday (1 October 2025), investigated the impact of changing cyber threats on small businesses – including the threat posed by artificial intelligence (AI).

The introduction of AI has proven to be a major enabler for cyber criminals, and the report suggested that 55% of the firms that reported an attack had experienced it because of AI vulnerabilities.

AI can be used to exploit companies via methods such as malware generation, AI-powered phishing and social engineering tools, the abuse of chatbot integrations and the hacking of poorly secured AI-generated code.

Despite the inherent risks, the report found that the majority of SMEs – some 65% – still felt that AI was more of an opportunity than a threat to their business.

However, according to Eddie Lamb, global head of cyber at Hiscox, the effects these attacks can have on SMEs cannot be ignored.

He said: “No business, however small, can afford to underestimate the devastating impact a cyber attack can have. Cyber attacks don’t just disrupt day-to-day operations – they can threaten the very survival of a business.

“The financial fall-out, from crippling fines to lost customers or soaring costs, can push even the most resilient business to the brink. On top of this, the stress and long hours required to recover can impact staff morale and even lead to burnout.”

Improved reporting

Meanwhile, respondents were heavily in favour of better reporting around attacks, with 71% believing that targeted firms should be required to disclose if they paid a ransom and the value of it.

While paying ransoms may seem the fastest route back to operation for desperate businesses, respondents reported that only 60% of those that paid an attacker recovered all of their data and 31% of payees found that their attackers demanded more money.

Kirsten Maley, director of claims at MGA Cowbell, spoke to Insurance Times to explain how a lack of mandatory reporting may be hurting businesses.

She said: “One of the biggest challenges of ransomware response in the UK is incomplete incident data, particularly from SMEs, where attacks often go unreported. This in itself creates serious blind spots.

“Without full visibility, models of ransomware frequency and severity are skewed, meaning controls can be mis-targeted and insurers risk mispricing. It also keeps much of the problem in the shadows – when incidents are hidden, guidance and education efforts are undermined and a sort of ‘shame culture’ persists that tends to make victims far less likely to seek help.”

The upsides of reporting, Maley explains, are clear: “The obvious upside is better data – better as in more complete and more timely.

“For insurers, this means better risk modelling, fairer pricing and more accurate, tailored cover. And for brokers and their clients, it means quicker, safer decision-making to enable sanctions and guidance on reducing legal and reputational risk.

“Yes, there’d be an extra administrative burden on the organisations affected, but the trade-off outweighs that – faster recovery, clearer guidance and less chance of legal or reputational damage. Over time, I think consistent reporting would also help to improve response planning and just generally build market resilience.”
