Asking SMEs to buy cyber insurance is ’like asking them to voluntarily buy a culture change’, says cyber chief executive

Cyber insurance is ”the most inaccessible” product for small and micro businesses, according to Lucy Scott, partner and head of global cyber and technology at broker Lockton. 

Scott was addressing delegates attending day one of Insurtech Insights on 20 March 2024. She was speaking during a panel session entitled Cyber crime set to reach all time high: Driving awareness and accessibility for SMEs.

In her opinion, micro businesses – which are defined by the European Union as having 10 or less members of staff and an annual turnover or balance sheet of less than £1.7m – simply cannot “comply” with ”the level of security and maturity” that is ”suddenly expected of them almost overnight” if they were to purchase a cyber insurance policy.

Scott continued: ”We got to a stage where some clients just couldn’t buy cyber insurance and we feel that isn’t an acceptable state of affairs. So, we’ve done a lot to improve that.”

These improvements include Lockton offering risk management services to its clients, as well as exploring automated underwriting. 

Partly driving SMEs’ struggle to obtain cyber insurance is the fact that these businesses remain a target for cyber criminals – especially as artificial intelligence (AI), fraud and cyber attacks are increasing in “sophistication”, Scott noted.

This includes the escalation of deepfake crimes, which use AI generated images or videos that are not real, and chief executive impersonation fraud.

Describing the uptick in chief executive impersonation fraud, panellists cited a May 2023 report from law firm Pinsent Masons – entitled Annual Fraud report: The definitive overview of payment industry fraud in 2022 – which found that this type of fraud increased by 11% in 2022, amounting to losses of £12.9m.

This is compared to losses of £11.9m in 2021. 

Regarding deepfake crime, the panel shared an example where an unnamed employee at a Hong Kong firm was duped into wiring £20m of her firm’s money to the company’s chief financial officer. In fact, the money was not sent to the c-suite professional at all, but was in reality a deepfake video conference call with fraudsters.

Another trend hitting SMEs is generative AI, which is ”definitely the new game in town” according to Gareth Wharton, cyber chief executive at insurer Hiscox.

He explained: ”It allows you to write phishing messages in any language that are near perfect, so the idea of looking for typos in phishing emails is starting to go out the window.”

Not all bad news

Despite Wharton believing that asking an SME to buy cyber insurance is “like asking them to voluntarily buy a culture change”, he also thinks “it’s not all bad news” in terms of cyber cover’s penetration in the SME market.

 This is because the technology to detect malware is quickly improving.