Too small to target? Why SMEs can't afford to overlook cyber insurance

Small breaches rarely make headlines – but they can still sink a business, experts warn

By Branislav Urosevic

For many small and mid-sized enterprises (SMEs), cyber insurance can feel like something designed for bigger businesses with bigger problems. After all, when headlines focus on breaches involving global retailers, airlines, and banks, it’s easy for smaller players to assume they’re beneath a hacker’s radar – or already protected through general liability or D&O coverage. But that perception, experts warn, is both outdated and dangerous.

At Beazley, cyber specialists are seeing a shift in the conversation – both because smaller businesses are also being impacted, and because they’re becoming more aware of the risks. The difference is that the risks are growing, the coverage assumptions can often be wrong, and the fallout for underprepared businesses can be catastrophic.

The shift in coverage and understanding

While some assume their general liability (GL) or directors and officers (D&O) insurance includes adequate cyber protection, Beazley experts say that belief is increasingly rare among more sophisticated clients. According to Wayne Imrie (pictured left), head of London market wholesale executive risks at Beazley, the real issue tends to surface among less experienced buyers in the SME space.

“We have had it … on some of the smaller SME business where there may be not the level of sophistication within the entity or the buyer,” he said. “Because when you … drill down into a GL policy or a D&O policy at that level, you do get some fairly broad form coverage … but [it] doesn’t necessarily give you the cyber cover … that you would want.”

Imrie noted that progress has been made, both by insurers and brokers, in educating clients and improving clarity around what is – and isn’t – covered. “I think over time that has … evolved to a point of … clear understanding,” he said, citing policy language that is now more precise and exclusionary regarding cyber threats.

Still, grey areas remain. Sydonie Williams (pictured right), Beazley’s head of international cyber risks, pointed out that older policies might include cybercrime coverage that doesn’t align with today’s digital landscape. “What cybercrime meant 30 years ago was probably a fraudulent wire transaction,” she said. “It’s very different to think about how we all send money all day long … So it’s slightly different.”

Her advice: work with a broker and a specialist carrier who can help interpret policy terms in today’s context.

The illusion of being “too small to matter”

One of the most persistent misconceptions in the SME market is that a company’s small size makes it an unlikely target. Williams said this belief often stems from how cyber attacks are portrayed in the media – where only the most dramatic incidents involving major brands make headlines.

“You can understand, if you’re a retailer with a couple of hundred thousand in revenue and you see someone with billions … you’re going to think [why would they target me]?” she said. But in reality, most attackers don’t discriminate – they just follow opportunity. “Actually, it’s that there was a big campaign to get lots of different companies, and they’re just the ones that they managed to get.”

Many SMEs also believe that outsourcing IT or cybersecurity functions offers them sufficient protection. But in doing so, they often overlook a major vulnerability: third-party risk. “An SME probably doesn’t have its own chief information security officer … They probably rely on a third party to outsource that technology,” said Williams. “And there is a little bit of a misunderstanding that because I’ve done that, I’m protected.”

The truth, she said, is that supply chain failures are among the leading causes of losses today – and they can easily ripple through a network of SMEs that all rely on the same external providers.

Small breaches, but big impact

Even when SMEs do fall victim to a breach, the incident often doesn’t make the news – creating a false sense of how widespread the problem really is. Imrie explained that many large companies are required to disclose breaches due to listing rules or regulatory obligations, but SMEs often aren’t.

“There’s a lot of activity that’s going on that’s not in the public domain,” he said. “You’d be short-sighted if you thought that wasn’t happening.”

More importantly, even a relatively minor cyber incident can have outsized consequences for a smaller business. “These large organizations are feeling the pain … and yet they’ve got the financial … capabilities of weathering such a storm,” Imrie said. “For small businesses [it] could be catastrophic.”
