Small and medium-sized enterprises (SMEs) are increasingly targeted by cybercriminals, yet many remain with inadequate insurance coverage, according to a report by Munich Re.
The German reinsurer’s Cyber Risk and Insurance Survey 2026 found that nine out of 10 C-level executives worldwide consider their companies inadequately protected against cyber risks. The findings highlight growing awareness of digital threats – an awareness Munich Re says is warranted given the rising scale and sophistication of attacks.
The report points to a troubling shift in criminal tactics. Cyber attackers are increasingly targeting entire supply chains and launching automated attacks on numerous companies at once. This evolution places SMEs squarely in the line of fire, even when they are not the primary target.
When large organizations are hit by cyberattacks, the financial fallout often spreads to smaller suppliers and service providers. Business interruptions and losses can cascade down the supply chain, in some cases pushing smaller companies toward insolvency.
SMEs are particularly vulnerable, the report notes. Compared with larger firms, smaller companies often have limited resources for preventive measures, employee training, and IT security infrastructure. Recovering from an attack – restoring systems, resuming operations, and managing financial loss – can become an existential challenge.
A survey by the Identity Theft Resource Center, a San Diego-based education and victim resource nonprofit, found that four in five small firms encountered cyber scams, and nearly half of these attacks were powered by artificial intelligence, allowing attackers to automate strikes and adapt to defenses rapidly.
Despite the elevated risk, many SMEs remain uninsured against cyber threats. Munich Re attributes this to limited access to appropriate insurance products and a tendency among smaller businesses to underestimate the importance of comprehensive cyber risk management.
The report urged insurers to act, suggesting that cyber insurance products be designed for clarity and simplicity, with transparent purchasing processes tailored to real business needs.
The reinsurer framed the challenge as a collaborative one, calling on primary insurers and reinsurers to work together to strengthen cyber resilience across smaller businesses.
