More than a third (36%) of UK businesses now see cyber as their most significant insurable risk, placing it ahead of all other identified threats, Aviva’s latest research into small and medium-sized enterprises (SMEs) has revealed.
The findings highlight a clear gap by size, with only 20% of micro businesses with fewer than 10 employees ranking cyber as their biggest risk, compared with more than 40% across all other SME size bands.
Appetite and confidence to address the issue also appear limited, with 25% of SME decision makers naming IT and cyber security as the task they dislike the most.
Beyond cyber, SMEs pointed to a cluster of operational and financial concerns, including business interruption (30%), reputational damage (27%), fraud (26%) and regulatory change (26%). Despite this, just 32% say they use a broker as a primary way of staying informed about regulatory or legislative developments, while 48% rely mainly on their own research.
Almost all respondents – 98% – stated that they are up to date on relevant regulatory and legislative requirements, suggesting a possible mismatch between perceived and actual understanding of compliance exposures.
Recent external research indicates that nearly three-quarters of UK SMEs have experienced at least one cyber incident in the past five years, yet more than 60% still do not hold standalone cyber insurance.
Caspar Stops (pictured above), cyber underwriting manager at Aviva, said: “Cyberattacks on UK businesses are rising, with small firms increasingly targeted. While many companies are improving their own cyber defences, recent high-profile breaches often begin with vulnerabilities in third-party vendors or supply chains.”
Aviva’s internal data suggests that cyber exposure is not only a perceived risk but a growing source of claims. The insurer reported that the number of cyber claims it received from SMEs increased by 10% year on year, based on its own portfolio experience.
The average cost of an SME cyber insurance claim at Aviva stands at £40,000, with an average lifecycle of 300 days. The insurer said this underscores the importance of considering business interruption cover alongside standalone cyber protection, given the length of time it can take to investigate, remediate and recover from an incident.
The research also links cyber events to wider business interruption and reputational concerns, with 30% of SMEs citing business interruption and 27% citing reputational damage as top risks.
Cyber incidents can force temporary, or in some cases permanent, closure, affecting a firm’s ability to trade and potentially altering customer perceptions if service outages are prolonged or poorly managed.
Stops said that as operations become more digital and interconnected, it can be difficult for SMEs to monitor security beyond their immediate systems and vendors.
“Attackers don’t care about size, they seek opportunity - meaning that unprepared organisations, regardless of size - are most at risk. Brokers have a unique opportunity to help smaller firms become more engaged and resilient," he said.
