When a cyberattack paralyses a small business, many don’t call their broker. They call their bank. The instinct feels rational: protect liquidity, stabilise cash flow and buy time. But as ransomware and invoice fraud continue to hit UK SMEs, reliance on post-incident borrowing is emerging as a fragile recovery strategy.
For Tom Draper (pictured), head of the UK division at Coalition Inc., the issue is not mistrust of insurance. It is misdiagnosis. “It’s not natural for them to say, ‘I wonder if I can get insurance for this,’” he said. “They’re not viewing it as a risk they own.”
Many SMEs, Draper said, still displace responsibility for cyber risk, pushing it either to internal IT teams or outsourced providers with strong credentials. In doing so, they separate the technical management of cyber from its financial consequences.
When an incident occurs, that framing drives behaviour. Businesses tend to treat ransomware or funds transfer fraud as an operational disruption rather than a balance-sheet shock. They focus on cash flow first, and often assume debt will provide a bridge.
The problem, Draper said, is how lenders respond once the cause becomes clear. “When you go to them and say, ‘I’m suffering a ransomware attack,’ their next question is, ‘Is that going to have an impact on the business?’ When the answer is yes, they may decide not to give you a loan.”
The collapse of Knights of Old in 2023 illustrates how quickly options can narrow. After a major cyberattack left the company unable to access critical financial data, additional funding required personal guarantees from directors. They declined, and the business entered administration.
Draper said turning to debt is an understandable reaction focused on protecting cash flow. “But I think the reality, when an incident hits, is that it doesn’t stand up.”
In a cyber event, revenue can stop overnight. Payments may be misdirected. Financial systems can become inaccessible. “In a cyber incident, you might have no revenue at that point, or you’ve lost funds,” he said. “How are you going to get the increased loan when you have no funds?”
Debt assumes stability, but a cyber incident often removes it.
High-profile attacks on brands such as Marks & Spencer, Co-op and Jaguar Land Rover dominate headlines, reinforcing what Draper described as a misleading perception. “That kind of feeds the narrative that this is a large company problem,” he said.
“In fact, in 2025, more UK companies with fewer than 10 employees suffered a ransomware attack than companies with more than 10,000 employees. The data supports that.”
Among micro-SMEs, reliance on technology is so embedded that it rarely feels like a discrete exposure. Business owners do not view running operations from a smartphone or cloud platform as something insurable, until it fails.
Draper argued that the wider market must do more to quantify cyber exposure for SMEs. “One of the biggest challenges the market has had is demonstrating what a loss would look like for most firms, which is surprising, because we are the people who should know that,” he said.
Insurers, he added, are uniquely positioned to translate technical risk into financial consequence. “Unlike anybody else in the security ecosystem, the insurance market is the one that can say, ‘If you have this concern, if you run this technology, here is what a claim would look like.’ We know that because we’ve paid thousands of losses that operated in these spaces.”
Providing clearer financial modelling at quotation stage, he argued, helps businesses understand the scale of potential impact, even if they ultimately choose lower limits.
The comparison, he suggested, is ultimately about realism. If cyber is treated as a liquidity problem to be solved with borrowing, businesses must consider how large that loan would need to be, and how quickly it would be approved. “And that number is quite a big number to try to get a loan for at very short notice,” he said.
The issue, Draper argued, is less about distrust of insurance and more about misplaced confidence in post-incident finance. For brokers, the task may be less about selling cyber as an add-on and more about reframing it as immediate balance-sheet protection.
