The gap between awareness of cyber risk and actual cyber insurance take-up among small businesses in the US is one of the most significant challenges in the sector today. While more owners recognize the threat posed by digital attacks, many still believe they are too small to be targeted and often balk at paying for protection.
This disconnect presents a key opportunity for agents and brokers, said James Hajjar (pictured), chief product and risk officer – portfolio risk solutions at Hartford Steam Boiler (HSB). HSB recently launched a suite of cyber coverage specifically for small and micro enterprises, reflecting a strategic push to bridge that gap.
“The consumer is getting more mindful of cyber risk,” Hajjar told Insurance Business. “We find about 45% to 50% of small businesses understand the threats out there. But at the same time, around half of those same consumers think their businesses are too small to be attacked. That’s a really big divide: they understand that cyber risk exists, but not that it could affect them.”
One of the biggest hurdles in selling cyber coverage is still psychological. Many small business owners think that without massive data sets or advanced systems, they won’t be targets. But Hajjar argued that logic is flawed.
“Cyber criminals aren’t necessarily coming after you; they’re coming after vulnerabilities,” he said. “And because small businesses are less sophisticated, they’re often more vulnerable.”
That’s where agent messaging can make or break a sale. HSB has found that storytelling, not technical jargon, helps overcome that mental barrier. Real stories of small business owners who’ve been defrauded by email, a phone call, or another low-tech method to move the needle during client conversations.
“Simple storytelling is the most powerful tool,” said Hajjar. “With AI and other technologies, you can impersonate someone’s voice or even a video. Some of these things, I look at them and say, ‘Wow, I could have fallen for that one.’ So those stories of other small business owners can really resonate.”
Another key barrier is cost. Cyber policies are sometimes seen as a “nice to have” rather than a must-have, particularly by businesses operating on razor-thin margins. Hajjar suggested that framing the value of prevention services included with policies can help.
Many cyber policies now include value-added tools such as dark web monitoring, vulnerability scanning, and breach response planning. This forward-looking value proposition may resonate more strongly than the traditional pay-if-it-breaks model.
HSB’s cyber suite, for instance, includes tools that actively scan client websites for vulnerabilities, alerting them before an attack occurs. The platform also provides ransomware prevention as a service, which includes dark web monitoring for compromised credentials.
“We’re trying to predict and prevent, not just repair and replace,” Hajjar said. “In fact, some of these services have as much or even more value than the coverage itself.”
For price-sensitive clients, introducing basic cyber policies could serve as entry-level protection, as some carriers offer tailored solutions at more accessible price points.
The nature of cyber risk is that it keeps changing. “If you asked me six or seven years ago, I’d say data breaches were the main concern,” Hajjar said. “Then came ransomware. Now, fraud is the leading source of loss, such as phishing campaigns that target employees directly.”
While ransomware activity dipped in 2023, HSB is seeing signs of resurgence. It’s part of the reason the company continues to evolve its cyber product suite, integrating new threat intelligence and services with each release.
What’s one thing agents and brokers working with SMEs should know? For Hajjar, it’s that cyber insurance is becoming a mainstream necessity, not a niche product.
“Every business has vulnerabilities, regardless of size,” he said. “If you’re a small business and you lose access to your computer systems – your POS, your customer list, your CRM – you’ll have a tough time operating.”
