Skip to Main Content

SME cyber insurance gap is a risk too big to ignore

Markel’s Josh Brown and Rachel Nestor unpick the nature and frequency of today's cyber attacks against SMEs, future threats on the horizon, plus what steps can be taken to mitigate business interruption.


By Josh Brown and Rachel Nestor

Originally published in Insurance Post, January 2026:
SME cyber insurance gap is a risk too big to ignore

7-minute read

The Amazon Web Services outage and prolific cyber-attacks against consumer brands last year have highlighted the continuing threat to high-profile businesses and the vulnerabilities that all types of companies are facing.

The Cyber Security Breaches Survey 2024 found that around half of businesses and a third of charities had experienced some form of cyber-attack in the last 12 months.

It also cited that a high proportion of medium-sized businesses (70%) were impacted by cyber-crime, while a subsequent report from the Association of British Insurers noted small and medium-sized enterprises (SMEs) are highly exposed to the risk of cyber-attacks.

Ransomware attacks proliferated during and after the Covid-19 pandemic and have continued their onslaught by targeting SMEs alongside larger organisations.

The prevalent use of AI to develop ransomware has made the latter more easily available, leading to more sophisticated ransomware and social engineering attacks.

A common attack ploy we’re seeing is through email compromise incidents where cyber criminals impersonate senior members of staff on phishing emails to trick company employees into transferring funds or revealing confidential information.

These scenarios were described in the FBI’s 2022 Congressional Report on BEC and Real Estate Wire Fraud as “one of the fastest growing, most financially damaging internet-enabled crimes”, while in the same breath, a recent CrowdStrike article has predicted that BEC incidents will rise, following the increase in remote working and the ubiquity of digital communication channels.

As the world becomes even more interconnected, many businesses increasingly rely on digital supply and vendor chains to operate.

During the start-up phase, SMEs are focused on their core business activities and so outsourcing IT is usually a quick and efficient way to get up and running as quickly as possible. However, this process carries a degree of risk.

Online booking systems for the hospitality sectors, payments and logistic systems for retail and common software solutions such as payroll or HR software are all examples of crucial vendors which, if attacked and disrupted, have the potential to cause catastrophic impact.

A recent report from Reversing Labs shows the security of software supply chains lags even as malicious actors score bigger wins targeting the commercial and open-source software running in homes, businesses and powering critical infrastructure. We expect this to continue, as cyber criminals become aware of the significant implications this can have across various sectors.

The AWS outage, albeit not a cyber-attack, was a large event that temporarily brought down many industries, including airlines, banks and social media platforms.

This scenario not only underlined the reliance on third-party vendors, but also the importance of system failure as a coverage consideration when purchasing cyber insurance.

Taking affirmative action

According to the previous ABI report, only 15% of SMEs and 10% of small businesses are believed to have cyber insurance cover in place to safeguard their operations against malicious threat actors – reinforcing the need for adequate protection.

A standard cyber insurance wording is likely to include cover for data and system rectification costs, privacy breach notification and mitigation costs, cyber privacy liability risks, business interruption (BI) risks and regulatory investigations.

Potential loss of business or customer funds through social engineering attacks are likely to be covered and we’re starting to see further extensions of cover for loss of stock and contingent bodily injury.

Additionally, cyber insurance solutions typically include access to round-the-clock IT support from cyber security specialists, PR support for issuing public and internal statements and specialist legal advice on regulatory and liability issues.

As well as insurance, organisations can enable multi-factor authentication across company systems, ensuring critical data and systems are backed up and stored away securely.

As the workplace becomes increasingly flexible and agile, companies will be more vulnerable to attacks targeted at unsecured end points in less secure environments.

Cyber criminals rely heavily on human error to gain access to an organisation’s systems and data. Improving employee awareness of common cyber-attack methods through regular training, simulated phishing exercises and drills can significantly help protect an organisation from cyber criminals.

SMEs should consider reviewing contracts with companies in their digital supply and vendor chain now, before a cyber incident occurs, as this can lead to discussions about what would happen should a member of the chain be compromised.

Businesses should be aware of potential remedies available from vendors (including the vendor’s own insurance arrangements), and any financial caps on recoveries available in their contracts.

Additionally, SMEs should ensure robust business continuity and incident response plans are in place and regularly tested. An offline or paper copy of contingency plans, including a list of key contact numbers, is essential.

According to a recent BBC report, one company was forced to resort to using pen and paper and fax machines to fulfil orders following a crippling cyber-attack.

Future cyber risks

Looking ahead, ransomware attacks will continue to be a significant risk, driven by the growth of ‘ransomware as a service’ (RaaS) software that’s removing the barriers to entry for cyber criminals.

Supply chain disruptions (such as the AWS outage) are likely to increase in frequency because of the rapid expansion of companies migrating to cloud services, which are exposing more organisations to the vulnerabilities inherent in cloud service architecture, including service interruption, downtime and data breaches.

Remote and hybrid working continues to pose challenges to companies trying to maintain their cyber security. As the workplace becomes increasingly flexible and agile, companies will be more vulnerable to attacks targeted at unsecured end points in less secure environments.

In addition to professional criminals, less sophisticated cyber criminals are leveraging RaaS solutions to carry out attacks, sometimes purely for the kudos of successfully hacking an organisation.

SMEs should also be cognisant of the potential implications of cyber-attacks for directors and officers.

Companies that suffer a breach and don’t have cyber insurance at their disposal could find themselves facing directors and officer liability claims from shareholders, investors or other stakeholders arguing that the directors should have been aware of this exposure and mitigated it via a risk transfer mechanism.

Cyber insurance has evolved from a ‘nice to have’ option to a business-critical expense, following the continual rise in cyber-crime, which is showing no signs of slowing down.

SMEs need to review their risk management protocols, so that they’re adequately covered and equipped to deal with breaches as and when they occur.

Josh Brown - headshot

Josh Brown

Head of Cyber
Rachel Nestor

Rachel Nestor

Claims Manager - Management & Transactional Liability, Cyber and TMT
  • Professional & Financial Risks and Cyber

Related content

  • The importance of proactive cyber risk management in an evolving threat landscape

    Rachel Nestor explores the recent surge in cyber attacks on major UK retailers, highlighting the need for robust supply chain management and tailored insurance solutions.

  • Markel launches InsurtechRisk+ product for insurtech businesses

    InsurtechRisk+ package contains four insuring clauses – insurance services and technology liability, directors and officers (D&O) liability, crime, and cyber liability and loss cover.

  • Navigating the fintech risk landscape

    Fintech investment faces challenges, but optimism remains for future growth and innovation.