Is cyber insurance ready for SMEs?

Panellists say the market is complex and costly – but not unreasonable

Tom Allen

The cyber insurance market is a very new one, still finding its sweet spot in terms of both target market and price. That adds a lot of confusion around what is on offer, what is covered and what a pay-out will look like – and that keeps IT leaders away from investing.

Cyber insurers today largely serve enterprise-scale firms. Their services are open to SMEs, but - said John Stenton, Head of Information Technology at Thrive Homes and a panellist at Computing's Cybersecurity Festival this month - "maybe they just don't know they can get help."

IT budgets have climbed in the last two years, but at the same time the rising rate of cyber-attacks has sent the price of cyber insurance soaring nearly 400%, as insurers look for a sweet spot in risk versus revenue.

And it's not only the price keeping SMEs away; some delegates thought the demands insurers make are overly burdensome for small businesses, in terms of both requirements to be in place and information to be shared before a policy is issued.

Mudassar Ulhaq, CIO at Waverton Investment Management, advised bringing in people from around the organisation, like legal and security teams, to help IT leaders read through exhaustive policies. "Having additional support can help in making that decision," he said.

Nick Rosser, Head of Information Technology at Saunderson House, said certain industries - like his own, financial services - face regulatory demands that mean "you may already have a number of pieces of the jigsaw in place." However, some organisations that don't have those demands or executive level support for cybersecurity have to take "a much larger leap" to meet insurers' requirements.

There are ways for everyone to lower their risk and demonstrate some readiness, though. Complying with ISO27001 and completing the NCSC's Cyber Essentials certification, for example, can lower premiums and attract new insurers - "but if you have a very low level of security maturity, you're going to pay for that."

However, Rosser warned against insurance driving a security maturity strategy. That should be guided by what is right for the business, not the insurer.

Despite higher-than-expected complexity and rising costs, none of Stenton, Ulhaq or Rosser thought that insurers were excluding SMEs from the insurance space.

"We're an SME, about 250 people," said Rosser. "It comes back down to what your exec team is prepared to invest in. They're not the cheapest contracts and you need to understand what your business needs.

"It may also come down to insurers building the market right now by focusing on enterprise firms, and when economies of scale come in they will expand. Cyber insurance is still a very new market, but that doesn't mean it's not accessible if [SMEs] want to go shopping."

Stenton agreed, adding that he has taken out multiple insurance contracts and has never felt "excluded on complexity."

"There will be more products for SMEs, but it will take time for the market to mature. The massive explosion in cybercrime is really scaring insurers now, they don't know which way to turn and that's why premiums have gone up so much, but things will settle down."
