Is cyber insurance ready for SMEs?

Panellists say the market is complex and costly – but not unreasonable

Tom Allen
clock • 2 min read
Is cyber insurance ready for SMEs?

The cyber insurance market is a very new one, still finding its sweet spot in terms of both target market and price. That adds a lot of confusion around what is on offer, what is covered and what a pay-out will look like – and that keeps IT leaders away from investing.

Cyber insurers today largely serve enterprise-scale firms. Their services are open to SMEs, but - said John Stenton, Head of Information Technology at Thrive Homes and a panellist at Computing's Cybersecurity Festival this month - "maybe they just don't know they can get help."

IT budgets have climbed in the last two years, but at the same time the climbing rate of cyber-attacks has sent the price of cyber insurance soaring nearly 400%, as insurers look for a sweet spot in risk versus revenue.

And it's not only the price keeping SMEs away; some delegates thought the demands insurers make are overly burdensome for small businesses, in terms of both requirements to be in place and information to be shared before a policy is issued.

Mudassar Ulhaq, CIO at Waverton Investment Management, advised bringing in people from around the organisation to help IT leaders read through exhaustive policies, like legal and security teams. "Having additional support can help in making that decision," he said.

Nick Rosser, Head of Information Technology at Saunderson House, said certain industries - like his own, financial services - face regulatory demands that mean "you may already have a number of pieces of the jigsaw in place." However, some organisations that don't have those demands or executive level support for cybersecurity have to take "a much larger leap" to meet insurers' requirements.

There are ways for everyone to lower their risk and demonstrate some readiness, though. Complying with ISO27001 and completing the NCSC's Cyber Essentials certification, for example, can lower premiums and attract new insurers - "but if you have a very low level of security maturity, you're going to pay for that."

However, Rosser warned against insurance driving a security maturity strategy. That should be guided by what is right for the business, not the insurer.

Despite higher-than-expected complexity and rising costs, neither Stenton, Ulhaq or Rosser thought that insurers were excluding SMEs from the insurance space.

"We're an SME, about 250 people," said Rosser. "It comes back down to what your exec team is prepared to invest in. They're not the cheapest contracts and you need to understand what your business needs.

"It may also come down to insurers building the market right now by focusing on enterprise firms, and when economies of scale come in they will expand. Cyber insurance is still a very new market, but that doesn't mean it's not accessible if [SMEs] want to go shopping."

Stenton agreed, adding that he has taken out multiple insurance contracts and has never felt "excluded on complexity."

"There will be more products for SMEs, but it will take time for the market to mature. The massive explosion in cybercrime is really scaring insurers now, they don't know which way to turn and that's why premiums have gone up so much, but things will settle down."

You may also like
'Really frightening': IT leaders on cybersecurity in the age of AI

Security

'How do you work out what's real and what's not real?'

clock 10 October 2023 • 3 min read
The changing face of shadow IT

Security

Cloud, smartphones and the pandemic. How to maintain control over proliferating devices and services?

clock 17 May 2023 • 4 min read
Cyber no longer attractive for insurers, and public sector can't afford it: Cybersecurity Festival

Security

Prices have spiked – but the pendulum will swing back, said panellists

clock 12 May 2023 • 3 min read

More on Management

Peter Cochrane: A tragedy of management hubris?

Peter Cochrane: A tragedy of management hubris?

A proliferation of MBAs can hinder more than help

Professor Peter Cochrane
clock 01 February 2024 • 3 min read
How to secure investment - and keep it: CTO Kingsley Hibbert

How to secure investment - and keep it: CTO Kingsley Hibbert

'The touch point for me is always the customer’

Tom Allen
clock 20 November 2023 • 4 min read
'Your real challenge is not tech': The modern leader's approach

'Your real challenge is not tech': The modern leader's approach

Stop thinking through a technical lens, says CTO Kingsley Hibbert

Tom Allen
clock 14 November 2023 • 3 min read