The 99% left behind: a call for action towards SMEs

With micro, small and medium-sized enterprises (SMEs) making up 99.9 percent of the UK business population and the US business population, a significant portion of the commercial market remains without access to cyber insurance options.

Matt Cullina, head of global cyber insurance at TransUnion, spoke to Intelligent Insurer to shed light on the current lack of availability of cyber insurance tailored for small businesses around the globe. 

The question, he says, is how to collectively bridge this gap.

Cullina noted: “It has got to the point where brokers are trying to connect SME clients who do not have cyber insurance to incident response/breach response vendors directly in case they have a cyber event.”

This revelation highlights the pressing need for increased awareness and real SME cyber insurance options across the industry.

Heads in the sand

At the heart of the issue is a strong misconception about cyber risk among SME owners. “Many think it won’t happen to them, because they’re low risk and not a target, or they have other priorities,” Cullina explained.

“Mostly it’s because an event hasn’t happened to them yet—that they know about.”

This false sense of security can lead to devastating consequences should a cyber incident occur.

Cullina points out two different approaches SMEs have to cyber insurance. “There’s an awareness curve around risk, with some asking ‘what is cyber risk and what am I susceptible to?’.

“The other curve is those who are unaware of cyber insurance, who say ‘if I don’t know about it, I won’t buy it’.”

This highlights the importance of educating SMEs about the existence of cyber risks and the protective measures, like cyber insurance, available to them.

Too much focus on mid-to-large market

Cullina noted that there is also an issue with current industry focus.

“Most insurers in the cyber market focus all their attention on corporate business,” he said. 

“Cyber underwriters who write for mid-to-large businesses have been slower to pivot to SME markets. One possible reason is they view smaller cyber insurance endorsements as inadequate compared with standalone cyber offerings,” he added.

“Small cyber endorsements should be a part of any insurer’s business model.” Matt Cullina, TransUnion

He elaborated on the role of smaller cyber insurance endorsements, likening them to “training wheels” that can teach retail brokers to confidently sell cyber insurance to SMEs.

“Products with relatively low limits have more specific coverage than enterprise policies and are right-sized for the micro and small business markets,” he pointed out.

By integrating smaller endorsements into their offerings, insurers can gradually elevate the understanding and acceptance of cyber insurance among SMEs.

“The way we look at it, small cyber endorsements should be a part of any insurer’s business model. Offer everyone the small product, then segment your book between endorsements and standalone cyber products,” Cullina stated.

“Currently, it’s usually more divided than that, with large cyber writers on one side of the line and the cyber endorsement side on the other,” he admitted.

Little steps for greater cyber coverage

An ICMIF-commissioned survey conducted in 2023 on behalf of TransUnion revealed that 74 percent of the multiline P&C insurers surveyed were researching or had already launched a cyber endorsement.

The remaining 26 percent cited a lack of demand and in-house expertise as barriers.

For those without in-house expertise, the reinsurance market, together with companies such as TransUnion, is stepping in to fill the gap. 

“They’re offering support for insurers around development of right-fit cyber products for smaller markets—offering capacity to take the risk and respond to policyholders experiencing a cyber event,” Cullina explained.

Cullina’s view is that cyber should be a standard offering across all sizes of business.

“Everyone should have cyber insurance, but it’ll take a village to get there,” he said.

Despite its affordability and the increasing necessity for businesses, cyber insurance is still not a universal offering, although endorsements could play a pivotal role.

“Small businesses tend to be grateful when something like cyber insurance is included when they hadn’t anticipated that need,” Cullina observed.

Overlooking the SME market is no longer an option

“This isn’t a market to be ignored: small businesses are the vendors of large businesses and part of a larger ecosystem,” Cullina said.

“That means cyber insurance is becoming a prerequisite when you’re providing products and services to large corporations.”

As the landscape evolves, Cullina believes small businesses may eventually require standalone cyber products.

He explained how professional classes such as accountants, doctors, and lawyers were particularly at risk, given the sensitive nature of the data they handle.

“For retailers, the risk is likely to centre around credit versus medical or financial data,” he said. 

Juggling the risks

For insurers which offer both standalone and endorsement cyber products, balancing risk is crucial.

“Some enterprise-focused cyber insurers want to offset their risk by entering the SME market,” Cullina observed.

This strategy can lead to a more profitable overall cyber portfolio, balancing lower risk SME books with higher risk corporate cyber.

“With increased insurer focus on offering cyber insurance to SMEs, the cyber market will continue to grow at a fast rate, which should drive profitability as well,” he concluded.

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.