Zywave FPN

Zywave Risk Manager Front Page News - Wednesday, November 19, 2025

   
Small businesses can't afford to ignore cyber risk any longer

By Madison Williamson, At-Bay

The cybersecurity landscape for small and medium businesses (SMBs) has fundamentally changed. For insurance professionals, this evolution demands a shift from policy placement to guiding clients toward comprehensive cyber resilience.

Today, SMBs are more than twice as likely to suffer a cyberattack as a fire, and they spend up to four times more on recovery[1]. Cyber insurance, once “nice-to-have” coverage for this segment, is now essential. However, the gap between SMB cyber risk and protection continues to widen, threatening not just individual businesses but entire supply chains.

Cyber insurers stand in a unique position to bridge this gap by providing comprehensive security products and services with their policies, but only if providers – and their broker partners – effectively communicate the value to insureds, who are expressing increasing “demand for preemptive insurance policies and products to mitigate risks ahead of incidents” according to an executive from Aon.

The growing gap between SMB risk and protection

The notion that “no one’s targeting the flower shop on Main Street” no longer holds. In 2024, At-Bay observed a 46% increase in ransomware claim frequency and a 47% increase in severity among companies with $25-$100M in revenue. Technology advances have made SMBs attractive targets: Ransomware-as-a-service (RaaS) and automated attack tools mean targeting SMBs is feasible and profitable, while AI has eliminated traditional email fraud indicators like misspellings.

Modern business operations compound this risk. SMBs are being forced into the digital world, relying on online commerce, remote access, and email connectivity – each of which creates entry points requiring security measures that many simply aren’t aware of.

Many SMBs turn to managed service providers (MSPs) to outsource cybersecurity expertise, but this creates a false sense of security: Businesses believe they’ve mitigated risk but may have simply transferred it without oversight. In fact, 50% of At-Bay’s top 20 cyber claims involved an MSP[2].

Software development practices further complicate matters. The tech industry’s focus on rapid deployment often prioritizes speed over security – and on top of that, security tools only work if they’re properly configured. Verizon’s 2024 Data Breach Investigations Report reported misconfigurations among the fastest-growing causes of breaches. Finally, there’s the issue of vulnerability management. There were a total of 40,303 Common Vulnerabilities and Exposures (CVEs) disclosed in 2024 – a 38% increase over the prior year.

Robust insurance coverage is paramount

The financial impact of cyber incidents on SMBs is often catastrophic. According to the WSJ, a forthcoming MasterCard report reveals that nearly half of small businesses have experienced a cyberattack, and nearly one in five that experienced an attack then filed for bankruptcy or closed.

Unlike large enterprises, smaller businesses often lack the resilience to survive such disruptions. And, in today’s competitive landscape, customers have more alternatives than ever. A wholesale distributor offline for three weeks may be replaced by competitors who remain operational. Business continuity is now critical for survival.

To provide SMBs with the protection they need, insurers must resist competing solely on price by reducing coverage options. While lower sublimits may make policies more affordable, they often fail to provide adequate protection. With ransomware claims among SMBs averaging almost $500K, offering significantly lower sublimits can leave businesses vulnerable to serious financial harm.

Insurance providers can bridge the security gap

The challenge of SMB security lies not just in having the right technology, but also in having the expertise to bridge the gap between business operations and cybersecurity requirements. Cyber insurers have a unique opportunity – and responsibility – to be that bridge. The cyber insurance industry’s reliance on underwriting requirements to encourage better security practices has proven effective in improving some risks among this segment, but more needs to be done.

Insurers see where losses are most frequent and severe and know the controls and tools that can help prevent them. Forward-thinking cyber insurers are beginning to offer comprehensive security services that go beyond loss prevention as part of their coverage – representing a shift toward true partnership in risk management. For the annual cost of their cyber insurance policy, businesses can access security assessments, vulnerability notifications, and expert guidance, which would otherwise cost thousands on top of insurance costs.

However, the insurance industry must do more to communicate this value. Too many businesses treat cyber insurance as a passive product, purchasing and forgetting it until a claim occurs. By taking these controls and recommendations seriously, businesses can improve their security and avoid a costly attack that is likely to do more damage than the cost of investing in prevention up front.

A new approach to SMB risk creates opportunities for brokers

The path forward requires a shift in the insurance industry’s approach from risk transfer to active partnership. For brokers, this evolution creates both opportunities and responsibilities. Specialty brokers can differentiate themselves by understanding available security services and helping clients maximize their coverage. Retail brokers must then educate their clients about the true nature of cyber risk and the importance of engaging with available resources.

This obviously sounds easier than it is, as brokers continue to balance the cost and benefits of niche expertise with the overarching responsibility of guiding their insureds, but brokers can partner with carriers for training and resources. Demystifying cybersecurity is the key, and the next step is setting up SMBs to stand a chance against what can feel like an insurmountable challenge. In a landscape where the validity of every source requires verification, the insurance ecosystem can continue to support businesses, as it has done since its inception, by taking on this new challenge and partnering with groups invested in solving what may become a cybersecurity crisis for SMBs.

The stakes are too high for anything less than a comprehensive approach, yet cybersecurity often feels like a foreign language to business owners. SMBs form the backbone of the economy, and their cyber resilience affects entire supply chains and communities. By providing not just coverage but genuine protection, the insurance industry can better serve clients and contribute to a more secure and resilient business ecosystem.

Madison Williamson is Head of SMB Product, Cyber & Tech at At-Bay. She can be contacted on LinkedIn.


[1] Based on At-Bay analysis of At-Bay 2023 claims from over 30K unique policies, and U.S. fire frequency statistics from SMB 2015 claims study from The Hartford, latest available report

[2] At-Bay 2024 claims data
