Key Trends in the Small Business Cyber Insurance Market

Small businesses are the backbone of an economy increasingly reliant on digital infrastructure. However, this digitization creates significant cyber risks, with small businesses frequently targeted by threat actors globally. A 2023 study revealed that 43% of all cyber attacks targeted small businesses. Despite the growing number of cyber threats, only 14% of small businesses had comprehensive measures in place to prevent breaches.1

Consequently, cyber insurance has emerged as a critical tool for small- and medium-sized businesses; 72% of these businesses without cyber insurance believe that a major attack could destroy their operations.2

Common cyber threats

In recent years, ransomware attacks have risen in prevalence. In these attacks, cybercriminals gain entry to a database, encrypt business-critical data and hold it for ransom. For small businesses, such attacks can result in a loss of highly valuable time, money and customer trust.

A mode of social engineering, phishing remains a common method of cyber attack. Here, cybercriminals employ deceptive emails or messages to trick employees into entering confidential information such as financial details or passwords.

Another major threat is data breaches, which occur when an attacker gains unauthorized access to customer or business information. Such breaches can lead to fines and legal liabilities.

Shifting cyber insurance trends for small businesses

Increased demand for coverage as rates remain flat

The frequency and severity of data breaches and the increasing awareness among small business owners have caused a surge in demand for cyber insurance. Stricter regulatory requirements and the increasing addition of state-of-the-art technologies to the workplace mean small business entrepreneurs recognize that having adequate cyber insurance can help mitigate financial losses and provide peace of mind.

Interestingly, despite the increase in high-profile cybercrimes and growing exposure to further threats, cyber insurance rates have remained flat or decreased, due to a competitive market. This news is great for small businesses looking for affordable coverage options.

Greater need for custom coverage

Affordable insurance rates are essential, but even more crucial today is tailoring risk-transfer products and services to each small business's requirements. As a result, insurers are moving away from a one-size-fits-all approach. Instead, they're offering policies targeted to meet the needs and risks of different industries.

For instance, a small business healthcare provider can get access to cybersecurity insurance that covers Health Insurance Portability and Accountability Act (HIPAA) violations and patient data breaches, or a hotel can acquire coverage for data breaches involving guest information or reservation system hacks.

Assessing a small business's risk profile

Insurers evaluate the risk profiles of small businesses through a combination of assessment tests and advanced tools. Technologies such as analytics and artificial intelligence (AI)-powered tools are critical in safeguarding a small business from cybercriminals.

Through a series of steps such as vulnerability scanning, behavioral analytics, cybersecurity frameworks assessment and stress testing, insurers can:

  • Assess IT systems and access controls, to identify weaknesses in the business's cybersecurity framework.
  • Evaluate the frequency of employees' cybersecurity training, their phishing susceptibility and incident response readiness.
  • Organize simulated attacks and find vulnerabilities in the systems.
  • Conduct a third-party risk assessment and check policies for vendor risk management and other critical supply chain vulnerabilities.
  • Gauge the use of technologies such as AI, cloud security and Internet of Things (IoT) device management.
  • Study historical data and claims history and find persistent vulnerabilities.

Integrating cybersecurity insurance with risk management

Insurers are increasingly combining cyber insurance with risk management strategies to optimize a business's cyber defense. This optimization includes:

  • Proactively assessing risk and evaluating the IT infrastructure, as well as identifying vulnerabilities, to enable tailoring insurance policies to cover industry-specific risks.
  • Integrating incident response services such as forensic experts or public relations teams into cyber insurance policies to minimize damage.
  • Rewarding businesses that implement robust cybersecurity strategies with lower premiums or broader coverage.
  • Transferring residual risks that cannot be mitigated internally by the small business, leaving them to focus on their core operations while guaranteeing financial protection in case of any breach.

The combination of insurance and risk management can strengthen a small business's cybersecurity profile, maximizing long-term resilience.

Future outlook

As cyber threats evolve and become even more sophisticated, the frequency and severity of claims will determine when rates climb again. The timing also depends on changes across the regulatory landscape, businesses' resilience and the standards of the established cybersecurity framework.

Emerging risks in cyberspace

Generative AI

Bringing generative AI into operations, as part of the broader ongoing digitalization of business, introduces a set of risks for small businesses, including:

  • Concerns over the privacy of the data collected and stored by the AI systems.
  • Discrimination lawsuits if the algorithm that drives the AI tools unintentionally discriminates against certain groups.
  • AI-powered cyber attacks, including sophisticated phishing and other social engineering. For instance, deepfakes impersonating employees can trick victims into transferring funds or divulging confidential data.

Policy uncertainty

The insurance industry has yet to establish clear guidelines on AI-related claims. Consequently, a lack of clarity in insurance policies persists, with many opting to remain silent on AI exposure. But as the number of AI-related claims rises, insurance carriers could modify policy language to provide affirmative coverage of these risks or introduce exclusions to limit liability.

Key exposures

The critical areas of exposure for small businesses include:

  • Data breaches, leading to the theft of sensitive customer or employee data.
  • An attack on the digital supply chain or on third-party vendors, causing major disruptions to operations. Such events can be particularly devastating for businesses forming critical infrastructure, such as those in healthcare.

Customized coverage is the way forward

With the growing complexities and frequency of cyber attacks, cyber insurance has become a cornerstone of risk management for small businesses. Be it safeguarding against data breaches or phishing attempts, having in place a comprehensive cyber insurance policy crafted according to your specific needs provides the financial security and freedom to focus on core operations.

However, navigating the complex insurance market may be daunting, particularly as the cyber landscape is continually shifting. Gallagher can help you find the coverage options that best suit your small business's needs. Our experts are ready to help you understand the tools you require and find the cyber protection plan that meets your unique needs.


Sources

1. Dal Cin, Paolo, et al. "State of Cybersecurity Resilience 2023," Accenture, 12 Jun 2023.

2. "Report on the Cyber Insurance Market," NAIC, 15 Oct 2024. PDF file.