Mike Puglia, General Manager, Security Products, Kaseya, makes the case for why SMEs should consider cyber insurance as an additional key tool in the battle against increasing cyber attacks.
UK SMEs have had plenty on their plate in 2024. While Brexit and COVID-19 are no longer the headline issues, businesses face several ongoing challenges: attracting and retaining talent, keeping pace with rapid technological changes, and adapting to a new government landscape.
If the past decade has shown SMEs anything, it’s that even in quieter periods, change is inevitable. Today, staying ahead of the curve is crucial, and those who don’t will quickly fall behind.
Nowhere is this more evident than in cybersecurity. Once primarily the concern of large enterprises, it has become a critical area of focus for SMEs that are now facing the full force of a rapidly evolving threat landscape.
According to the UK government’s latest Cybersecurity Breaches Survey, 70% of medium businesses experienced breaches or attacks in the 12 months ending April 2024.
This statistic is alarming on its own, but when coupled with the potential impacts of such breaches, it raises serious concern: IBM’s latest Cost of a Data Breach Report for 2024 reveals that data breaches cost UK businesses an average of £3.58 million, making the UK the seventh most costly country for data breaches in the world.
With both the volume of attacks on SMEs and the associated financial implications rising, such enterprises find themselves in a precarious position.
While larger enterprises might be able to withstand a loss of several million pounds, SMEs aren’t typically in such a luxurious position. Indeed, a single data breach could be catastrophic, potentially driving an SME out of business altogether.
The case for cyber insurance
Such is the extent of the threat that the Information Commissioner’s Office (ICO) is actively “calling on all SMEs to take simple steps to boost their cyber security and protect the personal information they hold, amid the growing threat of cyber attacks”.
Such advice is being issued for good reason. With the rising frequency and impact of cyber attacks, it’s only a matter of time before unprepared firms become victims. Therefore, it’s vital for SMEs to get ahead of the game, working to adopt the necessary measures to mitigate potentially devastating impacts.
The key lies in developing a multi-layered security strategy that enhances protection and improves resilience across the board, addressing everything from misconfigurations and human error to unpatched vulnerabilities, weak policies and security awareness.
Indeed, firms must not rely too strongly on any single aspect. It can be enticing to focus on prevention, working to keep threat actors out in the first instance. However, increasingly sophisticated cybercriminal gangs are continuously finding new loopholes and backdoors to enter and exploit. Similarly, others may focus on remediation and recovery, but these aren’t always 100% effective at identifying an attack and limiting its damage quickly enough.
The point is, SMEs must be prepared for the worst. Even those with the most robust defences should expect to fall victim to attacks and prepare with ‘if-all-else-fails’ measures.
In working to strike the optimal balance, cyber insurance is an additional key tool that should be considered. Indeed, unlike other security-centric preventative or remediation measures, cyber insurance offers financial protection.
It works much like insurance for your business premises would. If a fire occurs, insurance covers rebuilding costs and staff salaries during downtime. Similarly, cyber insurance provides the financial support needed if ransomware or another cyber attack takes your company offline. In the event of a breach, you’ll need incident response, digital forensics, and recovery services – all of which are costly.
So, to prevent the potential financial implications of an attack from crippling your company, cyber insurance is another increasingly important measure.
Assessing the current gap in policy uptake
Unfortunately, despite the key role that it can play in protecting firms, many SMEs still haven’t secured cyber insurance. Indeed, according to research from Aviva, less than one in five (17%) small businesses have a cyber insurance policy.
This is concerning, yet it is a gap that has become difficult to bridge.
First, cyber insurance has become increasingly expensive. Indeed, insurers have raised rates to stabilise the market as claims have surged. Swiss Re now expects premiums to grow to roughly £18 billion by 2025 – up from less than £4 million in 2019.
In any case, given the sizeable sums that can be incurred from breaches, more expensive cyber insurance may seem like a viable cost to stomach for those firms looking to protect themselves holistically. However, cost isn’t the only hurdle.
Over the years, cyber insurance policies have evolved from simple checklists to complex questionnaires. Now, most policies will require the use of endpoint detection and response (EDR) and security awareness training, as well as adherence to cybersecurity frameworks such as NIST, CMMC, or CIS.
It’s a step that insurers have had to take to level out rapidly rising claims, yet for SMEs, it adds another burden of establishing all these various controls before cyber insurance even becomes attainable.
Further, these issues are not helped by the challenge of skills shortages. Naturally, SMEs often lack the in-house security expertise to identify and implement all the necessary solutions with precise configurations that meet the exacting demands and eligibility criteria of the policies. Yet such skills are becoming vitally important to obtain.
Insurance underwriters are becoming increasingly stringent on claim payments and will often require proof that mandated tools were in place at the time of the attack, such as EDR and security awareness training. To overcome this issue and ensure claims are covered, maintaining compliance evidence is of the utmost importance. However, without the right skillsets, achieving this is easier said than done.
Working with an MSP to improve eligibility
If the past is prologue, then we can conclude that cyber liability insurance policies are only going to become more complex and convoluted.
So, what’s the solution? How can SMEs navigate these complexities, bridge the current cyber insurance gap that exists, and become financially protected in the face of a rapidly evolving threat landscape?
For those enterprises that lack the resources of larger firms, seeking the services of external specialists like managed security service providers (MSSPs) can be invaluable.
Critically, many MSSPs offer 24/7 cybersecurity services from advanced security operations centres (SOCs). Using tools such as Security Information and Event Management (SIEM), MSSPs monitor and analyse data from their clients’ IT infrastructure to prevent, identify, and mitigate threats.
Leveraging their expertise in threat management, security frameworks, and relevant solutions, MSSPs can build essential defences that enable enterprises to meet cyber insurers’ eligibility criteria while delivering added value. For example, during this process, MSSPs will be able to help identify protection gaps and enhance overall security, reducing the likelihood of attacks or breaches occurring and therefore the need to ever call on cyber insurance in the first place.
From ensuring regulatory compliance and helping prevent attacks to expediting recovery and providing additional layers of defences to mitigate cyber impacts, the value that MSSPs offer extends far beyond simply aligning with cybersecurity criteria.
In the modern age, it’s support that SMEs should embrace as a priority, leveraging the right expertise to develop a relevant multi-layered security strategy that provides comprehensive security and financial resilience in the face of evolving threats.