Cyber insurers focus on SMEs as policies cover firms under $10m

SMEs account for more than 80% of all cyber policies.

Cyber liability coverage is primarily targeting small-to-midsize enterprises (SMEs), with most policies covering businesses with less than $10m in annual revenue, according to AM Best.

The survey, which gathered responses from nearly 70% of the world's 60 largest cyber insurers (representing around $8b in premiums) emphasised the significant exposure these smaller firms bring to the insurance market.

Whilst large companies are often the primary targets of cyberattacks due to their vast wealth and data stores, SMEs account for more than 80% of all cyber policies. 

Ransomware remains the most common type of claim, often involving quick payouts to threat actors. 

More than half of the reported claims were for "incident response," including ransomware attacks and business email compromise. 

Whilst some businesses have managed to avoid paying ransoms, those that do not often face higher losses from business interruptions than from the ransom itself.  

According to AM Best's analysis, business interruption claims are more costly than incident response claims on a per-claim basis, accounting for 25% of total net incurred losses compared to 14% for incident response. 

Christopher Graham, senior industry research analyst at AM Best, warned that the systemic nature of cyber risk demands careful attention to aggregate exposure, especially as SMEs increasingly depend on shared cloud and service platforms.