Cyber insurance trails as only 10% of SMEs buy cover

Amongst the worst attacks, average losses in the top 10% of events topped $28m in 2024.

Cyber insurance remains underutilised, the Geneva Association warns, as estimates suggest only around 10% of small and medium-sized enterprises (SMEs) globally have cyber insurance – and in some countries it could be much lower, especially amongst the very smallest firms.

Even so, the cover appears to be paying out: one study cited found 92% of potentially covered cyber losses fell within insurance coverage, and for SMEs, average payouts covered close to 70% of incident costs, according the report by Darren Pain, Director of Research at Geneva Association, and Sasha Romanosky, Senior Policy Researcher at RAND.

The median annual loss from a cybersecurity breach has climbed 15-fold over the past 15 years, from $190,000 to nearly $3m. 

Amongst the biggest incidents, average losses in the top 10% of events rose to more than $28m in 2024.

It says cyber insurance is now doing more than risk transfer. Insurers are setting baseline security requirements, offering monitoring and alerts, and helping cover expert response costs when incidents happen.

The report says cyber insurance is also shaping behaviour. It cites a 2024 survey showing 76% of companies increased cybersecurity spending to qualify for cover. 

But it adds that insurers still face limits, including difficulty pricing risk accurately, low awareness of policy support services, and uncertainty over losses from major cyber events.