Is cyber insurance ready for SMEs?
Panellists say the market is complex and costly – but not unreasonable
The cyber insurance market is a very new one, still finding its sweet spot in terms of both target market and price. That adds a lot of confusion around what is on offer, what is covered and what a pay-out will look like – and that keeps IT leaders away from investing.
Cyber insurers today largely serve enterprise-scale firms. Their services are open to SMEs, but - said John Stenton, Head of Information Technology at Thrive Homes and a panellist at Computing's Cybersecurity Festival this month - "maybe they just don't know they can get help."
IT budgets have climbed in the last two years, but at the same time the rising rate of cyber-attacks has sent the price of cyber insurance soaring nearly 400%, as insurers look for a sweet spot in risk versus revenue.
And it's not only the price keeping SMEs away; some delegates thought the demands insurers make are overly burdensome for small businesses, in terms of both requirements to be in place and information to be shared before a policy is issued.
Mudassar Ulhaq, CIO at Waverton Investment Management, advised bringing in people from around the organisation, like legal and security teams, to help IT leaders read through exhaustive policies. "Having additional support can help in making that decision," he said.
Nick Rosser, Head of Information Technology at Saunderson House, said certain industries - like his own, financial services - face regulatory demands that mean "you may already have a number of pieces of the jigsaw in place." However, some organisations that don't have those demands or executive-level support for cybersecurity have to take "a much larger leap" to meet insurers' requirements.
There are ways for everyone to lower their risk and demonstrate some readiness, though. Complying with ISO 27001 and completing the NCSC's Cyber Essentials certification, for example, can lower premiums and attract new insurers - "but if you have a very low level of security maturity, you're going to pay for that."
However, Rosser warned against insurance driving a security maturity strategy. That should be guided by what is right for the business, not the insurer.
Despite higher-than-expected complexity and rising costs, none of Stenton, Ulhaq or Rosser thought that insurers were excluding SMEs from the insurance space.
"We're an SME, about 250 people," said Rosser. "It comes back down to what your exec team is prepared to invest in. They're not the cheapest contracts and you need to understand what your business needs.
"It may also come down to insurers building the market right now by focusing on enterprise firms, and when economies of scale come in they will expand. Cyber insurance is still a very new market, but that doesn't mean it's not accessible if [SMEs] want to go shopping."
Stenton agreed, adding that he has taken out multiple insurance contracts and has never felt "excluded on complexity."
"There will be more products for SMEs, but it will take time for the market to mature. The massive explosion in cybercrime is really scaring insurers now, they don't know which way to turn and that's why premiums have gone up so much, but things will settle down."