SMEs fall victim to online crime - yet many have no cyber insurance cover

Authored by Aviva

Our latest SME research found that more than a fifth (21%) of small and medium-sized enterprises (SMEs) have suffered a cyber incident or attack in the past 12 months, yet more than a third (34%) said they had no cyber insurance cover.

Major system failures or outages (8%), theft of funds or phishing (7%), malware infections (6%) and ransomware or extortion attempts (5%) were among the incidents described by businesses in the latest survey.

Half (50%) of SMEs said they were more reliant on digital systems than before the Covid-19 pandemic and 44% that they were reliant on cloud technology.

But the latest research found that just 8% had a specific stand-alone cyber security policy and that while many said they were covered through other insurance policies or their IT provider, 10% didn’t know if they had any cyber cover at all.

Although 59% thought that in the event of losing access to files and systems in a cyber attack they could be back to normal within a month, others estimated it could take far longer.

Asked how long it might take, 8% said a month or more, 6% said two months, 3% said three months, 2% said four months and 1% said five months or more. A further 22% said they didn’t know.

Those SMEs without cyber insurance were asked why they didn't have it, with 38% saying they didn't believe they would be a target for a cyber attack, while 27% said it wasn't relevant to their business.

Others said it was too expensive (18%), that they didn’t know cyber insurance even existed (16%) and that they didn’t need it because they spent their money on IT security controls (11%).

Asking for help

Businesses were asked who they'd turn to for help in the event of a cyber attack causing major disruption to their business:

• Three in ten (29%) said they'd expect their MSP (managed service provider) to deal with it and a quarter (25%) said they'd go to the police.
• Others said they'd seek help from the National Cyber Security Centre (23%), from their insurer (19%), from incident response experts (17%) and their insurance broker (15%).
• Some said they would use Google to try to find expert help (15%) while 17% said they didn’t know who they would go to.

Protecting their business

But the survey does reveal some of the measures businesses have taken to help protect against a cyber incident. More than two-thirds (69%) said they make sure firewall and virus protection software were installed, active and updated according to the providers’ instructions.

62% back up all of their data at least once a week, while 61% said they make sure any access and passwords were personalised, stored securely and weren't reliant on manufacturer settings.

Other security measures taken included using multi-factor authentication (48%), installing any software or firmware updates within 14 days of release (47%) and educating and training staff on cyber dangers and risks (44%).

Policy coverage

Businesses were also asked to choose what they would want cyber insurance to cover. More than half (52%) selected business interruption cover and 46% chose data breaches.

System failure / network outages and cyber extortion / ransomware were each selected by 42%, while defence costs and damages in the event of being sued (38%), corrupt data (34%), regulatory fines (24%) and lost customers (23%) were among the other answers.

All these covers can be included in a cyber insurance policy from Aviva.

Stephen Ridley, Head of Cyber at Aviva, said:

"Cyber crime is a growing problem and it’s alarming that many SMEs either have no cover, don’t know if they’re covered or are relying on non-specific cover that may not respond in the way that they think it will.

It’s a misperception that because you’re an SME, cyber criminals won’t be interested in you. Often the criminals won’t even know whose system they’ve accessed until they’re in there and they'll look to extract whatever value they can.

People often think because they have got fantastic security, they don’t need to worry, but the impenetrable system just doesn’t exist. Even massive, highly technically savvy companies with big security budgets have fallen victim to cyber attacks. Whilst those attacks grab the headlines, lower value but equally disruptive attacks are becoming increasingly commonplace for SMEs.

The survey shows many businesses believe they're insured but they need to be sure their policy will do the job. It doesn’t have to be a completely stand-alone policy, either – at Aviva, we can package our cyber cover as part of a wider Commercial Combined policy."

More help and support

• To hear more from Stephen, read his latest article - which discusses underinsurance in Cyber and the risk of uninsurance. 
• For more information about our Cyber product and proposition, head to our Cyber page.

For insight and helpful resources relating to underinsurance, visit our dedicated page on Aviva Broker here.