What’s stopping SMEs from buying cyber insurance?

LONDON–Small to medium sized businesses (SMEs) are increasingly aware of cyber threats to organizations, but are still reluctant to take action, according to the UK’s CBI head of enterprise policy, Tom Thackray.

“There is a disconnect between awareness and action among SMEs,” Thackray told the audience here at the Institute of Risk Managers cyber forum last week.

He noted SMEs are constrained by their own perceptions in three major categories: the threat is only real for large organizations; the financial cost of fighting cyber threats is too high; SMEs do not have adequate in-house expertise to defend themselves.

However, Thackray noted that the CBI and other organizations – including the insurance sector – are building data to break down these perceptions and encourage SMEs to take action against cyber threats.

There is an increase in data breach notifications in the UK, with institutions such as the Information Commissioners publishing enforcement actions against UK businesses that do not report data breaches.

Proposed pan-European legislation will also enforce more frequent disclosure of data breaches and drive data collection, speakers at the conference said.

Combined with the insurance industry collecting information and breach reports, the industry will reach a critical mass “to drive estimates of return on investment and a justification for the financial spend on cyber insurance”, Andrew Rogoyski, head cyber security services at CGI said.

The conversion rate of a cyber insurance inquiry to a bound policy is extremely low compared to other insurance lines of business, according to Nigel Pearson, global head of fidelity at Allianz Global & Corporate.

“A normal hit ratio for an established line of business is one in every four or five submissions,” Pearson said at the conference. “For cyber, this ratio is one in ten.”

Pearson noted that the longest buying cycle and most reticence came from the SME sector.