The concentration of cyber insurance limits among SMEs highlights growing concerns over aggregate exposure and systemic risk, according to AM Best’s inaugural cyber survey.
The agency’s survey of 41 global cyber insurers, representing about US$8b in premiums, shows the vulnerability of small enterprises to coordinated cyberattacks—and by extension, cyber catastrophe threat to insurers—as concerns about accumulation risk intensify.
Small businesses with annual revenue under US$10m account for 73.1% of all cyber policies and 52.7% of total limits, according to the survey. But despite this concentration, SMEs only generate 21.3% of direct premiums written.
In comparison, larger businesses with annual revenues of over US$1b have the highest premium per policy at approximately US$69,000, but take up only 7.9% of limits, suggesting some degree of underpricing for smaller businesses.
A September 2024 whitepaper from Guy Carpenter and cyber insurer At-Bay highlighted that small and medium-sized enterprises (SMEs) are increasingly targeted by scalable cyberattacks exploiting common vulnerabilities, underscoring the urgent need for improved cyber catastrophe modelling.
The report recommends insurers enhance their models by integrating SMB-specific security controls such as Endpoint Detection and Response (EDR) and Multi-Factor Authentication (MFA), as well as understanding technological interdependencies, to better quantify risk and confidently expand cyber insurance coverage in the growing SMB sector.
But AM Best’s survey shows the industry has yet to converge on standardised risk assessment.
Of the 41 surveyed, only 30 insurers have used any form of catastrophe modelling at all. Of those, 10 used probabilistic models, five used deterministic models, and the rest used a mix of both. 11 surveyed insurers did not use catastrophe modelling.
Proper modelling is needed as cyber threats shift toward repeatable and scalable attack methods through vulnerabilities found in popular products. Small businesses—which tend to use common services and also have weaker security—thus represent a systemic risk.
“To the extent that any of these small businesses could be using the same cloud service or another common service illustrates how one outage or attack could impact several policies,” said Christopher Graham, Senior Industry Research Analyst at AM Best.
This comes as a Guy Carpenter from January showed that the Asia Pacific cyber market has grown to approximately US$1.7bn, driven by increased SME adoption, emerging markets, and broader product offerings.
Insurers in the region have been increasingly willing to expand their cyber coverage offerings, driven by rate reductions and increased capacity, making cyber insurance more accessible and attractive to buyers, the reinsurance broker said.
Bryan Raber
AM Best AnalystWhat dominates claim coverage?
AM Best’s survey also revealed a gap in claims categorisation by cyber insurers, with the majority categorised as “unknown.”
Among categorised claims, business interruption claims accounted for only 1.2% of total cyber claims but represented a disproportionate 25.3% of net incurred losses, the ratings agency found.
Incident response—which would include ransomware attacks and business email compromise—dominated claim frequency at 22.5%, with insurers setting aside US$1b in reserves for incident response.
“While many insureds have been able to avoid paying ransoms, those that haven’t ultimately may endure more losses owing to business interruption than the cost of the ransom,” AM Best Analyst Bryan Raber said.
“On a per-claim basis, business interruption claims are more expensive than incident response claims, encompassing 25% of total net incurred losses among the survey population, compared with 14% on the business interruption side.”
Several other categories contributed notable portions of categorised claims: extortion accounted for 3.9% of claims paid and 6.0% of losses, while financial theft and fraud represented 3.6% of claims but only 0.8% of losses. Network security failure liability and breach of privacy also factored into the mix.
AM Best expects the percentage of uncategorised claims to decrease as insurers organise claims systems and classification mechanisms alongside the cyber market’s evolution.
