
The 2025 SMB Cybersecurity Gap


KEY TAKEAWAYS:

  • Smaller vendors are being targeted by cyber criminals in third-party attacks as a way to breach larger companies.
  • To protect against third-party breaches, larger companies will require vendors to prove their cybersecurity capabilities.
  • Cyber insurance coverage will be an important component of proving a smaller vendor is taking cybersecurity seriously.

This article from Matt Cullina, head of global cyber insurance business at TransUnion, originally appeared as “Preparing for 2025: The SMB Cybersecurity Gap” on Forbes.com.

Large companies are no strangers to cyber insurance policies. In fact, 93% of companies with more than $1 billion in annual revenue have some form of cyber coverage.

On the other hand, small and medium businesses (SMBs) may be less familiar with them. However, as third-party data breaches (e.g., supply chain attacks) increase in severity, I see a growing number of larger companies requiring vendors to show proof of cyber insurance as part of their compliance checklists.

Corporate vendors are apt to take such demands in stride as they have the resources to weather these shifts. SMB vendors, however, likely will need to set aside time to develop a plan of action for satisfying cyber insurance mandates so they don’t experience a loss of business.

Just the nudge SMBs may need

Since 2022, small businesses have experienced a 28% increase in cyberattacks, and a 2023 Forrester poll of more than 5,000 small-business cybersecurity professionals revealed 41% experienced a cyberattack during the prior year. That notable rise was driven, in part, by cybercriminals targeting vendors to access their clients' data.

Many small-business owners falsely believe their organizations are "too small to be targeted" by cybercriminals, but in my experience, I find the opposite is true. Their size and lack of defenses make small businesses even more attractive targets for hackers looking to access client data.

Smaller vendors typically don’t have the same security expertise or resources as larger companies. Targeting these less protected vendors creates a higher return with less effort.

By focusing attacks on accounting, payroll, IT or administrative firms that serve multiple clients, a single breach can give an attacker access to the data of multiple organizations at once. A chain is only as strong as its weakest link, so a vulnerable vendor creates a vulnerable client.

Reputational risks

Based on my experience as head of global cyber insurance, I’ve observed that third-party data breaches often result in significantly higher severity than primary breaches, gauged largely by the volume of fraud-enabling credentials stolen during these attacks.

The large number of third-party breaches over the past two years has given attackers expanded access to personally identifiable information (PII) like Social Security numbers, medical data and credit card account details.

The reputational fallout of these incidents is only expected to worsen as resulting incidents of identity theft, social engineering and consumer scams increase. In fact, identity theft (59%) was the cyber threat consumers were most concerned with in TransUnion’s 2024 Consumer Pulse Study.

The potential for reputational damage following a leak of fraud-enabling PII is considerable. A recent report by Vercara showed 66% of U.S. consumers would not trust a company that exposes their data in a breach, and 75% would sever ties with a brand following any cybersecurity issue.

Making cybersecurity manageable for SMBs

Only 17% of small businesses currently have cyber insurance. And despite a 24% increase in cybersecurity spending in recent months, 43% of surveyed SMBs don’t have network-based firewalls to block hacking attempts. Nearly 60% of those businesses also never use security awareness training, which is considered to be among the most effective risk-mitigating activities.

An overwhelming 95% of cybersecurity breaches are caused by human error, which includes falling victim to social engineering attacks, misconfiguring cloud storage and other accidental exposures.

This is why many cyber insurers insist on conducting a cybersecurity assessment during underwriting. As SMBs look to bolster their security posture to obtain policies and keep premiums as low as possible, they may want to consider deploying or expanding the following:

  • Compliance with industry security frameworks to meet a minimum standard of security.
  • Frequent security testing to identify, mitigate and prevent new vulnerabilities.
  • Regular cyber training to keep employees updated on the latest threats and scams.
  • Incident response planning to guide recovery efforts following a data breach or similar disruption.
  • Data backups to prevent the need to give in to demands from ransomware attackers.
  • System update policy and procedures to ensure the latest security patches are in place.
  • Permissions management to dictate appropriate levels of access to sensitive resources.
  • Password management to guide the secure creation, storage and use of credentials.

This list is not exhaustive; it’s merely a set of practices carrier partners consistently ask for as they conduct assessments of prospects and policyholders looking to upgrade coverage. For SMB vendors overwhelmed by the many different layers necessary for a strong cyber posture, engaging with cyber insurance brokers can be a good way to identify and solve security gaps, as well as understand the risks of claim denials.

This is something of a moving target as carriers are continuously adding exclusions to cyber policies. The cyber warfare exclusion, for example, enables insurers to deny claims related to cyberattacks that are part of a state-sponsored or politically motivated conflict.

Another is the systemic event exclusion, a clause that limits or excludes coverage for losses arising from widespread, large-scale cyber incidents affecting multiple policyholders at once.

Mitigating losses for both SMBs and their clients

The average small business can’t afford to recover from a data breach, let alone support impacted clients. I see big companies that absorb the losses from third-party breaches growing increasingly dissatisfied with this imbalance. Thankfully, cyber insurance can help both parties recover from a cyber incident.

SMB cyber policies often begin as endorsements on small-business policies. As an SMB grows and its risk profile expands, a stand-alone cyber policy may become more appropriate. While these policies are often customizable, they typically come with three core benefits: coverage for financial losses, assistance with incident response and third-party liability.

As enterprises require vendors to maintain cyber insurance as a condition of partnership, SMBs may need to learn how to select the most effective coverage. Cyber insurers and the larger enterprises being served can help guide SMB vendors to help ensure the supply chain is adequately protected against modern cyber threats.