More than half of small and medium-sized businesses (SMBs) in North America lack basic email security protections, compared with nearly a third of UK small and medium-sized enterprises (SMEs), according to new research from cyber risk intelligence provider KYND.
The findings highlight widespread cyber exposure among smaller businesses and a significant opportunity for insurers to support resilience.
The analysis, based on 7,980 SMBs across the US and Canada and 830 UK SMEs, identified common weaknesses in cyber hygiene, including poor email authentication, outdated software and exposed internet-facing services often linked to phishing, ransomware and business email compromise (BEC) attacks.
According to the report, 54.9% of North American SMBs and 31.7% of UK SMEs have missing or invalid email authentication controls, such as SPF and DMARC, increasing exposure to phishing, impersonation and fraud.
KYND also reported that 51% of North American SMBs and 55.1% of UK SMEs are running outdated software, extending their window of exposure to known vulnerabilities. In addition, 10.7% of North American SMBs and 8.0% of UK SMEs have exposed file-sharing services (Server Message Block), while 9.5% of North American SMBs and 5.8% of UK SMEs have exposed remote access systems (Remote Desktop Protocol). A further 4.3% of North American SMBs and 2.7% of UK SMEs have both remote access and file-sharing services exposed at the same time, creating multiple potential entry points for attackers.
KYND said these weaknesses are consistent with what incident responders and insurers are seeing in real-world events, with ransomware and BEC still driving a large share of cyber insurance claims globally.
Despite the level of exposure, cyber insurance penetration among SMEs and SMBs remains relatively low, often estimated at below 10% in many smaller-business segments. Analysts have noted that while the global cyber market continues to grow and pricing has started to stabilise, standalone cyber take-up among SMEs is still in single digits in many regions, and significantly below large-corporate levels.
This gap between risk and insurance take-up is both a concern and an opportunity. Weak controls can push up loss ratios and volatility if not properly understood and priced, but the prevalence of visible, relatively basic issues such as missing email authentication or unpatched systems also creates room for insurers to pair cover with practical risk-improvement support.
Ben Duffy, VP and head of North America at KYND, said the findings underline both a growing risk issue and a commercial opening for the insurance sector.
“Many of these risks are externally visible and relatively easy for attackers to identify. What this research shows is that cyber exposure among SMEs and SMBs is widespread, measurable and often preventable,” he said. “There is a clear opportunity for insurers and brokers to play a more proactive role by combining insurance cover with practical, data-led cyber risk insight. Better visibility of exposure can help improve underwriting, reduce friction across the insurance lifecycle and ultimately support stronger cyber resilience among smaller businesses.”
As the cyber insurance market matures, industry voices have stressed that SMEs are not necessarily unwilling buyers, but are often put off by complexity, cost and perceived relevance. Many smaller firms still see cyber as a “big company” problem, despite being attractive targets for opportunistic attackers.
KYND argued that better use of external cyber risk intelligence could help address some of those barriers by allowing insurers to streamline SME underwriting, support brokers in expanding cyber portfolios and deliver more proactive risk management services. Rather than relying solely on lengthy questionnaires and self-attestations, carriers can pre-populate risk profiles using external scans, highlight specific exposures and provide targeted recommendations.
In response to the research, KYND is encouraging insurers to use external risk signals to improve underwriting accuracy and portfolio segmentation; support SMBs with practical insights to reduce exposure before incidents occur; simplify the process of selling and renewing cyber insurance through better data; and move gradually towards continuous monitoring of cyber risk across insured portfolios.
“Cyber risk is a core business risk for smaller organisations globally. By helping businesses better understand and manage that exposure, insurers have an opportunity to create value both for their clients and their own portfolios,” Duffy said.