Cyber insurance growth in the UK is no longer being driven solely by large corporate buyers. After years of relatively gradual adoption, the market is beginning to see broader momentum among SMEs, with brokers, insurers and clients all changing how they approach the product.
For Lindsey Maher, head of global cyber development at CFC, the UK cyber market is entering a new phase of SME adoption.
“It’s been a product that’s been available in the UK for now over 25 years,” she said. “Certainly more pronounced in the last six months we’ve really seen that inflection point of growth trends and interest level.”
Maher believes recent UK cyber incidents have had a different effect on SME behaviour than earlier headline-grabbing breaches.
Historically, large-scale cyber events generated attention but did little to materially change SME buying behaviour. Even the introduction of GDPR failed to create the sustained shift many expected.
“Everybody thought that was going to be the moment that changed everything and it just simply didn’t,” Maher said.
The turning point, she argued, was the disruption linked to Jaguar Land Rover and the wider supply chain impact that followed.
“JLR changed it up completely,” she said. “People saw tangible losses as a result of it.”
What distinguished the incident was not simply the scale of the breach itself, but the visibility of the downstream economic impact on suppliers and smaller businesses connected to larger organisations.
“The economic damage from JLR was much more heavily weighted towards the SMEs who were caught in the crosshairs of it, rather than JLR themselves,” Maher said.
That has helped shift cyber discussions away from data breaches alone and towards business interruption, operational disruption and supply chain dependency.
Maher said the recent acceleration in uptake is not being driven by a single factor. Softer conditions across other commercial lines have also made cyber easier to introduce during renewals. During harder markets, brokers were often focused on explaining premium increases elsewhere rather than introducing new products.
“When rates and premiums are going up on other product lines,” Maher said, “brokers often find themselves in conversations where they’re explaining rate increases to clients and then having to introduce a completely new product.”
Insurers have become more aggressive in pursuing cyber growth, with new entrants, expanded appetites and additional product launches increasing competition across the market.
That has also changed broker behaviour. Maher said brokers are increasingly formalising cyber placement strategies, selecting specific insurer panels and investing more time in understanding the infrastructure and services sitting behind policy wordings.
“We’ve responded and participated in more RFPs for SME cyber insurance in the last six months than we have in the last three years,” she said.
The shift reflects a broader recognition within the broking market that cyber can no longer be treated as a peripheral product.
“We are seeing a shift where brokers are realising it’s an E&O issue if they aren’t talking to their clients about it,” Maher said.
Despite the recent growth, Maher argued the market still faces structural barriers to wider SME adoption.
“I don’t think we have an awareness problem when it comes to cyber risk in the UK anymore,” she said. “What we have to still overcome is an execution problem.”
Many insurers, she suggested, still approach SMEs as smaller versions of large corporate risks, relying on lengthy proposal forms, rigid security questionnaires and point-in-time underwriting assessments.
Maher argued the market instead needs simpler underwriting, more accessible buying journeys and greater emphasis on helping businesses improve resilience over the course of the policy period rather than filtering risks out at the application stage.
“It does require more of a portfolio underwriting approach in that segment,” she said.
One of the most significant changes, Maher said, is growing awareness among SMEs that cyber exposure increasingly sits outside their direct control.
“The reality is that they’re targeted because they’re connected,” she said.
SMEs are not only exposed through their own systems, but through suppliers, software vendors and managed service providers that support day-to-day operations.
“Most of the SMEs rely on a huge number of third-party tools and managed service providers and they have really little insight into those suppliers and their own security postures,” Maher said.
That interconnectedness has made supply chain disruption a more immediate concern for smaller businesses, particularly following high-profile UK incidents.
“When SMEs understand cyber more as a business interruption exposure rather than data loss, their intention to buy cyber insurance changes,” Maher said.
Maher said the market remains healthy overall, with continued insurer appetite and sustained growth expected over the coming years, although the current pace of rate reductions is unlikely to continue indefinitely.
For a market that spent years struggling to move beyond niche adoption among smaller firms, the recent shift is becoming harder to dismiss. Cyber insurance is increasingly being discussed less as a specialist add-on and more as part of mainstream SME risk planning.