Willis expands cyber facility for SMEs across EMEA

Just over 40% of UK SMEs currently hold cyber cover, well below adoption among larger firms

Willis expands cyber facility for SMEs across EMEA

Cyber

By Mark Rosanes

UK cyber insurance claims payouts rose from £59 million in 2023 to £197 million in 2024 - a 234% increase in a single year - while just over 40% of UK SMEs hold cyber cover, compared with roughly 63% of medium-sized firms and 70% of FTSE 100 companies. That combination of surging claims severity and persistently low SME take-up frames why Willis, a WTW business, has expanded its CyMax Facility into a panel-based primary and excess cyber insurance facility for small and mid-sized companies across EMEA, with capacity now provided by AXA XL, Beazley, HDI Global and Markel.

The expansion builds on an earlier Continental Europe version of the facility, which previously relied on a single insurer. The panel structure pools capacity from several insurers under a single set of terms, giving brokers and clients access to higher limits and more flexible placement options than a single-carrier arrangement provides.

Why SME cyber take-up remains low

Security gaps remain common among the businesses the facility is designed to serve. Research on UK SMEs found nearly a third had missing or invalid email authentication controls and more than half were running outdated software - both common entry points for phishing and ransomware attacks. The facility reflects that reality in its eligibility criteria: it covers businesses with turnover of up to €500 million or CHF500 million and accepts companies with fully established security controls alongside those with controls only partially in place. The two-tier approach is an acknowledgment that waiting for SMEs to achieve full security maturity before offering coverage would exclude most of the market the facility is designed to reach.

Applicants complete a one-page cyber application form and an eligibility questionnaire of six to eight underwriting questions, with pricing set using pre-agreed grids rather than individual negotiation. Coverage includes incident response, notification costs, emergency costs, business interruption, contingent business interruption, regulatory action, social engineering, cyber theft, invoice manipulation and reputational harm.

The regulatory alignment and its limits

The wordings are aligned with the EU's GDPR and NIS2 rules and the Digital Operational Resilience Act, known as DORA, which sets cybersecurity and operational resilience requirements for infrastructure and financial sector firms. That alignment matters but has practical limits. DORA has applied since January 2025, yet as of mid-2025 only 14 of the EU's 27 member states had fully transposed NIS2 into national law. Regulatory fines themselves often remain uninsurable depending on jurisdiction even where breach-response costs are covered - a distinction brokers placing coverage under this facility should confirm with clients rather than assuming wording alignment equates to full regulatory cost coverage.

Willis said the facility also gives clients access to pre- and post-breach services including threat intelligence reports and pre-ransomware alerts, and that the single vulnerability-scan requirement and streamlined application process are intended to reduce friction for brokers and policyholders.

A crowded but underpenetrated market

Willis's expansion follows other recent product activity aimed at the same segment. Brit Insurance launched an SME-focused cyber product in March 2026 built around "any one claim" limits. CFC and Beazley have separately been developing supply-chain cover extensions and alternative capacity structures for the same market. The volume of activity from multiple carriers and facilities reflects both the scale of the SME cyber protection gap and the competitive pressure to close it - though the gap between 40% SME take-up and the 70% FTSE 100 rate suggests the market still has significant room to run before the underserved segment is genuinely served.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!