Cyber market maturity opens door to SME expansion: AXA XL

Improving resilience and better data are expanding possibilities beyond large corporates, executives say

By Gia Snape

The next major growth opportunity in cyber insurance may not come from multinational corporations but from the vast population of small and medium-sized enterprises (SMEs) that remain underinsured against digital threats.

Executives at AXA XL told Insurance Business that the cyber market has reached a level of maturity where lessons learned from insuring large enterprises can increasingly be applied to small- and middle-market businesses, creating new opportunities for insurers and brokers alike.

The opportunity is significant because small businesses remain among the least protected segments of the cyber insurance market. According to the US Small Business Administration, there are more than 34 million small businesses in the United States, representing 99.9% of all US businesses and employing nearly 46% of the private-sector workforce.

The US cyber insurance market also remains the world's largest, accounting for roughly 60% of global cyber premiums, according to Swiss Re, giving insurers a significant opportunity to expand penetration among smaller commercial buyers as the market matures.

"The reason we have the current market conditions is because there was a readjustment three to five years ago," said Michelle Chia, chief underwriting officer for cyber in the Americas at AXA XL. “Organizations needed particular controls in place, and without those controls, the frequency and severity of threat vectors such as ransomware created a very different loss profile than we had initially assumed.

“We're now at a point where there's significant maturation on both the client side and the insurance side. Organizations have improved their cyber resilience, implemented controls, and are looking beyond their own networks to ensure their vendors, suppliers, and other critical partners are also resilient.”

As rates soften, carriers target an underserved market

According to the Council of Insurance Agents & Brokers (CIAB), average US cyber insurance premiums fell 7.7% during the fourth quarter of 2025, extending a softening trend that has emerged as insureds adopted stronger controls such as multi-factor authentication, endpoint detection, and incident response planning.

Yet the softening market is also forcing carriers to look beyond their traditional customer base for growth. After years of focusing on large enterprises, many insurers now see the middle market as one of the few segments where cyber insurance penetration can still expand materially.

That shift reflects the maturation of the broader cyber market. According to Swiss Re, global cyber insurance premiums have grown from less than $5 billion a decade ago to more than $15 billion annually, driven initially by large corporate buyers.

As purchasing among major enterprises has become more widespread, insurers are increasingly targeting smaller organizations that face many of the same threats but often lack the cybersecurity resources and insurance sophistication of larger peers.

Tailoring cyber underwriting for SME complexity

Historically, AXA XL has focused primarily on large, complex organizations. However, the interconnected nature of cyber risk has highlighted the need to extend similar risk management principles to smaller businesses.

"One advantage we have is our long history working with large enterprise customers," Malone said. "We've learned a tremendous amount from highly sophisticated organizations and have accumulated very rich data. We can take lessons learned over the past two decades and make them more accessible and actionable for organizations that aren't Fortune 1000 firms."

From an underwriting standpoint, Chia said the philosophy remains consistent across market segments, but the process must be adapted to match the complexity of the organization.

"A middle-market organization typically has a smaller attack surface and a simpler operating model," she said. “As a result, we ask different questions. We tailor our underwriting to the nature of the risk rather than applying the same process to every organization. Some middle-market businesses are quite sophisticated and require more detailed evaluation. Others are simpler businesses that happen to generate significant revenue.

“In some cases, underwriting can be streamlined. In others, more detail is needed. It's a combination of simplifying the process for clients while still gathering the information necessary to understand the risk.”

One area where the market has made significant progress – and which has allowed insurers to scale into the critical SME market – is third-party risk management. As claims increasingly stem from vendor and supply chain vulnerabilities, cyber underwriters have expanded scrutiny beyond an organization's own systems.

"Today, it's essentially standard practice to ask questions about supply chain management, dependencies, redundancies, and critical infrastructure," said Malone. He compared the trend to the widespread adoption of multi-factor authentication following the ransomware surge of 2021. Underwriters, he said, can influence behavior by asking the right questions and aligning coverage terms with stronger risk management practices.

Chia also said insurers are increasingly helping clients understand not only how to secure their own operations but also how to assess the resilience of vendors and partners that support critical business functions.

The race to insure America's smaller businesses

The focus on SMEs comes as cyber threats continue to intensify. According to Verizon's 2025 Data Breach Investigations Report, ransomware was involved in 44% of all breaches analyzed, while small and midsize organizations experienced ransomware at significantly higher rates than larger enterprises. The combination of rising cyber dependency, improving underwriting data, and a vast underserved customer base makes SMEs the industry's most compelling growth opportunity.

Looking forward, the goal is no longer simply to transfer cyber risk, but to bring the controls, insights, and resilience practices developed among Fortune 1000 companies to the millions of smaller businesses that increasingly face the same interconnected threats.

“There are only about a thousand Fortune 1000 companies, and even companies in the same industry can look dramatically different,” Malone said. “By contrast, there are hundreds of thousands of small businesses, and many of them look relatively similar to one another.”

“(By aggregating data more effectively)… we can draw insights from broader trends, rather than relying solely on highly specific control information.”
