Phishing emails aren’t just a nuisance - they’re now a gateway to class action lawsuits for small businesses. Today’s cyber threats don’t scale to size.
As digital systems grow increasingly entangled, attackers are exploiting every weak link - from third-party vendors to the receptionist’s inbox. Phishing remains the most common entry point, and it's costing SMEs more than just downtime. According to IBM’s 2023 Cost of a Data Breach Report, for organizations with fewer than 500 employees, the average cost of a breach climbs to $3.31 million - a 13.4% jump from 2022.
Patricia Kocsondy, head of global cyber digital risks at Beazley, said the most critical challenge isn’t frequency - it’s infrastructure. “Yesterday’s big company problems as relates to cyber and tech risks are now today’s small company problems,” she said. “We are definitely seeing that small companies are being hit just as much as large companies.”
Part of that vulnerability comes from a widening awareness gap. “Most particularly for our small business clients, the area where we see the most claims are still resulting from humans clicking on malicious links,” she said.
The consequences are also escalating. “We are now seeing class actions against small companies—even with the smaller breaches.”
But the threat doesn’t have to arrive at the front door. Digital infrastructure has become one of the biggest sources of vulnerability. “If they can target key companies in a supply chain, then the real victims are actually the clients of the targeted entity,” Kocsondy said. “Over half of the claims notifications we see result from what we call third-party risk.”
Despite the growing exposure, awareness - and action - remains staggeringly low among SMEs. “The awareness gap is the biggest difference that we see between small companies and large companies,” she said.
Phishing remains the top culprit, often leading to business email compromise, ransomware attacks, and regulatory penalties. It’s also among the most avoidable risks - if employee training keeps up. “It is the area where they would get the most improvement in their cybersecurity protection if they could only train employees to not click on malicious links,” Kocsondy said.
Today’s attacks are faster, stealthier, and increasingly powered by AI-generated content and malware. SMEs, often lacking in-house IT resources, need more than a payout - they need a partner. “Cyber insurance is not just insurance. It’s so much more than insurance,” Kocsondy said. “It’s an entire protective ecosystem.”
That includes real-time alerts, patching guidance, and post-breach containment support. “The biggest difference is that large clients likely have an infosec team managing this on their behalf. In the small client space, they definitely need our assistance,” she said.
Unlike a major corporation, a small business can see its very survival threatened by a single cyberattack. “Having a cyber incident might be an existential threat,” Kocsondy said. “We work very closely with [clients] to educate them about exactly what they need to do to manage the fallout.”
Tight policy limits make efficient incident response critical. “We do everything we can to manage that incident within their policy limits so that they don’t have to come out of pocket,” she said. “The level of expertise required from our claims team requires that much more sophistication to manage it properly.”
Meanwhile, global regulatory pressures complicate recovery timelines and legal strategies. “The US is rather litigation heavy,” she said. “In the EU, for example, there’s a patchwork of regulatory obligations that companies may have, and it can be very complicated.”
Kocsondy believes the challenge of delivering sustainable cyber coverage to SMEs isn’t just about underwriting or price - it’s about access. “SMEs usually don’t have a budget to invest in their own security awareness and their own cybersecurity risk,” she said, “so insurance could play a role here.”
Worse, many don’t even know the coverage exists. “There’s just so much information out there and so little at the same time,” she said. “Without a broker or an advisor, it’s very hard to pick out the quality established carriers, much less understand the protective services those carriers may offer.”
It’s a knowledge gap that could spell the difference between recovery and collapse. “There are folks who don’t even know that cyber insurance exists,” Kocsondy said. “Their risk is very acute, and they may not even be aware this protection is available.”
Whether the threat comes through a direct attack or a breach upstream in the supply chain, she added, resilience is no longer a luxury. “The risk is not going away. If anything, it’s getting bigger,” she said. “And it’s unpredictable. There are a whole host of constantly changing risks.”