‘Low-hanging fruit’: SMEs face greater cyber risk than executives realise

‘The internet is just a maze of doors and cyber criminals are finding ways in by scanning for vulnerabilities’


By Emily Douglas

There’s a dangerous assumption that cybercriminals only seek to target large, global and wealthy organizations - and that smaller companies just aren’t worth their time or effort. In reality, it’s SMEs that are prime prey for threat actors looking to extort funds from them.

Why? Because many smaller companies still don’t have cyber coverage - and it’s costing them significantly. Speaking to Insurance Business, Richard Savage, Senior Director of Cyber Incident Management at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas, revealed that microbusinesses are experiencing more frequent incidents, in part due to a perception that they are less likely to be targeted.

“Every device that’s attached to the internet is represented by a specific address. The attackers don’t know who’s behind that address until they gain access to the individual system. The internet is just a maze of doors and cyber criminals are finding ways in by scanning those doors for vulnerabilities. They’re using technology to access these doors at a mass scale which is why more SMEs are being frequently targeted.”

According to data from Total Assure, small businesses experienced a 46% cyberattack rate in 2025, with average losses reaching $120,000 per compromise.

‘We’re too small to be targeted’

Here, Erin Hendrix, Director Cyber & Tech Claims and Litigation at CPLG, added that larger entities tend to have much more stringent protections and protocols in place, whereas their smaller counterparts have fewer resources to implement them at the same scale.

“The small businesses are generally lacking the technological infrastructure they need to make sure their people and their data are secure,” she explained. “The technology the criminals are using means SMEs are [hit more] because, quite frankly, they’re viewed as low-hanging fruit by threat actors.”

This assumption that ‘we’re too small to be targeted’ is increasingly challenged by current trends. And despite media headlines focusing on large-scale incidents, the majority of attacks hit small or medium-sized businesses.

“We know that the vast majority of these attacks are down to human error,” added Hendrix. “As opposed to the big, flashy headlines you see in the news. As a result, the smaller attacks often fly under the radar which in turn leads to this false sense of security.”

There’s also a huge disparity between the sophistication of the tech in SMEs compared to larger organizations. As Savage told IB, smaller companies may think that their IT support is adequate when in reality it’s just not up to par, often relying too heavily on external third parties. When an attack occurs, nothing but the very best coverage and support is going to cut it.

“It’s a question of cyber resilience versus cybersecurity,” added Savage. “Most of what we see, especially in the small to medium-sized business area, is the exploitation of vulnerabilities or security weaknesses which are entirely preventable, such as weak controls or devices that haven't been patched or updated in a long time. These are the kinds of issues which are continuing to affect SMEs over and over again. It's as much about cyber risk management as it is simple infrastructure and information technology hygiene. Most of the attacks that we see are preventable, because those weaknesses are fixable, but SMEs are just ripe for the taking.”

‘Exhibiting cyber resilience is important, but empathy matters too’

Looking at it from the policyholder perspective here, Hendrix added that there needs to be a mindset shift, something which can be difficult for SMEs.

“Exhibiting cyber resilience is important” but, for many small businesses, the day-to-day focus is understandably on running and growing the business. She continues, “[f]or us, at CPLG, this means that we have to wear two hats. On the one hand, we have to be clinical and precise in understanding how the threat actor got in and what they accessed.

“On the other hand, we also have to work on our bedside manner, so to speak. Yes, we’re clinicians, but also we have to be empathetic because we're dealing with policyholders who’ve been the victims of a crime. It’s about making sure that even though we see this day in and day out, that we take that step back and lead with empathy. [Ultimately], it’s about helping people get back up and running as quickly as possible.”

And the role of education here really can’t be overstated. From Savage and Hendrix’s viewpoint, people have a responsibility to self-educate in order to prevent accidents before they happen. At CPLG, this is all part of the package.

“We provide free access to comprehensive, online cyber security training and phishing simulation training to help educate policyholders,” added Hendrix. “While we can’t enforce the use of our training platform, we encourage it because it makes everybody stronger.”

As Savage pointed out, however, this is often easier said than done. As he told IB, historically the take-up of education and proactive cybersecurity and risk management offerings, even free ones, has been extremely low.

MFAs, secure backups, managed detection and response teams

“[As such], continuing to get the word out without fear-mongering, but rather, encouraging people to take advantage of this free training, would go a long way in preventing a lot of the things that we see on a regular basis.”

In the face of increasingly sophisticated methods of cybercrime, the best method of attack is having the right defense. As Savage went on to tell IB, there are three main components that dictate how well a company is protected - multi-factor authentication (MFA), secure backups, and managed detection and response teams.

“Multi-factor authentication is probably the single most important protection that businesses can implement from a security standpoint,” added Savage. “It's the first line of defense against a remote attack. Following that, if an intruder is able to get past this portion of security, the next wall of defense is managed detection and response. [However], those tools are only as good as the people that are watching them.

“Finally, if an attacker gets past multi-factor authentication and then gets past the detection solution, the last line of available defenses are secure backups. Secure backups are really important to ensuring cyber resiliency and the ability to recover in the wake of an active cyber event. We find time and time again that backups are being taken for granted and that the focus on redundant, segregated and immutable backups has gone away over the past 10 years.”

When a cyberattack hits, panic often sets in. For organizations, the distress of potentially losing money or data to hackers means that common sense goes out of the window. This really is where the human element of cyber coverage comes in. Because when you’re facing cybercriminals, you want to speak to a fellow person - not a machine. This is why CPLG provides 24/7 support with real-time claims guidance and proactive risk management.

‘We're just trying to get them back to square one’

“Cyberattacks don’t always happen between 9am to 5pm,” added Savage. “Normal business hours don’t apply here. For us, it’s about being able to be there for an insured who's going through a cyber incident at 3am on a Saturday morning. This can be helpful in mitigating the downstream exposure of the actual attack. Having the opportunity to be heavily involved in driving the incident response process for an insured that's going through an active cyberattack is important. This means we can better understand what happened, what was exposed, and provide any necessary notifications to individuals, regulators, or anyone else in a quick, timely manner to reduce potential third-party exposure.”

Hendrix uses the analogy of a clinician. As she told IB, when your vision becomes blurry you don’t call a podiatrist - you go to the optometrist, even if you’re more comfortable with your regular general practitioner.

“People face this a lot,” she added. “They're comfortable with their normal vendors and their normal counsel. However, in terms of real-time claims guidance help, this is all we do. We do cyber day in, day out. We know the threat actors, we know how they work and we’re incredibly thoughtful and precise with how we handle claims, making sure that we're putting the right response in place for the right claim. At CPLG, we're the experts in this. [Essentially], we recognize that the folks we're helping are experts in what they do too - and we're just trying to get them back to square one.”

About Tokio Marine HCC – Cyber & Professional Lines Group

Tokio Marine HCC – Cyber & Professional Lines Group, doing business as NAS Insurance Services, LLC with the CA license #0677191, is headquartered in Encino, CA and is a member of the Tokio Marine HCC group of companies based in Houston, Texas. For more information about Tokio Marine HCC – Cyber & Professional Lines Group, please visit www.tmhcc.com/pro.

About Tokio Marine HCC

Tokio Marine HCC is a member of the Tokio Marine Group, a premier global company founded in 1879 with a market capitalization of $71 billion as of December 31, 2025. Headquartered in Houston, Texas, Tokio Marine HCC is a leading specialty insurance group with offices in the United States, Mexico, the United Kingdom, and Continental Europe. Tokio Marine HCC’s major domestic insurance companies have financial strength ratings of ‘A+’ (Strong) from S&P Global Ratings, ‘A++’ (Superior) from AM Best, and ‘AA-’ (Very Strong) from Fitch Ratings; its major international insurance companies have financial strength ratings of ‘A+’ (Strong) from S&P Global Ratings. Tokio Marine HCC is the marketing name used to describe the affiliated companies under the common ownership of HCC Insurance Holdings, Inc. For more information, please visit www.tokiomarinehcc.com.

This article was created in partnership with Tokio Marine HCC - Cyber & Professional Lines Group (CPLG)
