Cyber Risk Insurance – An Effective Risk Management Tool for SMEs in the UK?

DOI: 10.3366/elr.2023.0826
Author
Pages: 157-184
Date: 01 May 2023
Published date: 01 May 2023
INTRODUCTION

Small and medium-sized enterprises (SMEs)1 make up around 99% of all businesses operating in the United Kingdom (UK)2 and are often regarded as the backbone of the economy.3 With an increased reliance on digitalisation, data breaches and security incidents have been commonplace for all businesses; and to a large extent SMEs are more vulnerable to such perils, as they often lack the technical expertise, knowledge and resources to protect their data and business. In a cyber security context, although prevention is often the preferred option for risk managers,4 there is no denying the fact that cyber risk insurance5 could prove to be a valuable risk management tool for SMEs, given that it can provide the support they need to get back to business following a cyber breach and/or incident.

The main purpose of this paper is to evaluate how effectively cyber risk insurance is utilised by SMEs as a risk mitigation tool. Accordingly, we aim to focus on the debate from the perspective of providers of cyber risk insurance (risk carriers) and users of such products (SMEs). Therefore, by adopting a systematic qualitative analysis, we shall elaborate on what losses are normally covered by cyber insurance policies, what losses are excluded and what kind of risk control clauses are employed by cyber risk insurers to deal with the risk aggregation problem6 and moral hazard issue7 in cyber risk policies. It needs to be stressed at this juncture that the authors' knowledge and experience of the insurance industry8 and interviews conducted with those on the supply side of the market (i.e., insurers and insurance brokers) played a significant role in shaping our analysis.

Turning to the other side of the equation, by obtaining data from randomly, but purposively selected SMEs, we aim to acquire an appreciation of the degree of understanding SMEs have of this relatively new insurance product and to what extent they are currently utilising it as a risk mitigation tool. In instances where they are not utilising it, we aim to understand the reasons behind their decision and evaluate what kind of changes in the nature and scope of such insurance products might incentivise SMEs to consider their wider use.

Our research seeks to fill what we perceive to be a critical gap in the design, understanding and purchase of cyber risk insurance for SMEs by subjecting the supply and demand side of this new product to a critical analysis. We hope the outcomes of this study will inform: i) the cyber risk insurers as to how they can tailor their products to enhance their commercial appeal; ii) SMEs as to the need to purchase the right kind of cyber risk insurance product; and iii) policymakers by highlighting the need to provide better training to SMEs as to the role of cyber risk insurance as a risk mitigation tool. To this end, we shall first provide a description of relevant literature, followed by an explanation of our research methodology, data, and results of our content analysis and interactions with various SMEs.

LITERATURE REVIEW

The existing literature almost exclusively focuses on the theoretical examination of asymmetric information, network externalities9 and insurability of cyber risks in the market.10 Particular emphasis is often placed in academic literature on information structures that create particular difficulties for cyber risk insurers and problems associated with the cyber insurance cover (i.e., adverse selection and moral hazard).11 The former is a potential outcome of information imbalance in favour of the assured, and the latter is the risk of the assured taking less than optimal precautions against the insured risk after the attachment of the policy.

There is some qualitative research on cyber risk policies but these are restricted to analysing various insurance policies available12 and examining self-assessment questionnaires provided to potential assureds by insurance companies.13 Some researchers have also attempted to conduct theoretical modelling of a cyber insurance market by analysing the products offered by various insurers.14

Academic work has also been carried out evaluating the role of cyber risk insurance in enhancing cyber security and its benefit to society. For example, some researchers have found that it is hard to achieve a market equilibrium that improves network security without contract discrimination amongst users.15 Another study concluded that cyber risk insurance is a high-security investment that could potentially have a positive impact on social welfare by making the internet safer for all users.16 More recently, academic debate has focussed on whether the introduction of compulsory cyber risk insurance is a vital step in improving cyber security standards particularly with regard to SMEs17 with some commentators arguing that cyber risk insurance should not be extended to cover ransom payments.18

To our knowledge, no academic study has been carried out to evaluate the scope of cyber risk insurance cover afforded to SMEs and the suitability of cyber cover on offer, especially in the UK context. Likewise, no study has considered the attitude of SMEs to cyber risks and their willingness to utilise cyber risk insurance as a mitigation tool. This study aims to fill this gap by not only considering the demand side of cyber risk insurance, but also studying the awareness of SMEs of cyber risk exposure and their attitude towards cyber risk products available in the market. We are of the opinion that this approach will provide a sound foundation in understanding how this novel insurance product can be developed and utilised in a more efficient manner to the benefit of SMEs, the insurance industry, and society as a whole.

RESEARCH METHODOLOGY AND DATA COLLECTION

In the following part (D), we shall share the results of the thematic analysis that we have undertaken, with a view to identifying and categorising themes and concepts, and deriving meaning and insights, across a collection of standard insurance policies used by insurers when underwriting cyber risk insurance for SMEs. We have obtained these policies from several insurance brokers independent of each other, so we are relatively confident that we secured access to a large number of samples commonly used in the market.19 Also, some large insurance companies make their standard coverage terms available online (such as Hiscox and Travelers); and we have, accordingly, obtained the text for such policies from the websites of these insurance providers.

In order to determine the appropriate number of cyber risk policies to examine, we employed a common form of qualitative non-probabilistic sampling known as “purposive sampling”.20 Sampling size in purposive sampling is determined by a concept called “thematic saturation”, which is the point at which “no additional data are being found whereby the researcher can develop properties of the category – the point where no new concepts emerging”.21 We believe we reached that point after analysing 14 policies.

At the beginning of the coding process, a master codebook was created which recorded the following metadata for each docket: the relevant insurance company, the product name, the insurance line, coverage/exclusions, provisions dealing with moral hazard risk, and claim-related issues. Two teams composed of the authors (and research assistants) of this article coded the coverage/exclusions, moral hazard, and claim-related issues. Each team developed their own codebook as they examined and processed their respective documents. The codebooks for each section were guided by an inductive approach that enabled investigators to identify themes and patterns within their respective documents. The authors followed common coding practices to first deductively anticipate initial coding variables, and then, as each subsequent policy was examined, updated the codebook in order to capture unexpected findings. The themes were adjusted, creating new themes and collapsing redundant ones, as needed. The ultimate data obtained was checked by all contributors at the end. We believe that the coding practice undertaken here was straightforward and less open to interpretation, as it was the direct result of whether a particular provision was present or not in the policy document. It needs to be stressed that we found the format of these policies to be standardised, and this assisted us immensely in the process of coding.

In Part E, you will find the results of the data collected from UK SMEs, with a primary view to determining the effectiveness of cyber risk insurance as a risk mitigation tool. As you will note, the study reveals other important and relevant information, such as their understanding of the coverage provided and the significance of various contractual mechanisms employed by cyber insurers to protect themselves against the risk of moral hazard and ensure the smooth running of the claims process. For this part, naturally a different research methodology has been employed, namely the method of probability (random) sampling.22 When selecting our sample group, our purpose was to acquire an accurate representation of the current SME sector in the UK. To this end, we utilised statistics provided by the UK government on SMEs.23 In 2021, in terms of business density rates (numbers of SMEs per 10,000 resident adults) London had 1460, Wales 796, Scotland 752, Northern Ireland 825 and the rest of England (South West, South East, East of England, Yorkshire and the Humber, North West, North East, West Midlands, East Midlands) 974. So that our sample group appropriately represents all parts of the UK proportionately, we strived to gather samples at the following rate from different parts of the UK: 30.5% (London), 11.9% (Wales), 10.16% (Scotland), 9.32% (Northern Ireland) and 38.12% (rest of England).24

The same statistics reveal that the main industries that these SMEs engaged in, in terms of turnover and employment, are the...
