UK small and medium-sized enterprises (SMEs) are facing a growing cyber threat, but the smallest firms are the least prepared. Aviva is urging brokers to step in as SMEs underestimate cyber and other disruptive risks. According to new research from Aviva, 36% of businesses rank cyber as their most significant risk, ahead of any other insurable risk. However, the smallest SMEs (those with fewer than 10 employees) appear less concerned, with only 20% selecting cyber as their biggest risk, compared to over 40% across other size categories. This lack of concern is compounded by low appetite and confidence to address the issue: IT and cyber security are the tasks SME decision-makers most dislike (25%).
In addition to cyber risks, SMEs highlighted business interruption (30%), reputational damage (27%), fraud (26%), and regulatory change (26%) as top concerns. Despite this, only 32% of SMEs use brokers to stay updated on regulatory or legislative changes that could impact their business, while 48% rely on their own research. Interestingly, 98% of SMEs believe they are up to date, a confidence that could be misplaced. To mitigate a wide range of risks, from cyber incidents to business interruption and regulation, SMEs should leverage their brokers and the services they offer, ensuring they have the confidence and ability to grow.
The research is in stark contrast to Aviva's cyber claims data, which reveals a 10% year-over-year increase in cyber claims from SMEs. The average cost of a cyber insurance claim from an SME is £40,000, with an average lifecycle of 300 days, emphasizing the need for adequate business interruption insurance alongside cyber coverage. As businesses become more digitized and interconnected, monitoring the security perimeter beyond their own walls becomes challenging. Attackers don't discriminate based on size; they seek opportunities, making unprepared organizations, regardless of size, the most vulnerable. Brokers have a unique opportunity to help smaller firms become more engaged and resilient.
To protect SMEs, Aviva recommends that brokers utilize renewal and mid-term touchpoints to promote simple yet impactful controls for their SME clients. These controls include:
1. Implementing multi-factor authentication (MFA) on email, remote access, and critical applications, with phishing-resistant MFA where possible.
2. Conducting regular offline backups and testing restoration procedures to minimize ransomware downtime.
3. Patching systems promptly, prioritizing internet-facing systems, and reducing remote desktop exposure. Download the National Cyber Security Centre's 'It's time to act' guide.
4. Employing business continuity basics, such as mapping critical suppliers, setting recovery time objectives, and rehearsing incident/communication plans to safeguard customer service and reputation.
5. Insisting on governance and training, assigning clear responsibility for cyber/operational resilience, and conducting short, role-specific awareness refreshers to counter social engineering.
Aviva offers two cyber products tailored for SMEs: Cyber Respond and Cyber Complete. Cyber Respond is a streamlined solution for micro businesses (fewer than 10 employees; turnover < £1m), focusing on 24/7 incident response, with coverage for data/IT systems damage, increased cost of working, and optional external cyber crime (e.g., social engineering/funds transfer fraud). Cyber Complete provides Aviva's broadest protection, including first-party, third-party, business interruption, data regulatory, and reputational management covers, with detailed policy wordings available for brokers.
The research was conducted by Censuswide among 500 insurance decision-makers at SME businesses in the UK, with data collected between 27.08.2025 and 03.09.2025. Censuswide adheres to the Market Research Society's code of conduct and ESOMAR principles and is a member of the British Polling Council.