PIA Connection Online

The Cyber Reckoning: The Next Cyber Growth Story Is SMB

Cyber insurance’s next growth wave lies with small and mid-sized businesses, where rising exposure and low adoption create a critical opportunity for agents to close the protection gap.

Candace Boyle
6–9 minutes

The biggest opportunity for cyber insurance growth is not at the top of the market, but sits squarely with small and mid-sized businesses (SMB), many of which are uninsured today. “Most small businesses don’t have a cyber policy right now,” says Keith Savino, Managing Partner, Trucordia and the firm’s Cyber Practice Leader.

A surprisingly low percentage of small businesses carry coverage, according to recent surveys, leaving most unprotected when incidents occur. This is a stark contrast with breach exposure: small and medium businesses are increasingly common targets.

The contrast between market segments is stark. “As you move mid-market, the percentage of clients with cyber policies increases dramatically,” Savino explains. “If I’m talking to an account that’s doing $350 million a year in revenue and I don’t see a Cyber policy, I’m in shock.”

That divide—between where cyber insurance is well established and where it is largely absent—defines the current moment for independent agents.

The Market Has Grown Up

“The cyber industry has matured,” Savino noted. “Everyone in the space has matured, the producers, the insureds, and the carriers, perhaps most of all.”

Erin Burns, Director, with CRC Specialty’s National Cyber Practice sees that evolution clearly. Her firm traces its roots to 1997, when its legacy operation wrote one of the first cyber policies. Today, her team works nationally with retail agents to place cyber and technology risks for clients ranging from startups to multi-billion-dollar organizations.

“Claims are actually increasing,” Burns says. “Logically, you would think that the market should be hardening. We’re still not seeing that. It’s stabilizing, especially in the smaller space.” Capacity remains strong. New entrants continue to compete. Traditional carriers are pushing into smaller accounts. As a result, pricing has largely leveled out in the SMB segment.

That stability, however, should not be mistaken for reduced exposure. “It’s a really good time to buy. For agents, it’s a critical opportunity to talk to clients about it,” Burns notes. “The market will harden at some point. It’s just the nature of insurance.”

In many ways, the conditions today create a strategic window for agencies with small- and mid-sized clients. Underwriting requirements in the small business segment are not as stringent as they were during the hard market, making placement easier. “And they can use this time to help clients improve their cybersecurity controls,” Burns advises.

Carriers and wholesale partners increasingly offer risk assessments, breach readiness tools, and cyber hygiene resources that agents can share with clients. For many businesses, these assets will be as valuable as the coverage itself.

Why Small Businesses Still Say No

“Cyber is such a different coverage,” explains Ariel Rivera, Director of Carrier & MGA Distribution, Cyber & ID Theft Program Manager, RGS Limited. “There’s first party, there’s third party liability. There are many things that come into play when you try to sell a cyber policy.”

Rivera sees hesitation every day—but he doesn’t attribute it to indifference. “It’s not because the independent agent doesn’t have the knowledge. Most of them do,” he says. “It’s the customer that doesn’t understand the product yet.”

Perception remains a barrier. “A food truck may think it’s not a target. But they don’t realize that with a point-of-sale system, a cyber thief can easily steal data from their POS. Let’s say they steal credit card information from over 400 people…this can turn into a $150,000+ claim,” Rivera says.

Every Industry Has Exposure

Cyber exposure is no longer confined to financial institutions or healthcare. It includes operational risk, business interruption risk, privacy risk across nearly every industry. Certain classes, like construction, are frequently overlooked. “If their systems were down and they can’t put together a bid, they’re losing business,” Burns says. “There’s coverage for that.”

Operational technology creates additional vulnerabilities. “Some contractors use drones to survey land,” Burns notes. “There’s privacy coverage for that.”

Often, small businesses first learn about a breach from an outside entity. “Small businesses are often notified of a breach by the credit card processing companies,” Rivera explains. “And from there the financial impact can keep piling up.”

Cyber claims also tend to unfold over time. “Simply having knowledge of an act that’s going to give rise to a claim is a reason to pick up the phone and call,” Savino says. “Those first hours are really important.”

Coverage Gaps Matter

Understanding the policy language at a micro level is critical. “It’s so important to ensure that coverage provides first- and third-party cyber liability,” Rivera advises. “There are products out there that say they do cyber, but when you look at it, it’s just data restoration.”

Policy form variability remains one of the biggest risks for agencies. “We don’t have a standard policy form out there,” Burns explains. “Every carrier does things differently.” That inconsistency makes expertise critical.

“The worst thing to do is provide a cyber quote, not really understand it, and then they have a loss and that loss isn’t covered because you didn’t ask for the right coverages, something that could have been avoided if it was placed correctly,” Burns says. For agencies without deep in-house cyber knowledge, partnering with a specialist can serve as an extension of the agency, handling negotiations and structure while preserving the client relationship.

Everyone is talking about AI today. “But it doesn’t matter what drove the attack,” Burns explains. “It’s the event itself that determines whether there’s coverage under the policy.” If the underlying event is covered, the technology that facilitated it may not change the outcome.

At the same time, carriers continue to innovate, adding AI-related privacy language, introducing upfront cyber cash features to address business interruption liquidity, and developing standalone crime solutions to address social engineering and invoice manipulation sub-limits.

The Cyber Shift in Real Time

“Cyber is not an emerging risk—it’s been maturing for many years now,” Rivera says. Claims are increasing. Coverage is evolving. Capacity is strong—for now.

“Agents should make sure they’re quoting every single account, even if the client’s not buying just yet,” Burns says. “It’s very easy to quote and it protects the agency from an E&O perspective.”

Savino believes the shift is inevitable. “I’m envisioning the industry moving to consider cyber similarly to workers’ comp. It’s critical coverage. There is no choice here,” he says.

“It’s not a matter of whether they should do it,” Rivera agrees. “They have to do it.”

The largest accounts are already insured. The middle market is catching up. But the small business segment is still wide open.  The same book of business many agencies already serve—contractors, food trucks, professional firms, small retailers—is where the next wave of cyber growth will occur. For independent agents, that’s the opportunity.

Cyber: What Agents Can Do Right Now

  • Quote Every Account: Even if the client declines coverage, offering it protects your agency from an E&O perspective and reinforces that you’re proactively addressing exposure.
  • Normalize Cyber as a Core Line: If cyber is positioned as optional or specialty, clients will treat it that way. If it’s presented as standard protection, adoption changes.
  • Simplify the Conversation for SMB Clients: Cyber is such a different coverage. Agents can lead with technical controls, but ask about the business impact:
    • What happens if your systems are down?
    • What happens if customer data is compromised?
    • What happens if funds are misdirected?
  • Don’t Assume Any Industry Is Low Risk: Everyone has an exposure. Construction firms, real estate companies, law offices, contractors using drones—cyber is operational risk, not just data risk. If a business relies on technology to function, it has exposure.
  • Understand What the Policy Actually Covers: Cyber policies vary widely. Not every product includes:
    • First-party business interruption
    • Third-party liability
    • Social engineering
    • Invoice manipulation
    • Regulatory response

Some policies marketed as cyber are little more than data restoration coverage. If you don’t have deep expertise in-house, partner with a specialist.

  • Rethink Admitted vs. Non-Admitted Assumptions: Non-admitted markets may provide broader, more responsive coverage because cyber language evolves quickly. In this line, E&S doesn’t mean less than.
  • Use the Current Market to Strengthen Clients: It can be a good time to buy and the perfect time for clients to improve cybersecurity controls. Agencies that help clients improve MFA usage, credential controls, and overall cyber hygiene now will be better positioned when underwriting tightens.
  • Encourage Early Reporting: Cyber claims don’t unfold like property losses. They escalate. They spread. They involve vendors, regulators and legal response. Clients need to know: if something looks suspicious, call immediately.
  • Don’t Let AI Distract from Fundamentals: AI may be changing how attacks happen, but core exposures — ransomware, business interruption, social engineering — remain the primary drivers of loss. Focus on coverage fundamentals first. It doesn’t matter what drove the attack—the event itself determines whether there’s coverage.
  • Lead the Conversation: This is not an emerging risk and should be offered to the client. The growth opportunity isn’t in inventing new products, it’s in closing the protection gap that already exists in your book of business.

Leave a comment

Trending