- 36% of businesses ranked cyber as their most significant risk.
- Smallest SMEs less concerned: 20% selected cyber as biggest risk vs 40%+ across other sizes.
- Low confidence/desire to deal with cyber: IT and Cyber Security tops tasks decision makers dislike (25%).
- Other top risks: Business Interruption (30%), Reputational damage (27%), Fraud (26%), Regulation change (26%).
Aviva urges brokers to step in as SMEs underestimate cyber and other disruptive risks.
New SME research from Aviva finds that 36% of businesses rank cyber as their most significant risk, more than any other insurable risk[1].
However, the smallest SMEs (less than 10 employees) appear markedly less concerned, with just one in five (20%) micro firms selecting cyber as their biggest risk, compared with more than 40% across all other size bands. Appetite and confidence to tackle the issue are also low, with IT and cyber security topping the list of tasks SME decision makers dislike most (25%).
Alongside cyber, SMEs highlighted business interruption (30%), reputational damage (27%), fraud (26%) and regulatory change (26%) as top risks. Despite this, only 32% of SMEs are using a broker to stay up to date on regulatory or legislative changes that could affect their business; 48% rely on their own research. At the same time, 98% say they are up to date – a confidence that could be misplaced.
To mitigate a wide range of risks – from cyber incidents to business interruption and regulation – SMEs should make the most of their broker and the services they provide, ensuring they have the confidence and ability to grow.
SME cyber claims on the rise
Aviva’s research is in sharp contrast to its own cyber claims data, which shows that the number of cyber claims Aviva received from SMEs rose by 10% year on year[2]. The average cost of a cyber insurance claim from an SME is £40,000, with an average lifecycle of 300 days, underlining the need for adequate business interruption insurance alongside cyber cover[2].
Beyond cyber: interconnected risks that stop SMEs serving customers
While many companies are improving their own cyber defences, recent high-profile breaches often begin with vulnerabilities in third-party vendors or supply chains.
Aviva’s research shows business interruption (30%) and reputational damage (27%) are among the top SME concerns. One of the most effective ways to protect a business’s reputation is to ensure it can remain open. Cyber attacks often result in temporary, and in some cases permanent, closure of a business. Taking steps to prevent and protect a business from such an attack not only ensures its ongoing operations, but also supports its reputation.
Caspar Stops, Cyber Underwriting Manager, Aviva, said: “Cyber attacks on UK businesses are rising, with small firms increasingly targeted. While many companies are improving their own cyber defences, recent high-profile breaches often begin with vulnerabilities in third-party vendors or supply chains.
“As businesses become more digitised and interconnected, it’s challenging to monitor the security perimeter beyond their own walls. Attackers don’t care about size, they seek opportunity – meaning that unprepared organisations, regardless of size – are most at risk. Brokers have a unique opportunity to help smaller firms become more engaged and resilient.”
Protecting SMEs
Aviva recommends that brokers use renewal and midterm touchpoints to promote simple, high-impact controls for SME clients:
1. Use multi-factor authentication (MFA) on email, remote access and critical apps; enable phishing resistant MFA where feasible.
2. Carry out regular offline backups and tested restoration procedures to minimise ransomware downtime.
3. Patch fast, prioritise internet facing systems, and remove/limit remote desktop exposure. Download the National Cyber Security Centre: It’s time to act guide.
4. Employ business continuity basics: map critical suppliers, set recovery time objectives, and rehearse incident/communication plans to protect customer service and reputation.
5. Insist on governance and training: assign clear responsibility for cyber/operational resilience and run short, role-relevant awareness refreshers to blunt social engineering.
Aviva responds
To help brokers close the protection gap, Aviva offers two cyber products designed for SMEs:
- Cyber Respond: a streamlined solution for micro businesses (fewer than 10 employees; turnover <£1m), focused on 24/7 incident response, with cover for data/IT systems damage, increased cost of working, and optional external cyber crime (e.g., social engineering / funds transfer fraud).
- Cyber Complete: Aviva offers its broadest protection, including first-party, third-party, business interruption, data regulatory, and reputational management covers, with detailed policy wordings available for brokers.
ends
References:
1. The research was conducted by Censuswide, among a sample of 500 insurance decision makers at SME businesses in the UK. The data was collected between 27.08.2025 – 03.09.2025. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council. [↑]
2. Based on year-to-date cyber claims data from Aviva. [↑]