The insurance industry must improve its understanding of cyber risk in small and medium business portfolios to allocate capital efficiently, Guy Carpenter says.

SMEs represent 45% of the cyber market’s exposure, the broker says in a new report.

“Granular” representation of SME portfolios will enable models to reflect risk accurately and allow the insurance market to expand more confidently in this segment, where rapid growth is expected to continue with increasing technological reliance.

“It is imperative to deepen our understanding of internal security controls within the defensive aspect of cyber risk and their limitations,” the report says. “A precise understanding of interdependencies is required.” 

Guy Carpenter says SMEs are not well modelled for cyber risk because challenges are different from those facing large businesses. Without better understanding, it might be “harder to attract capital at scale in the [SME] segment”, Guy Carpenter says.

SMEs typically have greater variability of cybersecurity measures due to smaller IT budgets and limited in-house expertise, and it is crucial to incorporate internal security controls into models to quantify risk exposure appropriately, because they vary widely. 

Current models are not easy to apply to the SME segment due to a lack of information regarding incidents and data.  

“Detailed inside-out information has to be provided by insurance companies and overlaid on the model output to create a better assessment of [SME] cyber catastrophe risk,” the report says. “Accurate quantification of their aggregation potential is critical to capacity deployment and risk management.”