Perspectives: What’s next for insurers — mitigating supply-chain cyber risks

Small and mid-sized businesses are increasingly in the crosshairs of cybercriminals, with 61% of those surveyed reporting they experienced a cyberattack last year. While it might seem that cybercriminals would be better off targeting big corporations for a larger payday, in reality SMBs are easier targets. They often lack the resources for robust internal cybersecurity teams and layered defense systems. Because criminals generally choose the path of least resistance, it makes sense for them to adopt a high-volume, smaller-payout strategy that’s just as lucrative with less effort.

The result? SMBs are prime targets. But it’s not just through direct attacks. In fact, most SMBs become victims without ever being directly targeted.

The growing reliance on outside vendors is a key reason. As the digital supply chain expands, new vulnerabilities and entry points emerge for cybercriminals. They often seize opportunities to compromise dozens — and frequently hundreds — of SMBs at a time by targeting a single third-party service provider.

It’s an increasingly difficult situation for insurers, which may face either large claims or policy disputes. To avoid both while strengthening customer loyalty, SMB insurers must find a way to help those clients manage digital supply chain risks.

Third-party compromises

Given today’s interconnected business environment, SMBs are only as secure as their least secure vendor. Many breaches originate from digital partners that provide everything from cloud storage or payment processing to medical care or payroll services.

These vendors often hold or can access sensitive data for multiple organizations, which presents a potential jackpot for attackers. While SMBs may believe they are too small for a cyber incident to affect them, many are quickly realizing that’s a mistake. What’s worse, fewer than half have cyber insurance protection to help them recover. For those that do, a lack of advanced risk mitigation can lead to bad outcomes, with insurers potentially left to absorb the consequences.

To make matters worse, TransUnion’s analysis of publicly reported data breaches in 2024 revealed that their severity is rising. Cybercriminals are increasingly targeting sensitive personal information to use in future scams, causing even greater damage. In 2024, the average breach severity score increased 34% — its highest level since TransUnion initiated studies in 2020.

SMBs often lack the resources to vet or monitor their vendors’ cybersecurity practices. This creates an opportunity for insurers to help fill the gap as risk mitigation partners, earning the trust and loyalty of policyholders.

Helping SMBs build resilience

Forward-thinking insurers and agents can play a more active role as advisers in risk prevention. Guiding SMB customers through digital supply chain-focused risk assessments and appropriate cyber insurance coverages provides stronger protection for both the business and the insurer.

Here are four areas where insurers can lead:

1. Mapping vendor ecosystems. Many SMBs lack a complete picture of who has access to their sensitive data. Their vendor list can span software providers, marketing agencies, managed services and other contractors — each of which may handle customer information, employee records or financial data.

Recommendation: Encourage policyholders to list all third-party vendors with access to digital systems or sensitive data. This mapping exercise establishes a foundation for identifying weak links and prioritizing the most significant risks.

2. Assessing vendor security posture. Not all vendors pose the same risks. Some may have mature cybersecurity practices, while others may not encrypt customer data or use multi-factor authentication. SMBs need a systematic approach to evaluating and understanding vendor risk.

Recommendation: Suggest that SMBs require critical vendors to complete cybersecurity questionnaires or provide independent audit results. Insurers can add value to their offerings by providing policyholders with access to cyber due diligence templates.

3. Including cyber clauses in contracts. Many SMBs rely on standard agreements. Unfortunately, many of those don’t include minimum cybersecurity expectations or breach notification timelines. Clearly outlining contractual obligations can reduce ambiguity in the event of a breach and promote better vendor behavior.

Recommendation: Educate clients on the importance of including cyber clauses in vendor contracts. These can define responsibilities for data protection, timelines for breach notification and liabilities if vendor negligence leads to a data compromise.

4. Enhancing cyber coverage for third-party risk. Even with best practices, data exposure can still happen. Because third-party compromises are still common, SMBs should consider cyber insurance policies that adequately cover their risk from both direct attacks and third-party liabilities. SMBs should not assume vendors will bear the financial burden of a breach.

Recommendation: Work with clients to evaluate whether their cyber insurance provides sufficient third-party coverage. Key features to consider include coverage for legal costs, regulatory fines, notification expenses and business interruption stemming from a vendor-related incident.

Expanding the risk conversation

Digital supply chain risks for SMBs are growing in cost and complexity. A single vendor failure can disrupt normal operations, compromise sensitive data and expose an SMB to severe financial or reputational damage. For insurers, the risks include large claims or disgruntled clients who discover that vendor-related losses aren’t covered. As vendor-related breaches increase in severity, the claims tied to third-party failures could become one of the largest drivers of cyber loss among SMB portfolios.

The evolving cyber risk landscape requires insurers to become more active and engaged with SMB clients. Doing so can earn them their place among their clients’ most trusted advisers and position them to lead in a marketplace that increasingly values prevention over payout.

Matt Cullina is head of TransUnion’s global cyber insurance business. He can be reached at [email protected]