- 36% of businesses ranked cyber as their most significant risk.
- Smallest SMEs less concerned: 20% selected cyber as biggest risk vs 40%+ across other sizes.
- Low confidence/desire to deal with cyber: IT and Cyber Security tops tasks decision makers dislike (25%).
- Other top risks: Business Interruption (30%), Reputational damage (27%), Fraud (26%), Regulation change (26%).
Aviva urges brokers to step in as SMEs underestimate cyber and other disruptive risks.
New SME research from Aviva finds that 36% of businesses rank cyber as their most significant risk, more than any other insurable risk[1].
However, the smallest SMEs (less than 10 employees) appear markedly less concerned, with just one in five (20%) micro firms selecting cyber as their biggest risk, compared with more than 40% across all other size bands. Appetite and confidence to tackle the issue are also low, with IT and cyber security topping the list of tasks SME decision makers dislike most (25%).
Alongside cyber, SMEs highlighted business interruption (30%), reputational damage (27%), fraud (26%) and regulatory change (26%) as top risks. Despite this, only 32% of SMEs are using a broker to stay up to date on regulatory or legislative changes that could affect their business; 48% rely on their own research. At the same time, 98% say they are up to date – a confidence that could be misplaced.
To mitigate a wide range of risks – from cyber incidents to business interruption and regulation – SMEs should make the most of their broker and the services they provide, ensuring they have the confidence and ability to grow.
SME cyber claims on the rise
Aviva’s research is in sharp contrast to its own cyber claims data, which shows that the number of cyber claims Aviva received from SMEs rose by 10% year on year[2]. The average cost of a cyber insurance claim from an SME is £40,000, with an average lifecycle of 300 days, underlining the need for adequate business interruption insurance alongside cyber cover[2].
Beyond cyber: interconnected risks that stop SMEs serving customers
While many companies are improving their own cyber defences, recent high-profile breaches often begin with vulnerabilities in third-party vendors or supply chains.
Aviva’s research shows business interruption (30%) and reputational damage (27%) are among the top SME concerns. One of the most effective ways to protect a business’s reputation is to ensure it can remain open. Cyber attacks often result in temporary, and in some cases permanent, closure of a business. Taking steps to prevent and protect a business from such an attack not only ensures its ongoing operations, but also supports its reputation.
Caspar Stops, Cyber Underwriting Manager, Aviva, said: "Cyber attacks on UK businesses are rising, with small firms increasingly targeted. While many companies are improving their own cyber defences, recent high-profile breaches often begin with vulnerabilities in third-party vendors or supply chains.
“As businesses become more digitised and interconnected, it’s challenging to monitor the security perimeter beyond their own walls. Attackers don’t care about size, they seek opportunity - meaning that unprepared organisations, regardless of size - are most at risk. Brokers have a unique opportunity to help smaller firms become more engaged and resilient."
Protecting SMEs
Aviva recommends that brokers use renewal and midterm touchpoints to promote simple, high-impact controls for SME clients:
1. Use multi-factor authentication (MFA) on email, remote access and critical apps; enable phishing resistant MFA where feasible.
2. Carry out regular offline backups and tested restoration procedures to minimise ransomware downtime.
3. Patch fast, prioritise internet facing systems, and remove/limit remote desktop exposure. Download the National Cyber Security Centre: It's time to act guide.
4. Employ business continuity basics: map critical suppliers, set recovery time objectives, and rehearse incident/communication plans to protect customer service and reputation.
5. Insist on governance and training: assign clear responsibility for cyber/operational resilience and run short, role-relevant awareness refreshers to blunt social engineering.
Aviva responds
To help brokers close the protection gap, Aviva offers two cyber products designed for SMEs:
- Cyber Respond: a streamlined solution for micro businesses (fewer than 10 employees; turnover <£1m), focused on 24/7 incident response, with cover for data/IT systems damage, increased cost of working, and optional external cyber crime (e.g., social engineering / funds transfer fraud).
- Cyber Complete: Aviva offers its broadest protection, including first-party, third-party, business interruption, data regulatory, and reputational management covers, with detailed policy wordings available for brokers.
ends
References:
1. The research was conducted by Censuswide, among a sample of 500 insurance decision makers at SME businesses in the UK. The data was collected between 27.08.2025 - 03.09.2025. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council. [↑]
2. Based on year-to-date cyber claims data from Aviva. [↑]
Enquiries:
Erik Nelson
Motor Insurance and Compensation Culture, Fraud and Data
-
Phone
-
+44 (0) 7989 427086
-
-
Email
Notes to editors:
- We are the UK's leading diversified insurer and we operate in the UK, Ireland and Canada. We also have international investments in India and China.
- We help our 25.2m customers make the most out of life, plan for the future, and have the confidence that if things go wrong we’ll be there to put it right.
- We have been taking care of people for more than 325 years, in line with our purpose of being ‘with you today, for a better tomorrow’. In 2024, we paid £29.3 billion in claims and benefits to our customers.
- In 2021, we announced our ambition to become Net Zero by 2040, the first major insurance company in the world to do so. While we are working towards our sustainability ambitions, we recognise that while we have control over Aviva’s operations and influence over our supply chain, when it comes to decarbonising the economy in which we operate and invest, Aviva is one part of a far larger global system. Nevertheless, we remain focused on the task and are committed to playing our part in the collective effort to enable the global transition. The scope of our Climate ambitions and the risks and opportunities associated with our Climate strategy are set out in our Transition Plan published in February 2025: www.aviva.com/sustainability/taking-climate-action. Find out more about our sustainability ambition and action at www.aviva.com/sustainability
- Aviva is a Living Wage, Living Pension and Living Hours employer and provides market-leading benefits for our people, including flexible working, paid carers leave and equal parental leave. Find out more at www.aviva.com/about-us/our-people/
- As at 30 June 2025, total Group assets under management at Aviva Group were £419 billion and our estimated Solvency II shareholder capital surplus as at 30 September 2025 was £7.0 billion. Our shares are listed on the London Stock Exchange and we are a member of the FTSE 100 index.
- For more details on what we do, our business and how we help our customers, visit www.aviva.com/about-us
- The Aviva newsroom at www.aviva.com/newsroom includes links to our spokespeople images, podcasts, research reports and our news release archive. Sign up to get the latest news from Aviva by email.
- You can follow us on:
- X: www.x.com/avivaplc/
- LinkedIn: www.linkedin.com/company/aviva-plc
- Instagram: www.instagram.com/avivaplc
- For the latest corporate films from around our business, subscribe to our YouTube channel: www.youtube.com/user/aviva
