The picture for small to medium-sized enterprises or SMEs in the United Kingdom (see figure below) is broadly consistent with that for larger firms, but for this segment of companies, (re)insurers see a higher incidence of cyber crime. For example, a small broker was targeted by a phishing scam, where an e-mail containing a link to malicious software was sent to the financial controller within the business. The controller was tricked into installing the software onto his personal computer, and this software was used to steal banking credentials. The cyber criminals were subsequently able to complete electronic wire transfers to the total of GBP100,000 over the following 10 days.
SMEs are also considered to be at a greater risk of data/software damage. This reflects the belief that SMEs are more vulnerable to attack and lack the back-up disaster-recovery solutions of larger firms. On the other hand, with the exception of those working on innovative technologies, most SMEs are considered less likely to suffer from losses connected to damaged reputation or intellectual property theft.
Most companies’ typical risks involve low-level impacts that can be managed within the business, monitored via a risk register and mitigated by insurance. That approach is likely to be inadequate for a tail risk like cyber, however, given the scale and pace with which it can threaten business viability. This becomes a reporting issue for listed firms under the viability statement now required by the UK Corporate Governance Code. More generally, it becomes a challenge for how risk governance operates.