SME Cyber Risk: Understanding Protection Gaps and the Insurance Opportunity

Summary

  • SME cyber risk in Emerging Asia is increasingly prevalent and significant. Of the SMEs surveyed in Peak Re’s Consumer Survey, 84% said they had experienced a cyber threat in the past and 28% suffered business disruption as a result.

  • The cyber protection gap is driven not only by growing exposure but also by gaps in risk awareness and preparedness. Many SMEs believe they are reasonably protected from cyber risks due to their small size and limited digital footprint, or that their existing cyber security measures are enough.

  • Cyber insurance adoption is limited by three practical barriers: awareness, affordability and cyber capability gaps. Confusion with non-insurance cyber protections adds to the awareness factor.

  • There is a meaningful role for insurers to better support SMEs. Rising regulatory and supply-chain pressures are likely to increase SME cyber insurance demand, but closing protection gaps may require strengthening risk awareness, clearer positioning of insurance, and simpler underwriting combined with modular, affordable solutions customised to SME needs.

 

Introduction: Rising cyber risk exposure among SMEs

Small and Medium-sized Enterprises (“SMEs”) are the backbone of Emerging Asia[1], accounting for 98.7% of all enterprises, 65% of the labour force and around 38% of the GDP[2]. SMEs have also rapidly expanded their digital footprint through e-commerce, digital payments and online marketing, especially after the pandemic.

That shift has created an opportunity, but it has also widened their cyber risk exposure. Faster digital adoption, combined with still-developing cyber defences and tighter resources, has increased the vulnerability of many SMEs to cyber-attacks.

Peak Re’s Emerging Asia Middle-Class Consumer Survey (“Peak Re Consumer Survey”)[3] asked small business owners about their experience with cyber incidents.

  • 84% said they had experienced a cyber threat (Exhibit 1). In India and Vietnam, the figure was even higher, at more than 90%.

  • 28% of SMEs reported disruption to business due to a cyber incident.

  • Data breaches (41%), followed by phishing and email fraud (36%), were the most commonly experienced cyber threats, with India notably also experiencing a high number of AI-driven frauds and scams (45%).

  • 42% of SME owners believe a serious data breach or a cyberattack could significantly threaten the financial health of their company.

 

Exhibit 1: 84% of SMEs have experienced a cyber threat in the past

Source: Peak Re Consumer Survey 2025


A notable gap between cyber preparedness and confidence 

Despite their experience with cyber incidents and recognition of the threat in principle, around 80% of SME owners in the Peak Re Consumer Survey believed their business is adequately protected from cyber attacks. This stands in contrast to larger firms, where a Gartner survey[4] found that 61% of CEOs were “very concerned” about cybersecurity threats to their business.

So why the disconnect?

  • The top reason, cited by 50% of SMEs, was the belief that their size or limited digital footprint makes them a less attractive target for cyber attacks (Exhibit 2).
    Yet, broader industry data presents a different picture. The 2026 Verizon Data Breach Investigations Report found that 1 in 3 confirmed data breaches, globally, involved small organisations[5]. It also found that small firms face many of the same threats as larger ones, including ransomware, but usually with fewer resources to prevent, detect and respond to attacks.

  • The perception of security among SMEs may also reflect a risk assessment gap. Around 43% of SME respondents said they believe their existing IT and cybersecurity measures are sufficient to fend off attacks. However, given how quickly cyber threats are evolving, this may indicate a potential overestimation of the effectiveness of existing cyber defenses. Outsourcing of IT services is another popular reason reported for feeling protected from cyber risks.

  • Without conducting data sensitivity classification and vulnerability assessments, SMEs may also not fully recognise the value or sensitivity of the data they hold.

Exhibit 2: Top reasons stated by SMEs for feeling safe against cyber risks


Source: Peak Re Consumer Survey 2025. Q. What are the main reasons you feel your business is protected against cyber risks? (Select and rank up to 3 items).


Why cyber insurance still struggles to gain traction among SMEs: The awareness factor

A study[6] estimated that only around 10% of SMEs globally have cyber insurance. In Emerging Asia, we believe that the share is likely even lower, and penetration remains highly uneven.

Awareness remains the primary factor.

  • More than half of SME respondents (55%) said they were not familiar with cyber insurance, including 27% who said they had never heard of it (Exhibit 3).

  • There is also ambiguity about what counts as insurance. 12% of respondents said they rely on cyber protection from a cloud provider or cybersecurity company. These services may facilitate access to third-party insurers but do not typically constitute cyber insurance products themselves. There could be potential misunderstandings with cyber warranties or incident response services sold by these vendors. Such guarantees are typically linked to the underlying product/service and may be different from comprehensive cyber insurance.

  • Misunderstandings about existing insurance cover add to the gap. 11% believed cyber risk is covered by their business general liability or property policies, although, in practice, cyber cover is often excluded or limited under such policies.

Exhibit 3: Low awareness of cyber insurance (54%), and common misunderstandings (23%) are key drivers of cyber protection gaps


Source: Peak Re Consumer Survey 2025. Q3. Are you aware of cyber insurance policies that can protect you in case of cyber threats like data breaches, or ransom attack? Q3b. How familiar are you with such cyber insurance products?


Cyber insurance awareness and penetration vary by sector. SME respondents in the technology and IT sector reported higher awareness, with only 14% saying they are unaware of cyber insurance, in contrast with 53% of professional services firms (such as legal and consulting businesses) that said so. This suggests that insurers may need to consider adopting more tailored approaches by sector when it comes to awareness-building, distribution and underwriting.


Demand-side barriers to SMEs’ cyber insurance adoption

Awareness and trust: Our findings highlight several drivers of cyber protection gaps, including awareness and risk assessment gaps. Many SMEs may also struggle to work out what cover they actually need, or how to interpret policy wordings and exclusions. Trust is part of the problem too. According to the World Economic Forum’s Global Cybersecurity Outlook 2025[7], 64% of small organisations, globally, express low confidence in cyber insurance, compared with 30% of large organisations (Exhibit 4).

Exhibit 4: 64% of small organisations globally express low confidence in cyber insurance

Source: World Economic Forum Global Cybersecurity Outlook 2025

 

Affordability: To many SMEs, often working with tight budgets and limited discretionary spending, cyber losses may feel possible but remote, while insurance premium expenses are immediate and visible. Against competing business priorities, this can make the value proposition for cyber insurance more difficult for some SMEs to assess or justify.

Skill and capability constraints: Even where interest exists, some SMEs may struggle to meet the basic cyber hygiene, controls and documentation needed for eligibility. Resource constraints in maintaining robust controls can also mean higher premiums, lower limits or more restrictive cover, making meaningful protection harder to access.

What could help close the cyber protection gap?

A combination of stronger risk awareness measures, better support for cyber resilience and skills building, and simpler, modular, affordable insurance solutions can help address these gaps.

  • Changing perceptions
    • Making the risk tangible: Peer benchmarking and case studies can help showcase SMEs’ cyber exposure and make the risk more tangible in terms of business outcomes such as downtime costs, lost revenue, recovery costs and potential regulatory or third-party liability costs, which may help improve risk awareness.

    • Education on cyber maturity as a journey rather than a binary decision. A simplified risk assessment of business cyber maturity can help lay out what basic versus comprehensive cyber resilience looks like for SMEs, and at what cost.

    • Drawing a clearer distinction between insurance as risk transfer for both first-party and third-party risks, compared to the services and guarantees provided by cybersecurity or other platform vendors.

  • Regulation, contracts and public support are acting as catalysts
    • Across Emerging Asia, expanding data protection, cybersecurity and incident notification regimes are increasing potential legal, regulatory and contractual obligations for SMEs, although the scope, triggers and enforcement vary significantly by jurisdiction (Exhibit 5).

    • At the same time, large corporates and regulated entities are cascading these obligations through supply chains, requiring SMEs to meet regional and global cybersecurity standards.
      This highlights that cyber risk is a management and governance issue, in addition to a technical one.

    • To support SMEs in meeting these rising obligations, government agencies and public-private partnerships are increasingly supporting capacity building, cybersecurity education, cyber risk assessments and skill development. Government-issued guidance and standardised cybersecurity guidelines, practical resources for education, and public subsidies for cyber audits and recovery services could help deepen cyber resilience and support greater awareness and cyber insurance adoption.

 

  • Simpler underwriting and more product flexibility
    • Reducing frictions for insurance adoption by simplifying product language and purchase process, and exploring modular, sector-specific solutions with flexible pricing that may help lower upfront cost barriers for SMEs.

    • Partnerships with government schemes, technology providers and wider SME ecosystems can also help improve distribution efficiency and expand market reach.

    • Just as importantly, greater transparency may help build trust - from clearer guidance on what happens during and after a cyber incident to a more straightforward and easy-to-understand claims process.

 

  • Bundling insurance with prevention and response services

Insurers may strengthen their value proposition by bundling cyber cover with prevention and response services. This could include insurer-led, pre-approved minimum-security packages that support SMEs in building a basic level of cyber resilience, alongside operational support and practical risk guidance that businesses can act on before and after an incident.

 

Exhibit 5: Cyber regulatory landscape for SMEs in Emerging Asia

China: China’s Cybersecurity Law (2017, amended in January 2026) may apply to SMEs that qualify as network operators, requiring them to implement cybersecurity controls in accordance with the applicable Multi-Level Protection Scheme (“MLPS”) requirements. It also sets out enforcement and penalties as well as incident reporting and response obligations, and operates alongside the Data Security Law (DSL) and Personal Information Protection Law (PIPL).

India: On 25 July 2025, the Indian Computer Emergency Response Team (CERT-In) issued the Comprehensive Cyber Security Audit Policy Guidelines, which introduced mandatory annual cybersecurity audits for all organisations in India handling critical data or infrastructure, including MSMEs, effective 1 September 2025. The comprehensive cybersecurity audits by empanelled auditors will cover 15 core cyber defence controls and 45 recommendations.

Other compliance requirements include incident reporting within 6 hours, data log retention requirements and vulnerability assessments. The Digital Personal Data Protection Act 2023 (“DPDP Act”) imposes accountability for handling personal data, including obligations for security safeguards and breach management.

Southeast Asia: Many jurisdictions have adopted personal data protection laws aligned with General Data Protection Regulation (GDPR) standards that require secure data handling and controls and expect firms to conduct risk assessments, incident response plans and continuous monitoring. In some countries, like Singapore and Thailand, SMEs operating in regulated sectors may be subject to stricter cybersecurity, incident response and compliance requirements. The Southeast Asia region is also increasingly moving toward establishing national cybersecurity frameworks.

Note: This is a high-level summary for general information purposes only and does not constitute legal advice.

 

Conclusion

As SMEs in Emerging Asia are becoming more digitalised and more integrated with global supply chains, there is a growing need to strengthen their cyber preparedness and insurance protection. The challenge is not just that cyber threats are rising, but that many smaller firms may not fully gauge their changing exposure, may hold optimistic views about their cyber resilience, or face challenges in navigating what protection is available.

This creates both a cyber protection gap and a meaningful avenue for the insurance industry to support SMEs’ cyber resilience.

Regulatory expectations and supply-chain contractual requirements are likely to further increase cyber risk awareness and insurance demand from SMEs. Insurers and reinsurers also play a vital role in strengthening preparedness and converting risk exposure into protection.

Alongside risk assessments and support for cyber capability building, clearer insurance positioning, simpler underwriting, modular products and integrated cyber resilience solutions may help strengthen cyber protection for SMEs.

 


[1] We use the IMF definition for “Emerging Asia” as a region referring to China, India, Indonesia, Malaysia, the Philippines, Thailand, and Vietnam

[2] Asian Development Bank: ASIA SMALL AND MEDIUM-SIZED ENTERPRISE MONITOR 2024, November 2024

[3] Peak Re Emerging Asia Middle-Class Consumer Survey 2025, Risk and Resilience: The Emerging Asian Middle Class Mindset on the Climate, Economy and Protection. The online survey was conducted between May – June 2025 across China, India, Indonesia, Malaysia, the Philippines, Thailand and Vietnam. For SME commercial cyber risk questions, respondents comprised business owners of companies with fewer than 50 employees.

[5] The Verizon Report defines small organisations as firms with fewer than 1000 employees. This is different from the classification used in the Peak Re Consumer Survey, where SMEs are defined as businesses with fewer than 50 employees.

[6] ‘Cybersecurity, Cyber insurance, and Small-to-Medium-sized Enterprises: A Systematic Review’, Rodney Adriko and Jason Nurse, University of Kent, 25 June 2024

[7] World Economic Forum’s Global Cybersecurity Outlook 2025


 

Disclaimer

Peak Re provides the information contained in this document for general information purposes only. No representation or guarantee is made as to the accuracy, completeness, reasonableness or suitability of this information or any other linked information presented, referenced or implied. All critical information should be independently verified and Peak Re accepts no responsibility or liability for any loss arising or which may arise from reliance on the information provided. All information and/or data contained in this document is provided as of the date of this document and is subject to change without notice. Neither Peak Re nor any of its affiliates accepts any responsibility or liability for any loss caused or occasioned to any person acting or refraining from acting on the basis of any statement, fact, text, graphic, figure or expression of belief contained in this document or communication.

The information is not intended to constitute, and should not be construed as, investment research, financial advice (nor investment, tax, accounting or legal advice), or a recommendation of any kind.

All rights reserved. The information contained in this document is for your information only and no part of this document may be reproduced, stored or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Peak Re. Any other information relating to this document, whether verbal, written or in any other form, given by Peak Re either before or after your receipt of this document shall be provided on the same basis as set out in this disclaimer. This document is not intended to constitute advice or recommendation, and should not be relied upon or treated as a substitute for advice or recommendation appropriate to any particular circumstances.

© 2026 Peak Reinsurance Company Limited.
