Why Every Business Is Now a Tech Company - Brit

From Corner Shops to Corporates: Why Every Business Is Now a Tech Company

We asked ethical hacker FC to reflect on the major cyber incidents and the conversations coming out of Black Hat and DEF CON in 2025, and to share the myths and emerging trends he's seeing.
FC

FC is a renowned ethical hacker and social engineer, as well as a global keynote speaker. He has been working in the information security field for over 25 years and is motivated by a drive to make individuals, organisations, and countries more secure. When he is not legally breaking into companies, FC takes audiences on an eye-opening journey into the hacker’s mindset. He has delivered over 50 keynotes, including at CPX360, CERN and Intersec. FC demystifies security with his expertise, humour, and passion.

"Here’s the brutally honest truth: every company is a tech company now. You’re carrying cyber risk, whether you’ve accepted it yet or not.

Cyber insurance is not just for Fortune 500 companies, banks, or big tech. It’s for you: the SME that runs payroll on a cloud platform, the manufacturer dependent on a digital supply chain, the MSP juggling dozens of client environments, the local retailer with an e-commerce checkout.

At Black Hat and DEF CON 2025, the two largest hacker-based conferences in the world, there was one thing that I kept hearing: “the game has changed”. Threat actors are leveraging AI to launch phishing campaigns at scale, ransomware operators are turning supply chains into attack surfaces, and insurers are no longer just talking payouts; they’re driving conversations about resilience and recovery. It’s easy to dismiss this as hearsay, but this is truly what people are thinking and talking about.

So, I want us to bust a couple of the myths. I will walk through the reality and show why you, as SMEs (and brokers), should treat cyber insurance as a survival tool, not a luxury."

Myth #1: “We’re too small to be targeted”

"I have heard this for decades, and it could not be more wrong. Attackers don’t care about your size. They care about their opportunity.

  • Automated phishing campaigns don’t discriminate.
  • Credential-stuffing bots will hammer any login page.
  • Supply chain attacks will roll right through you, regardless of company size.

As one of my friends who spoke at Black Hat put it: “AI makes phishing industrial.” Translation: attackers don’t need to handpick you anymore; the botnets will. We have gone from line fishing to trawlers."

Myth #2: “We’ve got an MSP, so we’re covered”

"It is very likely that your MSP might manage your firewalls, patching, backups, but if their environment gets breached, you’re in the blast radius. The worst part is that all liability for customer data, business interruption, or regulatory fines still sits with you. You cannot pass that on to your MSP no matter how much you wish you could.
Insurance isn’t a replacement for good MSPs; it’s the safety net when MSPs get targeted (and they do, often)."


Myth #3: “We can’t afford cyber insurance”

"This is a hard one, because you are a business and you have to work out what you spend money on; I get that. But can you really afford not to have it? In some industries you will have to have it because of regulation, but for others it feels an unnecessary expense, until it saves your company and all its employees.

Premiums might sting, but compare them to:

  • Average ransomware recovery: £700K+ for SMEs.
  • Legal + regulatory fines: unpredictable and steep.
  • Reputation damage: priceless, and often permanent."

Myth #4: “Most policies don’t pay out anyway”

"The data says otherwise. You do need to make sure you have the right policy, with the right wording, and you need to meet the baseline controls. That’s why brokers matter. You are not a surgeon so you wouldn’t do surgery, so why not get a professional to help you understand what actually matters?"

I don’t want you to just take my word; critical thinking and common sense seem not so common and less critical these days, so please do your own research. But I think the best way to truly see the changing landscape is to look at some small case studies of major breaches that happened in 2025. Remember, these are a small selection; many breaches never hit the headlines, and thousands of victims go out of business silently overnight.

FC

Case Studies: 2025 in Cyber Carnage

"Marks & Spencer: third-party breach chaos
In spring 2025, M&S’s contractor was compromised. Online services as well as store deliveries were disrupted for weeks, losses piled into the hundreds of millions, and reputational trust took a beating. Cyber insurance is expected to cover up to £100M of the damage. Lesson? Even giants fall via vendors; the same applies to SMEs with outsourced IT or SaaS dependencies.

United Natural Foods: food supply disruption
US wholesaler UNFI was hit by a cyberattack that disrupted distribution and generated massive operational costs. They expect cyber insurance to soften the financial blow. For SMEs, it’s a reminder: you don’t need customer data to bleed money; business interruption kills just as fast.

Kering (Gucci/Balenciaga/Alexander McQueen): luxury data breach
Hackers claimed access to luxury client data in June 2025. Even without confirmed financial data loss, the reputational costs, notifications, and legal wrangling are huge. SMEs face the same playbook when customer trust is shaken.

UK retail cluster: ripple effects
After M&S, Co-op, and Harrods all saw incidents, UK boards scrambled mid-term to raise cyber budgets. SMEs should see the pattern: one breach shifts the entire market. Waiting until renewal can leave you under-insured.

Farmers Insurance: supply-chain breach
A vendor (Salesforce-related) exposed millions of records. Big brand, yes, but it’s the supply chain exposure that matters. SMEs ride on the same SaaS rails as everyone else; if your SaaS goes down, your business is still accountable.

Macro 2025 data: fewer claims, nastier hits
Industry stats: total cyber claims dipped in 2025, but severity spiked. Translation? Attacks are rarer but harder and more expensive. Insurance is now about resilience to catastrophic events, not “little hacks.”"

What Black Hat & DEF CON 2025 Taught Us

Insurance = security benchmark

Underwriters are now measuring security maturity: MFA, backups, incident response. Insurance has become a yardstick for cyber resilience.

Premiums tied to shared risk

If thousands of companies rely on Vendor X and Vendor X looks risky, your premium rises, even if your own house is in order. Shared risk = higher exposure.

Post-incident services matter most

Payouts are only half the story. Insurers like Brit provide access to incident response teams, forensics, PR, legal: services most SMEs couldn’t afford on their own.

AI-assisted crime = bigger threat surface

Talks highlighted deepfake CEOs, phishing written by LLMs, and “shadow AI” inside companies. Expect insurers to start asking about AI governance.

6 Practical Steps for SMEs & Brokers

  1. Assess exposure: vendors, data, systems, MSPs.
  2. Baseline controls: MFA, backups, patching, awareness training.
  3. Document security posture: helps underwriting + claims.
  4. Shop early, shop smart: compare policies, exclusions, and services.
  5. Integrate insurance with BCP/DR plans.
  6. Educate leadership: cyber insurance is a business decision, not “just IT.”

Final Word

"Cyber insurance is not about fear, it’s about resilience. It’s your financial shock absorber when the worst happens. You, like myself, have probably worked hard to build your company; don’t let a lapse in security wipe it out in a single day.

SMEs who still believe “we’re too small” are the same SMEs who wake up to ransomware notes and business email compromises, then realize their MSP can’t foot the bill.

If you’re a broker: your clients need this wake-up call. If you’re an SME: don’t wait for your name in the headlines.

Cyber insurance is no longer a “big company” luxury; it’s your ticket to survival."

It's great to be working with FC and Cygenta again to help brokers and clients understand the pitfalls and perils of cyber risk protection. As you can see, he gets straight to the issues without unnecessary preamble. We're so grateful to him for sharing his thoughts and experience.