SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Cyber insurance now common among North American SMBs

Fri, 17th Apr 2026

ESET has published its 2026 SMB Cyber Readiness Index for North America, finding that cyber insurance is now widely used by small and medium-sized businesses in the United States and Canada.

The report draws on responses from 700 cybersecurity decision-makers at organisations with 25 to 1,000 endpoints, including 500 in the US and 200 in Canada. It examines cyber resilience, incident response, insurance, outsourced security services, AI adoption and budget plans across sectors such as manufacturing, construction, healthcare, retail, telecommunications and transport.

Most respondents said they felt confident about their cyber resilience. In the US, 87% of businesses said they were slightly to very confident, compared with 83% in Canada. Confidence was even higher among businesses that had suffered more than one cyber incident over the past year.

That confidence sits alongside a high level of attacks. In the US, 54% of surveyed SMBs said they had experienced an incident in the past 12 months, including 22% that reported multiple breaches. In Canada, 46% reported at least one incident and 12% said they had faced more than one.

Insurance featured prominently in the findings. Cyber insurance is now carried by 86% of US SMBs and 78% of Canadian SMBs, with adoption highest among businesses that had already experienced repeated incidents. Among those with multiple incidents, 95% in the US and 92% in Canada had cover.

Insurers are also shaping security measures within smaller businesses. Among insured US respondents, 55% said they were required to implement specific controls as a condition of coverage, compared with 41% in Canada. Those controls often included multifactor authentication, identity and access management, and endpoint or managed detection tools.

Threat gap

The research points to a gap between the threats businesses fear and the causes of the breaches they actually face. In both countries, AI-powered malware ranked as the top concern for the year ahead, cited by 32% of US respondents and 34% of Canadian respondents.

Actual breach drivers were more familiar. In the US, phishing, lack of security monitoring and unpatched vulnerabilities were the leading causes of incidents. In Canada, phishing, weak passwords and insufficient monitoring topped the list.

Supply chain compromise ranked lower among perceived risks despite its potential impact, placing eighth among US respondents and 10th among Canadian respondents. At the same time, 82% of SMBs across both countries said cyber warfare and global conflict posed a real threat to their business.

Tony Anscombe, Chief Security Evangelist at ESET, said the findings reflect a shift in how smaller companies approach risk.

"SMBs in the U.S. and Canada are entering a new phase of cybersecurity where attacks are becoming the new norm and an expected part of business operations," Anscombe said. "We've seen significant shifts in how SMBs perceive today's risks and how they prepare for them, relying more on cyber insurers to provide cybersecurity services and as a core part of their resilience strategy. While SMBs are worried about headline-catching AI-driven threats, most breaches are still a result of social engineering coupled with human error, including phishing, credential compromise and third-party/supply chain risk."

Outsourcing shift

A smaller share of respondents said they outsource some or all of their cybersecurity, with 16% in the US and 19% in Canada doing so. Among those companies, cyber insurers are emerging as a notable route to managed detection and response services.

In the US, 35% of SMBs that outsource security said they use a cyber insurer offering MDR, compared with 21% using an MDR vendor, 17% relying on an MSP or MSSP with MDR, and 27% using a traditional MSP. In Canada, 27% said they used a cyber insurer offering MDR, 8% used an MDR vendor, 27% relied on an MSP or MSSP with MDR, and 38% used a traditional MSP.

Anscombe said that trend brings its own risk.

"In cybersecurity, diversity is necessary to achieve a resilient ecosystem. While it's heartening to see SMBs adopt cyber risk insurance, there needs to be greater awareness of potential monoculture issues as North American cyber insurers that provide managed services typically offer a limited choice of services and products. In fact, 72% and 66% of US and Canadian businesses respectively are concerned with the implications of single-vendor ecosystems, or security monocultures," he said.

Budgets and AI

On spending, about half of respondents said they expected no change in cybersecurity budgets this year: 47% in the US and 52% in Canada. Businesses that had suffered repeated incidents were more likely to describe their budgets as more than sufficient and to expect further increases.

The report also found a difference in attitudes to AI applications. In Canada, 69% of respondents said they were integrating AI applications into their organisation, compared with 81% in the US, suggesting greater caution among Canadian businesses.

Training remained the leading area of planned investment. More than 90% of SMBs in both countries said training was critical or very important, while 42% of US respondents and 43% of Canadian respondents said they planned to increase spending on it over the next 12 months. Structured programmes that include phishing simulations were in place at 44% of US organisations and 47% of Canadian organisations.

"Confidence is growing, but the reality is that most breaches still come from preventable issues like phishing, weak passwords and monitoring gaps," Anscombe said. "If cyberattacks are the new normal, then getting the fundamentals right matters more than ever."