Willis Expands CyMax Facility As The SME Cyber Insurance Gap Persists

Estimated reading time: 6 minutes

The SME cyber insurance gap is stubborn. Willis just widened its answer to it. The broker has expanded its CyMax Facility across EMEA. Four insurers now share the risk. The promise is faster cover and higher limits for smaller firms. The gap it targets is the real story.

What Willis Changed

CyMax is now a panel facility. AXA XL, Beazley, HDI Global, and Markel supply the capacity. The old version leaned on a single insurer. That structure limited how high limits could climb.

The application also got shorter. Brokers face a one-page form and a short questionnaire. The questionnaire runs six to eight underwriting questions. Pre-agreed pricing grids replace the usual back-and-forth. A single vulnerability scan sits as the main subjectivity.

Eligibility widened too. The facility now accepts firms with partially built security controls. Fully mature controls are no longer the price of entry. That choice matters. The reason becomes clear below.

Brian Vosloh, Head of Cyber EMEA at Willis, framed the pitch. Smaller firms need cover that is “easier to access, quicker to place and better aligned to their evolving exposures.”

Dark EMEA map with a cyan and amber cyber shield and linked network nodes. Headline reads Mind the SME Cyber Gap, subhead reads fewer than half of UK SMEs carry cyber cover. Willis CyMax Facility SME cyber insurance graphic.

From Single Insurer To Panel

This is an expansion, not a debut. Willis built CyMax on its earlier Continental Europe facility. That facility ran on one carrier. The new panel pools four.

The shift is more than cosmetic. A panel spreads risk across several balance sheets. It lets limits rise and placement flex. Willis keeps its proprietary wordings at the core. Those are the EMEA CyCore Primary and Excess forms.

The CyCore name is not new to this publication. Willis first brought CyCore wording to international clients through its International CyCore Facility in 2024. That facility used Lloyd’s syndicates and a single lead. CyMax now carries the wording into a broader EMEA panel.

The SME Cyber Insurance Gap CyMax Is Chasing

Here is the problem Willis is selling into. Most European small firms still lack cyber cover. The data is blunt.

See also  INSURING OUR FUTURE: FIGHTING YESTERDAY’S BATTLES IN A CYBER-DRIVEN WORLD - Opinion

Just over 40% of UK SMEs hold cyber insurance, GlobalData found in its 2025 SME survey. Take-up sinks to 13% among sole traders. It reaches 63% among medium firms. The smaller the firm, the wider the gap.

The claims side is climbing fast. UK insurers paid £197 million in cyber claims in 2024, the ABI reports. That is up from £59 million a year earlier. Malware and ransomware drove 51% of those claims. The majority came from smaller organizations.

Government figures echo the shortfall. The 2025/2026 Cyber Security Breaches Survey found 47% of businesses hold some cyber cover. Small firms sit at 55%. Medium firms reach 61%.

Underwriters have made this point for a while. On the Cyber Insurance News & Information podcast, Willis’ Peter Foster rejected the idea that small firms are safe targets. Attackers hit the firms least able to rebuild. Confident boards often learn this the hard way.

See also Executives Underestimate Cyberattack Costs, Willis Warns in 2025 Report.

What The Cover Actually Does

CyMax reads like a modern cyber form. It funds crisis management and incident response. It answers business interruption and contingent business interruption. And it covers social engineering, telephone hacking, and invoice manipulation. Reputation harm and regulatory action also feature.

The wordings claim alignment with GDPR, NIS2 and DORA. Those three rules now shape any serious EMEA cyber policy. DORA targets financial firms. NIS2 widens security duties across sectors. GDPR still governs data and breach notification.

The services matter as much as the wording. Clients get pre-ransomware alerts and threat intelligence. They get onboarding calls and crisis exercises. Insurers now treat these as core, not extras.

That instinct has evidence behind it. A Marsh study ranked incident response planning among the top controls that cut cyber claims. Firms that drill are measurably less likely to face a material event. Underwriters now read tested response plans as a pricing signal.

See also  CrowdStrike Brings Cyber Insurance Into Project QuiltWorks to Counter Frontier AI Risk

Why EMEA, And Why Now

Europe is where cyber penetration still runs low. That makes it the growth frontier. Foster has pointed to Europe, Asia, and Latin America as the market’s next legs. Capital follows unmet demand.

The regional risk picture is also darkening. A Willis and Atlantic Council report mapped gray-zone attacks on European supply chains. Ports, rail, and cables now sit in the blast radius. Smaller suppliers rarely carry cover for that exposure.

Willis is not alone in the chase. Several carriers have launched SME cyber products through 2026. The segment is suddenly crowded. The prize is the same underserved base of small firms.

The label SME also stretches here. Eligibility runs up to €500m or CHF500m in turnover. That ceiling covers firms far larger than any standard SME. Willis is really reaching from small firms into the lower mid-market.

What It Means For Brokers And Buyers

The friction cuts are real. A one-page form and set pricing save brokers time. Faster placement helps clients who are delayed by paperwork. For thin-staffed firms, that speed is the selling point.

The two-tier controls approach is the shrewd move. Waiting for SMEs to reach full security maturity would exclude most of the market. Willis chose to ensure the imperfect and coach them upward. That is pragmatic. It mirrors where the market is heading.

None of this closes the gap on its own. A cheaper form does not harden an under-secured business. Coverage still hinges on controls and testing. CyMax lowers the barrier to entry. Whether small firms walk through the door is another question.

See also AI Cyber Insurance Coverage Gaps: The Losses Willis Says Your Policy Won’t Pay

See also  Cyber Attacks on Manufacturers Surge as IT-OT Convergence Expands Industrial Cybersecurity Risks

FAQ – SME Cyber Insurance And The Willis CyMax Facility

What Is The Willis CyMax Facility?

CyMax is a primary and excess cyber facility from Willis. It serves SMEs and mid-market firms across EMEA. Four insurers now supply its capacity.

Is CyMax A New Facility?

No. It is an expansion of an earlier Willis facility for Continental Europe. That version used a single insurer. CyMax now runs on a four-insurer panel.

Who Is Eligible For CyMax Cover?

Firms with turnover up to €500m or CHF500m qualify. Established security controls are preferred. Firms with partial controls can still apply.

What Does The CyMax Facility Cover?

It funds incident response, business interruption, and contingent business interruption. It also covers social engineering, invoice manipulation, and reputation harm. Regulatory action is included.

Why Does The SME Cyber Insurance Gap Matter?

Most small firms still lack cyber cover. Claims are rising fastest among smaller organizations. The gap leaves them exposed to ransomware and fraud.

Leave a Comment

×