Cyber insurers have become the single largest channel for outsourced security among US SMBs, according to ESET.
Among SMBs that outsource any part of their cybersecurity, 35% now buy services directly from their insurer – ahead of traditional MSPs (27%), dedicated MDR vendors (21%), and MSP/MSSPs offering MDR (17%).
This marks a shift in how SMB security is delivered. Where MSPs and MSSPs once controlled the outsourced stack, insurers are increasingly absorbing the detection and response layer within the policy itself, potentially displacing traditional providers altogether.
ESET’s data also shows that 55% of insured US SMBs are now contractually required to deploy specific tools (typically continuous monitoring or MDR) as a condition of coverage.
This places insurers in a dual role. Underwriters that also provide preventive controls have a direct incentive to reduce the likelihood of claims, while SMBs benefit from a simplified, managed approach to security. However, it also concentrates decisions around tooling, posture, and incident response within the same organization underwriting the risk. This raises questions around independence and accountability when claims are contested.
US Leads, Canada Follows
Canadian adoption of the model is lower. Just 27% of outsourcing SMBs use an insurer for security, while 38% continue to rely on MSPs.
Tony Anscombe, Chief Security Evangelist at ESET, attributes the gap to market maturity.
“Insurers offered the option in the US first, acquiring service providers and then integrating them,” he said. “Coalition is custom-built from the ground up and is backed by numerous insurers. I expect the numbers in Canada to align with the US in time.”
Concentration Risk Builds Inside Insurers’ Books
The model introduces a new form of systemic risk.
If insurers deploy a standardized MDR stack across thousands of SMBs, a single vulnerability could create correlated losses across their portfolios. This is exactly the type of exposure that underwriting models are designed to avoid.
Concern around this kind of monoculture is already visible. 72% of US businesses and 66% of Canadian businesses surveyed said they are worried about the risks associated with single-vendor security ecosystems.
“While it’s heartening to see SMBs adopt cyber insurance, there needs to be greater awareness of potential monoculture issues,” Anscombe said. “North American cyber insurers that provide managed services typically offer a limited choice of services and products.”
Confidence Rises With Incident Count
The data also reveals a confidence paradox.
SMBs that experienced multiple breaches in the past year report the highest resilience confidence of any group surveyed. In the US, 52% of firms with repeat incidents describe themselves as “very confident,” a higher share than among firms with one or no incidents. This group also shows the highest insurance uptake (95%).
Repeat incidents often push SMBs into insurer-mandated MDR deployments, which may explain why confidence increases alongside breach history. These organizations may be more structured and better protected, but that structure is often imposed after failure, rather than proactively adopted.