By Byron V. Acohido

The cyber insurance industry set out to manage financial risk. Along the way, it has quietly became the security operations provider for a significant share of American small businesses. An $11 billion acquisition agreement announced earlier this year suggests it intends to stay in that role.

Related: No easy AI security fixes

I sat down with Tony Anscombe, chief security evangelist at ESET, on the floor at RSAC 2026 to discuss this. Tony has spent years tracking the intersection of cyber insurance and SMB security from inside the insurance ecosystem. Here is what I learned that you should know.

The causality chain is not complicated, but it took about five years to play out. Around 2020, ransomware payouts started overwhelming cyber insurers. Losses mounted. The industry responded the way it always does — by tightening requirements.

Suddenly, policyholders had to demonstrate multi-factor authentication, endpoint detection and continuous monitoring before coverage would apply. For large enterprises with in-house security teams, that was manageable. For small and midsize businesses, the list of mandated controls read like a job posting for staff they could not afford to hire.

Insurers supplying security

So insurers stepped in. Beazley, Zurich and Coalition each built or acquired managed detection and response capabilities and began bundling them with coverage. As Anscombe put it on the conference floor: “The insurer is becoming the MSSP.�

ESET’s newly released SMB Cyber Readiness Index puts numbers on how far this has gone. In the U.S., 86 percent of SMBs now carry cyber insurance, and adoption runs higher among businesses that have already experienced an incident — they know the cost.

Among U.S. SMBs that outsource cybersecurity, the cyber insurer offering MDR is now the most popular destination, cited by 35 percent — ahead of traditional managed service providers at 27 percent, dedicated MDR vendors at 21 percent, and MSP/MSSPs offering MDR at 17 percent. For a market segment that has historically struggled to staff or afford enterprise-grade security, that is a real solution to a real problem.

What motivates the urgency is not hard to find. Anscombe walked through a string of high-profile supply chain attacks in 2024 and 2025 that demonstrated, in financial terms, what happens when a single vendor relationship becomes the attack surface.

The Jaguar Land Rover incident is the most instructive example. A social engineering attack on a third-party IT services provider gave threat actors privileged credentials, which they used to penetrate JLR’s production systems — not just the office environment. The factory shut down for nearly five weeks. Five thousand businesses in the JLR supply chain were disrupted. The UK government stepped in with a £1.5 billion loan guarantee to keep suppliers solvent. The entry point was a trusted third party with standing access. That is the supply chain problem in its most concrete form.

Single point of failure

Anscombe was careful not to let the insurer-as-MSSP development land as straightforward good news. The risk he flagged is concentration. Beazley, Zurich and Coalition are deploying overlapping product stacks to their SMB customer bases.

If a sophisticated threat actor finds a vulnerability in the underlying platform, the attack surface is not one company — it is the de facto security operations infrastructure for a significant share of American small business. Cyber insurers bundling a common MDR stack have built precisely the kind of monoculture that makes concentrated attacks viable. Diversity in the ecosystem, Anscombe argued, would be a good thing.

His concern acquired a concrete price tag in March 2026, when Zurich and Beazley reached agreement on a recommended all-cash offer valued at approximately $11 billion. Two of the three insurers Anscombe named on the conference floor — each already operating as a de facto MSSP for SMB customers — are now moving toward a single combined entity.

Consolidation downside

The transaction is pending regulatory approval, with closing expected in the second half of 2026. Whether consolidation accelerates or complicates the concentration risk Anscombe described is a question the industry has not yet answered.

Where this ends is genuinely unclear. Anscombe raised a possibility most enterprise security teams have not taken seriously: that actuarial modeling trained on breach telemetry, configuration data and attack pattern analysis could eventually produce precise prescriptions for which controls, architectures and policies minimize financial exposure.

If that happens, the actuary becomes a standing figure in enterprise security strategy. The infrastructure to make it possible is being assembled right now, acquisition by acquisition, MDR contract by MDR contract.

Listen to the full podcast for Anscombe’s complete breakdown.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. I remain responsible for every claim and conclusion.)

May 12th, 2026 | RSAC | Top Stories | Uncategorized