This Week's Cyber Pulse — May 5, 2026
Your weekly intelligence brief for small and mid-size businesses. Sourced, rated, and written in plain English.
Threat Roundup
🔴 HIGH SEVERITY: Business Email Compromise (BEC) Q2 2026 Surge
The FBI's Internet Crime Complaint Center (IC3) recorded a 31% increase in Business Email Compromise (BEC) losses in Q1 2026, with the highest concentration targeting SMBs in construction, professional services, and real estate. Total losses exceeded $2.9 billion in the quarter alone.
How BEC works: Attackers compromise or spoof a business email account — often the CEO, CFO, or a trusted vendor — and redirect wire transfers, change bank account details, or intercept invoice payments.
Why it's booming: AI-generated emails have made BEC campaigns dramatically more convincing. Attackers now generate contextually accurate emails that reference real projects, real personnel, and real relationship history extracted from compromised accounts.
What to do:
- Implement a verbal confirmation policy for any wire transfer, ACH change, or banking detail modification requested via email — no exceptions
- Enable email authentication: SPF, DKIM, and DMARC (DMARC with p=reject tells receiving mail servers to refuse messages that claim your domain but fail authentication, so your domain cannot be spoofed in your customers' and vendors' inboxes)
- Use Microsoft 365 or Google Workspace built-in BEC detection (Defender for Office 365, Google's Advanced Phishing Protection)
Severity: Critical | Affected: All SMBs, especially those with active vendor payment workflows | Source: FBI IC3 2026 Q1 Report
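The three email-authentication controls above only help if the published DNS records are actually strict. The following script, added here as an example and not part of the original brief, parses DMARC and SPF TXT records and flags the weak settings that still let a domain be spoofed (p=none, partial pct, a weaker subdomain policy, missing aggregate reports, a soft-fail or permissive SPF "all" term, and too many DNS lookups). The records are constructed samples; to use it against your own domain, paste in the TXT records returned by your DNS lookup.

```python
"""Check DMARC and SPF TXT records for the weak settings that let a domain be spoofed.
Added example for the email-authentication advice above; the records below are
constructed samples, not any real domain's DNS."""
import re

# Constructed sample records (not any real domain's DNS) so the script runs offline.
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.example.com -all"
SAMPLE_SPF_WEAK = "v=spf1 a mx include:mail.example.org ~all"

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:)|^redirect=", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the published policy plus a list of weaknesses found in a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "findings": ["not a DMARC1 record"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("p= tag missing or invalid; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam instead of rejecting it")
    pct = tags.get("pct", "100")  # RFC 7489 default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of failing mail")
    sp = tags.get("sp", "").lower()  # subdomain policy; defaults to p= when absent
    if sp in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK.get(policy, 0):
        findings.append(f"sp={sp}: subdomains get a weaker policy than the organizational domain")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who sends as your domain")
    return {"valid": True, "policy": policy, "findings": findings}


def assess_spf(record: str) -> dict:
    """Return the 'all' qualifier, DNS-lookup count and weaknesses found in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "lookups": 0, "findings": ["not an spf1 record"]}
    findings = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    all_terms = [t.lower() for t in terms[1:] if ALL_TERM.match(t)]
    all_q = all_terms[-1] if all_terms else None
    if all_q is None:
        findings.append("no 'all' term: mail from unlisted hosts gets a neutral result")
    elif all_q in ("all", "+all"):
        findings.append("+all authorises every host on the internet to send as this domain")
    elif all_q == "?all":
        findings.append("?all is neutral: unlisted hosts neither pass nor fail")
    elif all_q == "~all":
        findings.append("~all soft-fails unlisted hosts; DMARC p=reject is needed to actually refuse the mail")
    return {"valid": True, "all": all_q, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for label, rec, fn in [("DMARC strong", SAMPLE_DMARC_STRONG, assess_dmarc),
                           ("DMARC weak", SAMPLE_DMARC_WEAK, assess_dmarc),
                           ("SPF strong", SAMPLE_SPF_STRONG, assess_spf),
                           ("SPF weak", SAMPLE_SPF_WEAK, assess_spf)]:
        print(f"{label}: {fn(rec)}")
```

A record with an empty findings list is the target state for the BEC advice above: p=reject at full pct, reports being collected, and SPF ending in -all with its lookup budget intact.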
🟡 MEDIUM SEVERITY: Credential Stuffing Attacks Targeting SMB SaaS
Credential stuffing — using leaked username/password pairs from previous breaches to attempt login to other services — is surging against business SaaS applications. QuickBooks Online, Salesforce, HubSpot, and various HR platforms are the primary targets.
The leaked credentials come from prior consumer breaches (LinkedIn, Adobe, past retail breaches) where employees reused their work email and a recycled password.
What to do:
- Require unique passwords for all work accounts (password manager mandate)
- Enable MFA on all SaaS platforms — especially financial and HR systems
- Use haveibeenpwned.com's domain search to see if your company's email addresses appear in known breaches
Severity: Medium | Affected: All businesses using SaaS | Source: Akamai Security Intelligence Report Q1 2026
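Because credential stuffing replays one leaked password per account across many accounts, its signature in an authentication log is a single source address failing against many distinct usernames in a short window, with an occasional success where a reused password still works. The script below, added here as an example and not part of the original brief or any vendor's product, parses constructed sample login records in a simple key=value format and raises one alert per source IP that exceeds a distinct-user and failure-ratio threshold, listing any accounts that logged in successfully from that source as candidates for a forced password reset. The log format and thresholds are assumptions; adapt the regex to your SaaS platform's audit export.

```python
"""Detect credential-stuffing patterns in authentication logs.
Added example for the credential-stuffing item above; the log lines and the
key=value format are constructed assumptions, not any real product's output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one source address sweeps eight accounts in nine seconds
# (one reused password works), a user mistypes twice before succeeding, one normal
# login, and one malformed line the parser must skip.
SAMPLE_LOG = """\
2026-05-04T09:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2026-05-04T09:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2026-05-04T09:00:03Z ip=203.0.113.7 user=carol@example.com result=success
2026-05-04T09:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2026-05-04T09:00:05Z ip=203.0.113.7 user=erin@example.com result=fail
2026-05-04T09:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2026-05-04T09:00:07Z ip=203.0.113.7 user=grace@example.com result=fail
2026-05-04T09:00:09Z ip=203.0.113.7 user=heidi@example.com result=fail
2026-05-04T09:05:00Z ip=198.51.100.5 user=alice@example.com result=fail
2026-05-04T09:05:20Z ip=198.51.100.5 user=alice@example.com result=fail
2026-05-04T09:05:40Z ip=198.51.100.5 user=alice@example.com result=success
this line is not a login record
2026-05-04T09:07:00Z ip=198.51.100.9 user=bob@example.com result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse log lines into Events, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; never let it crash the detector
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["ip"], m["user"], m["result"] == "success"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8) -> dict:
    """Return {ip: summary} for each source IP whose attempts inside any sliding
    window hit at least min_users distinct accounts with a failure ratio of at least
    min_fail_ratio. The summary kept per IP is the qualifying window with most attempts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, start in enumerate(evs):
            j = i
            while j < len(evs) and evs[j].ts - start.ts <= window:
                j += 1
            span = evs[i:j]
            users = {e.user for e in span}
            fails = sum(1 for e in span if not e.ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                summary = {
                    "window_start": start.ts.isoformat(),
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": fails / len(span),
                    # successes inside a stuffing burst mean the reused password worked
                    "possible_compromise": sorted({e.user for e in span if e.ok}),
                }
                if best is None or summary["attempts"] > best["attempts"]:
                    best = summary
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT source {ip}: {summary}")
```

The legitimate user who fails twice from one address is not flagged because all attempts are against one account, which is why the distinct-user threshold matters more than a raw failure count; tune min_users and the window to your login volume, and feed the possible_compromise list straight into a password-reset and MFA-enrolment workflow.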
🟢 LOW SEVERITY: Fake IT Support Vishing Campaign Targeting SMB Employees
A vishing (voice phishing) campaign is cold-calling SMB employees claiming to be Microsoft or company IT support, requesting remote access via TeamViewer or AnyDesk to "fix a security alert." Once access is granted, attackers install keyloggers or remote access trojans.
What to do:
- Brief all employees: legitimate IT support (including Microsoft) will never call you unsolicited requesting remote access
- Establish a known verification number employees should use to confirm any IT support request is legitimate
Severity: Low | Affected: All businesses | Source: CISA Alert AA26-112A
The $4.4M Question: What a Breach Actually Costs
The IBM Cost of a Data Breach Report puts the average breach cost at $4.4M globally — but that number obscures the SMB reality, where the impact is often company-ending even at smaller absolute dollar figures.
Where the costs come from:
| Cost Category | Typical SMB Range |
|---|---|
| Incident response & forensics | $50,000–$250,000 |
| Legal notification requirements | $25,000–$150,000 |
| Regulatory fines (HIPAA/PCI/state) | $10,000–$1,000,000+ |
| Business interruption (downtime) | $15,000–$500,000 |
| Customer notification & credit monitoring | $5,000–$100,000 |
| Reputational damage (lost contracts) | Hard to quantify — often the largest |
| Cyber insurance deductible | $2,500–$50,000 |
The deductible problem: Most SMB cyber policies have deductibles of $10,000–$25,000. With the average ransomware demand for SMBs now at $250,000–$750,000, even a partial recovery scenario exceeds what most policies were written to cover.
The coverage gap problem: Policies often exclude: acts of war (including nation-state attacks), regulatory fines above a specific cap, betterment (the policy pays to restore systems to their pre-incident state, not to upgrade them during recovery), and losses caused by unpatched known vulnerabilities.
What to do before your renewal:
- Review your policy's exclusions carefully — especially the unpatched vulnerability exclusion
- Run an insurance readiness check to ensure your controls match what your policy requires
- Document your security controls formally (don't just have them — prove you have them)
Compliance Deadline Watch
Cyber Insurance Renewal Season — Q2/Q3 Prep
Most SMB cyber insurance policies renew in the May–September window. Renewal prep should start 60–90 days before your renewal date.
Pre-renewal checklist:
- ✅ EDR deployed on all endpoints
- ✅ MFA on email, VPN, and financial systems
- ✅ Offsite backups with immutability (tested in the past 90 days)
- ✅ Incident response plan documented
- ✅ Employees trained on phishing in the past 12 months
- ✅ Vendor risk documentation for top vendors
- ✅ Network segmentation between critical systems
Each of these controls has direct impact on your premium and coverage limits. Missing 3+ is typically a 20–40% premium surcharge.
CyberStackHub's Cyber Insurance Readiness Tool runs through every carrier requirement and tells you exactly where you stand.
SOC 2 Type II — Mid-Year Evidence Review
If you started your SOC 2 observation period in January 2026, you're now 4 months in. This is a good time to review your evidence collection to date and identify any controls with missing documentation before the audit window closes.
Key areas that commonly have evidence gaps at mid-year review:
- User access reviews (were they actually conducted monthly or just once?)
- Vulnerability remediation tracking (was every scan finding tracked to closure?)
- Change management records (do all system changes have a ticket?)
Insurance Market Update
Renewal season 2026 is shaping up to be a pivotal market shift. After two years of significant premium decreases (2024–2025), the market is hardening again. Coalition's broker update for Q2 2026 shows:
- Frequency of claims up 28% YoY
- BEC losses now exceeding ransomware claims by volume
- Carriers reducing coverage sublimits for "social engineering" (BEC) losses at standard tier policies
Action: If your current policy has a "social engineering" sublimit below $500,000, request a limit increase at renewal — BEC losses for SMBs average $130,000 per incident, and a $25,000 sublimit leaves you dramatically underinsured.
Tool Spotlight: Cyber Insurance Readiness Tool
This week's spotlight again — because it's renewal season and this is the highest-leverage free resource we offer.
The Cyber Insurance Readiness Tool maps your current security posture to specific carrier requirements and tells you exactly which gaps are costing you money or coverage. Most users find 2–3 actionable items within their first session.
→ Run your insurance readiness check free
Run The Cyber Pulse Stack — Free
The Cyber Pulse Stack is your personalized weekly brief: threats relevant to your industry, compliance deadlines you're actually facing, and your insurance readiness score. Delivered to your inbox, your phone, or as a downloadable PDF.
Going into insurance renewal season with a documented security posture is the difference between a flat renewal and a 30% increase.
→ Run The Cyber Pulse Stack free
Frequently Asked Questions
What is the average cost of a data breach for a small business?
IBM's 2025 Cost of a Data Breach Report put the global average at $4.4M, though smaller organizations ($100M or less in revenue) averaged $3.3M. For very small businesses (under 500 employees), costs are lower in absolute terms but often represent a higher percentage of annual revenue — making them more company-threatening proportionally.
What does cyber insurance actually cover for SMBs?
A standard SMB cyber policy covers: first-party costs (incident response, forensics, notification, credit monitoring, business interruption), third-party liability (lawsuits from affected customers or partners), and often cyber extortion (ransomware demands). Common exclusions: unpatched known vulnerabilities, war/nation-state exclusions, betterment, and regulatory fines above a sublimit.
What is business email compromise (BEC) and how common is it?
BEC is when attackers impersonate a trusted executive or vendor to trick employees into transferring money or changing payment details. It's the most expensive cybercrime by total dollar losses — more than ransomware. The FBI reported $2.9B in BEC losses in Q1 2026 alone. It doesn't require any malware — just a convincing email and a process with no verbal confirmation step.
How do I prepare for cyber insurance renewal as a small business?
Start 90 days before your renewal date. Document your security controls (don't just have them, prove them). Specifically focus on EDR, MFA, backup testing, phishing training records, and incident response plan documentation. Run CyberStackHub's Cyber Insurance Readiness Tool to see exactly which controls your insurer requires.
⚡ Run The Cyber Pulse Stack
Get a personalized security brief covering your specific threats, compliance gaps, and insurance readiness — emailed, texted, or as a PDF.