Cyber Insurance for Small Business: What It Covers, What It Costs, and What to Ask

Small businesses are the primary target of cybercrime. Learn what cyber insurance covers, how much coverage you need, what it costs, and the questions every business owner should ask their agent.

THOUGHT LEADERSHIP

5/20/2026 · 9 min read

One in three small businesses experienced a cyberattack last year. The average breach costs $200,000. Most small businesses that suffer a major cyber incident do not reopen. Yet 82 percent of businesses with fewer than 500 employees carry no dedicated cyber insurance policy.

The gap is not awareness. Most small business owners understand that cyber risk is real. The gap is the insurance conversation that never happened at renewal.

This page explains what cyber insurance covers, how much coverage a small business actually needs, what drives the cost, and the questions every business owner should raise with their agent before the next renewal.

What Cyber Insurance Covers

Cyber insurance divides into two fundamental categories.

First-party coverage pays for your direct costs when an incident occurs: the forensic investigation to determine what happened, the legal review of your notification obligations, the cost of notifying affected customers, credit monitoring for individuals whose data was compromised, and the lost revenue during the period your systems are offline or unavailable.

Third-party coverage pays for claims made against your business: legal defense costs when customers or regulators come after you, settlement payments, and certain regulatory fines and penalties arising from the incident.

Most small businesses need both. A single breach generates direct response costs and potential liability exposure simultaneously. A policy that addresses one without the other leaves a significant gap.

Two types of protection. One policy that should deliver both.

What cyber insurance specifically covers:

First-party coverage includes forensic investigation costs, attorney fees for breach notification review, customer notification expenses, credit monitoring for affected individuals, ransomware payments and professional negotiation services, system restoration and rebuild costs, and lost revenue during downtime caused by the cyber event.

Third-party coverage includes legal defense costs for lawsuits brought by customers or regulators, settlements and judgments, certain regulatory fines under state privacy laws and federal frameworks including HIPAA, and Payment Card Industry penalties for businesses handling credit card data.

What cyber insurance does not cover:

General liability policies exclude cyber incidents in the overwhelming majority of policies issued after 2019. Business Owner's Policies similarly exclude cyber-caused business interruption in most cases. If your only coverage is a general liability or BOP policy, you have no meaningful cyber protection regardless of what you paid for it.

Within cyber policies themselves, standard exclusions include losses from unpatched systems when patches were available, attacks resulting from failure to maintain required security controls, losses from prior incidents not disclosed at underwriting, and attacks attributed to nation-state or state-sponsored actors.

The Four Costs of a Cyber Incident

Most small businesses only plan for one.

When business owners think about cyber insurance, they tend to think about the ransom payment or the data breach notification. Those are two of four cost categories. Most businesses underestimate the full picture.

Breach response costs cover the immediate expenses of finding out what happened and complying with legal notification requirements. Forensic investigation for a small business typically runs $15,000 to $50,000 depending on the complexity of the incident. Notification costs, including legal review, printing, mailing, and call center setup, run $8 to $15 per customer notified. For a business with 5,000 customer records, notification alone reaches $40,000 to $75,000 before credit monitoring is added.

Ransomware and extortion costs extend well beyond the ransom payment itself. System restoration after a ransomware attack, including server rebuilds, data recovery, security hardening, and validation testing, typically costs three to four times the ransom payment. A business that pays a $35,000 ransom often incurs $105,000 to $140,000 in total restoration expenses. Most cyber policies include ransom payment coverage but cap it at a sub-limit, often $100,000 to $500,000, regardless of total policy limits.

Business interruption costs represent the lost revenue during the period systems are offline or inaccessible. Most policies calculate daily coverage based on historical revenue and operating expenses. For a business generating $3 million annually, a seven-day outage produces approximately $37,000 in covered lost revenue. The waiting period before coverage activates is typically 8 to 24 hours, and maximum coverage periods run 30 to 90 days.

Liability costs are the category that most surprises small business owners. Legal defense alone for a data breach lawsuit runs $145,000 to $280,000 before any settlement. Class action settlements for small business breaches involving payment card data range from $200,000 to $800,000 depending on the number of affected individuals and the sensitivity of the data.

How Much Insurance Does a Small Business Need?

The answer depends on three variables.

The right coverage limit for a small business depends on how many customer records it holds, what type of data those records contain, and what industry it operates in.

A practical starting framework: multiply your number of customer records by the per-record cost in your industry, then add $500,000 for the fixed base costs of forensics, legal defense, and business interruption that exist independent of record count.

General business data carries an estimated per-record cost of $150 to $200. Payment card data runs $180 to $250 per record. Healthcare data regulated under HIPAA runs $240 to $400 per record due to mandatory regulatory penalties and notification costs.

A professional services firm with 3,000 client records needs a minimum of $1,000,000 in coverage. A retailer with 10,000 customer records and payment card data needs $2,500,000 to $3,000,000. A healthcare practice with 5,000 patient records needs $2,000,000 to $2,500,000.

Minimum recommended limits by industry:

Retail and e-commerce businesses should carry a minimum of $1,000,000 to $2,000,000, with higher limits warranted for businesses processing significant payment card volume. Professional services firms carrying client data should carry a minimum of $1,000,000. Healthcare providers should carry $2,000,000 to $3,000,000 given HIPAA penalty exposure. Financial services firms should carry $2,000,000 to $5,000,000.

Most small businesses are underinsured relative to their actual exposure. The reason is not cost. A $1,000,000 cyber policy for a professional services firm with strong security controls typically costs $1,200 to $1,800 per year. The reason is that the coverage conversation never happened at renewal with enough specificity to surface the gap.

What Cyber Insurance Costs for a Small Business

And what changes the price in either direction.

Small businesses typically pay $750 to $2,500 per year for $1,000,000 in cyber coverage. Healthcare and financial services firms pay 30 to 40 percent above the baseline due to regulatory exposure and data sensitivity.

Five factors drive the cost of a cyber policy.

Revenue and record volume.
Higher revenue businesses and businesses holding more customer records pay proportionally more, though not linearly. Coverage limits should scale with exposure, not just with revenue.

Industry and data type.
Businesses holding health records, payment card data, or financial account information pay meaningfully more than businesses holding general contact and business data, because the regulatory and liability exposure is higher.

Security controls.
Carriers evaluate five specific controls when underwriting cyber risk: multi-factor authentication on all accounts and email, endpoint detection and response tools across all devices, offline or immutable backups tested within the past 90 days, annual security awareness training, and a documented incident response plan. Implementing all five typically produces premium reductions of 25 to 35 percent compared to businesses that have not addressed them.

Claims history.
A prior cyber claim increases renewal premiums by 15 to 40 percent for three to five years.

Deductible selection.
Deductibles typically range from $1,000 to $25,000. A $25,000 deductible reduces annual premiums by 25 to 30 percent compared to a $1,000 deductible. Select the deductible based on available cash reserves. If a major incident occurred tomorrow, the deductible must be paid before coverage activates.

Security Controls That Affect Coverage

Most carriers now require these before issuing a policy.

The cyber insurance underwriting environment has tightened significantly since 2022. Most carriers now require specific security controls as a condition of coverage, not just as a factor in pricing.

Multi-factor authentication is required by 98 percent of carriers. A business that does not have MFA deployed on email and all privileged accounts will either be declined, placed in a specialty market at significantly higher rates, or find that a claim is denied because the control was misrepresented on the application.

Tested offline or immutable backups are required by 92 percent of carriers. Backups must be tested, not merely maintained. A backup that has never been restored is not a backup from an underwriting standpoint.

Endpoint detection and response tools are required by 87 percent of carriers. Antivirus alone does not meet this requirement at most carriers.

Annual security awareness training is required by 76 percent of carriers. Documentation of training completion is commonly requested at renewal.

These requirements exist because the data is clear. MFA alone reduces the likelihood of a successful attack by more than 99 percent. Businesses that implement these controls file significantly fewer claims, which is why carriers price them so favorably.

Most small businesses are sold cyber insurance by producers who have limited specialist knowledge of the line. The result is coverage placed without a meaningful review of the business's actual operations, its data profile, or whether the policy's exclusions apply to the specific scenarios the business faces.

Next Steps

The right coverage conversation starts with the right agent.

The right coverage conversation covers four things: what the policy actually covers for a business in your industry, what exclusions would prevent a claim from being paid, whether the limits are adequate given the cost of a real incident in your sector, and what the claims process looks like when something happens.

Frequently asked questions

What is UKON?

UKON is the Cyber Practice Operating System for independent insurance agencies. Built on the foundation of FifthWall Solutions, the first cyber-only wholesale specialist in the independent agency channel, UKON installs a complete outsourced cyber practice inside agencies through its Cyber Practice Leadership model — combining human-supervised AI with a bench of seasoned cyber specialists, commission-aligned with no upfront cost.

What does cyber insurance cover for a small business?

Cyber insurance for small businesses covers two categories of costs. First-party coverage pays your direct costs when an incident occurs: forensic investigation, breach notification, credit monitoring for affected customers, ransomware payments and system restoration, and lost revenue during downtime. Third-party coverage pays claims made against your business: legal defense, settlements, and certain regulatory fines. Most small businesses need both coverage types because a single incident generates direct costs and potential liability simultaneously.

How much does cyber insurance cost for a small business?

Small businesses typically pay $750 to $2,500 per year for $1,000,000 in cyber insurance coverage. Healthcare and financial services firms pay 30 to 40 percent above the baseline. Businesses that implement multi-factor authentication, endpoint detection and response tools, tested offline backups, and annual security training typically receive premium reductions of 25 to 35 percent. The average small business with strong security controls pays $1,200 to $1,500 per year for $1,000,000 in coverage.

How much cyber insurance does a small business need?

Calculate minimum coverage by multiplying your number of customer records by the per-record cost in your industry ($150 to $200 for general business data, $180 to $250 for payment card data, $240 to $400 for healthcare data) and adding $500,000 for fixed base costs. Most small businesses need $1,000,000 to $3,000,000 in coverage depending on data volume and industry. Healthcare and financial services firms with significant regulated data exposure should carry $2,000,000 to $5,000,000.

Does cyber insurance cover ransomware?

Yes. Most cyber insurance policies cover ransomware payments, professional negotiation services, and system restoration costs. However, 73 percent of policies include sub-limits capping ransom payments at $100,000 to $500,000 regardless of total policy limits. Total incident costs including restoration typically run three to four times the ransom payment. Policies exclude ransomware if required security controls were not maintained or if the attack is attributed to a sanctioned entity or nation-state actor.

Does a small business need cyber insurance if it already has general liability?

Yes. General liability policies exclude cyber incidents in the overwhelming majority of policies issued after 2019. Business Owner's Policies similarly exclude cyber-caused business interruption in most cases. Cyber insurance is a separate, standalone coverage requirement. A business that experienced a data breach or ransomware attack and held only a general liability policy would find that policy does not respond to any of the incident costs.

What security controls do small businesses need to get cyber insurance?

Most carriers now require four controls as a condition of coverage: multi-factor authentication on all accounts and email (required by 98 percent of carriers), tested offline or immutable backups (required by 92 percent), endpoint detection and response tools on all devices (required by 87 percent), and annual security awareness training (required by 76 percent). Businesses without these controls will either be declined or placed at significantly higher rates. Implementing all four typically reduces premiums by 25 to 35 percent.

What questions should a small business ask its agent about cyber insurance?

Four questions every small business should raise at renewal: What does this policy actually cover for a business in our industry and what are the exclusions that would prevent a claim from being paid? Are the limits adequate given the cost of a real incident in our sector? What security controls are required to maintain coverage? When something happens, what is the claims process and who coordinates the response? An agent who cannot answer all four specifically is not equipped to place this coverage properly.

What is the difference between first-party and third-party cyber coverage?

First-party cyber coverage pays costs your business incurs directly: forensic investigation, breach notification, credit monitoring, ransom payments, system restoration, and lost revenue during downtime. Third-party cyber coverage pays claims made against your business: legal defense costs, settlements, and regulatory fines. Most small businesses need both. First-party coverage without third-party coverage leaves the business exposed to lawsuits and regulatory action. Third-party coverage without first-party coverage leaves the business paying all response costs out of pocket.