Cyber Insurance Explained: What Small Businesses Actually Get for Their Premium
Ransomware and phishing don't respect business size. Here's what cyber insurance actually covers, what it costs, and how to get the best rates in a tightening market.

Small businesses used to think cyber insurance was for tech companies and hospitals. Then ransomware operators discovered that a 30-person dental practice, a family accounting firm, and a regional manufacturer all have valuable data, weaker defenses, and enough cash flow to pay ransoms. Today, cyber insurance is one of the fastest-growing categories in commercial insurance — and one of the most misunderstood. Here's a plain-English guide to what a modern policy really covers.
The Two Halves of a Cyber Policy
First-Party Coverage (Your Costs)
Pays your business's direct expenses after a cyber incident:
- Forensic investigation to determine what happened
- Legal fees and breach notification costs
- Credit monitoring for affected customers
- PR and reputation management
- Ransomware payments and negotiation costs, where payment is lawful (carriers screen the recipient against sanctions lists before reimbursing)
- Business interruption from downtime
- Data restoration
Third-Party Coverage (Others' Claims)
Defends and pays claims from customers, partners, and regulators:
- Class-action lawsuits from breached customers
- Regulatory fines and penalties (where insurable)
- Contractual liability to business partners
- Media liability (content published on your website)
Why General Liability Doesn't Help
Standard general liability policies exclude "electronic data" and cyber events explicitly. A ransomware attack, a customer data breach, or a business email compromise falls squarely outside their coverage. Cyber insurance exists precisely because the standard commercial policy suite doesn't touch these losses.
The Underwriting Controls That Move Your Premium
Cyber underwriting has professionalized dramatically in the past few years. Carriers now require, or heavily reward, specific security controls:
- Multi-factor authentication (MFA) on email, VPN, and admin accounts
- Endpoint Detection and Response (EDR) on all workstations and servers
- Offline or immutable backups tested at least quarterly
- Email filtering with anti-phishing and impersonation protection
- Written incident response plan
- Annual security awareness training
- Patch management with a documented cadence
Missing MFA alone can disqualify you from many carriers today. Documenting each of these before applying often reduces premiums by 20% or more.
How Much Coverage Do You Need?
A useful starting framework:
- $1M — service businesses with limited customer data
- $2M–$3M — e-commerce, healthcare, professional services with PII
- $5M+ — MSPs, fintech, or any business holding payment or health data at scale
Cross-check against your worst-case downtime cost: if a 10-day outage would cost $400,000 in revenue and recovery, a $250,000 business interruption sublimit isn't enough.
Common Exclusions to Watch
- Failure to maintain the security controls disclosed on the application
- Prior known incidents
- Acts of war (increasingly relevant with state-linked ransomware groups)
- Fines that public policy makes uninsurable
- Physical bodily injury or property damage (covered under general liability)
How to Save Money Without Cutting Real Coverage
- Deploy MFA everywhere — biggest single underwriting credit available.
- Document your controls with screenshots and policies before applying.
- Raise retention from $1,000 to $5,000 if cash reserves allow.
- Use a specialty cyber broker who accesses markets direct agents can't.
- Bundle only when a carrier offers a true standalone cyber form — some BOP endorsements are meaningfully narrower.
Real-World Example
A 15-employee accounting firm in Georgia experienced a business email compromise: an attacker impersonated a partner and rerouted a $220,000 client wire. Their cyber policy paid the wire fraud loss (subject to a $10k retention), covered the forensic investigation, and paid the legal fees for notifying affected clients. Total payout: roughly $215,000 on a policy that cost $2,400 per year. One caveat: funds-transfer and social engineering fraud is often written as a sublimit well below the main policy limit, or only by endorsement, so check that line of the policy specifically rather than assuming the full limit applies.
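The impersonation pattern in this example (a trusted name on an outside address, replies quietly steered elsewhere, payment-change language in the body) is exactly what the email filtering and impersonation-protection control listed above is meant to catch. The following Python is an added example, not code from this article or from any carrier or vendor: a minimal triage of one raw message for those signals. The firm domain example-cpa.com, the partner names, and both sample messages are constructed for illustration.

```python
"""Flag common business-email-compromise (BEC) impersonation signals in a raw message.

Added example. The company domain, the roster of protected names and the
sample messages are constructed for illustration, not taken from any real
firm or incident.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical firm: the domain and the people whose names an attacker would borrow.
COMPANY_DOMAIN = "example-cpa.com"
PROTECTED_NAMES = {"dana reyes", "priya nair"}

# Phrases that typically carry the payload of a wire-rerouting attempt.
PAYMENT_KEYWORDS = ("wire", "bank details", "routing number", "account number", "remit")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a small value between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_findings(raw_message: str) -> list[str]:
    """Return the impersonation signals found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings: list[str] = []

    # 1. A protected display name on an address outside the company domain.
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_dom}")

    # 2. A sender domain one or two characters away from the real one.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_dom} resembles {COMPANY_DOMAIN}")

    # 3. Reply-To steering replies to a domain other than the visible sender's.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {_domain(reply_addr)}, not {from_dom}")

    # 4. Payment-change language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [k for k in PAYMENT_KEYWORDS if k in text]
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))
    return findings


# Constructed sample: an attacker borrowing a partner's name from a lookalike domain.
SUSPICIOUS_MESSAGE = """\
From: Dana Reyes <dana.reyes@example-cpa.co>
To: ap@example-cpa.com
Reply-To: dana.reyes@secure-mail-relay.net
Subject: Updated wire instructions for the Harland closing
Content-Type: text/plain; charset="utf-8"

Please use the new routing number and account number below for today's wire.
"""

# Constructed sample: the same partner writing from the real domain about nothing financial.
LEGITIMATE_MESSAGE = """\
From: Dana Reyes <dana.reyes@example-cpa.com>
To: ap@example-cpa.com
Subject: Q3 planning
Content-Type: text/plain; charset="utf-8"

Can we meet Thursday to go over the quarterly numbers?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, bec_findings(raw) or ["no findings"])
```

Each finding on its own is a reason to verify a payment change out of band, by phone to a number already on file, before any wire moves; the message above trips all four. A mail gateway does the same checks at scale (plus SPF, DKIM and DMARC, which this snippet does not evaluate), but the logic is worth understanding because the human check is still the last control before the money leaves.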
Expert Insight
"Cyber underwriting has become a lot like commercial property. Show up with modern controls documented, and you get real coverage at fair prices. Show up without them, and you either can't buy at all or pay 3× the going rate." — Marcus Levine, cyber practice lead at a national brokerage
Quick Summary
- Cyber policies cover first-party (your costs) and third-party (others' claims).
- General liability excludes cyber events.
- MFA, EDR, and offline backups are baseline underwriting requirements.
- Start at $1M for services; more for businesses handling PII or payment data.
- Document controls before applying to earn premium credits.
Key Takeaways
- Cyber policies split into first-party (your costs) and third-party (others' claims) coverage.
- Ransomware, phishing, and business email compromise are the top loss drivers.
- MFA, EDR, and offline backups are now the baseline underwriting requirements.
- $1M is a reasonable floor for most small businesses; higher for those handling PII.
Frequently Asked Questions
Do I really need cyber insurance if I'm a small business?
Yes. Small businesses are among the most heavily targeted because they combine valuable data with weaker defenses and, often, enough cash flow to pay.
Does my general liability cover a data breach?
Almost never. Standard general liability policies exclude cyber and data-related losses.
How much does cyber insurance cost?
Small business policies typically start at $1,000 to $3,500 per year for $1M in coverage, subject to security controls.