Get a quote
Cyber Insurance

Cyber Insurance for Small Businesses: What It Actually Covers and Whether You Need It

Data breaches, ransomware, and wire fraud aren't just big-company problems anymore. Here's a practical guide to cyber liability insurance — what it covers, what it doesn't, who needs it, and what it costs.

March 2026 · 12 min read

Most small business owners think of cyber attacks as something that happens to large corporations — Target, Equifax, Colonial Pipeline. The headlines reinforce this impression. But the data tells a different story. According to the FBI's Internet Crime Complaint Center, small and mid-size businesses are the most frequent targets of cyber crime. The reason is straightforward: they have valuable data and weak defenses. A 50-person accounting firm holds the same types of sensitive financial data as a multinational bank, but with a fraction of the security infrastructure.

Cyber insurance exists to cover the financial fallout when a breach, attack, or digital failure hits your business. It's a relatively young insurance product — most policies have been written in the last 15 years — and the coverage is still evolving as the threat landscape changes. That means the policies are less standardized than, say, a general liability policy, and the details matter more.

This guide covers what cyber insurance is, what it covers, what it excludes, who needs it, and what it costs. If you're a small business owner evaluating whether to add cyber coverage to your insurance program, this will give you the information to make that decision.

What Cyber Insurance Is

Cyber insurance — also called cyber liability insurance or data breach insurance — is a standalone policy that covers financial losses resulting from cyber events. These events include data breaches, ransomware attacks, business email compromise, network security failures, and privacy violations.

It is not covered by your general liability policy, your property policy, or your professional liability (E&O) policy. Courts and carriers have been litigating this for years, and the consistent result is that traditional business insurance policies were not designed to cover cyber events and generally don't. If you want coverage for digital risks, you need a cyber policy.

Cyber policies are divided into two broad categories of coverage: first-party and third-party. Most standalone policies include both, but the limits, sublimits, and specific coverages within each category vary significantly between carriers.

First-Party Coverage: Your Own Losses

First-party coverage pays for the direct costs your business incurs as a result of a cyber event. This is where the immediate, out-of-pocket impact of a breach gets addressed.

Data breach response costs

When a breach occurs, the clock starts immediately. You need to hire a forensic investigation firm to determine what happened, how the attackers got in, what data was accessed, and whether they're still in your systems. That alone typically costs $20,000 to $100,000 for a small business breach.

Then you have notification obligations. Nearly every state has a data breach notification law requiring you to notify affected individuals within a specific timeframe — often 30 to 60 days. For a breach affecting thousands of records, notification costs (printing, mailing, call center setup) can be $5 to $20 per affected record. A breach of 10,000 customer records means $50,000 to $200,000 just in notification costs.

You'll also need to provide credit monitoring services to affected individuals — typically 12 to 24 months. And you'll almost certainly want a public relations firm to manage the communications and limit reputational damage. First-party breach response coverage pays for all of this.

Breach coach / incident response panel: Most cyber policies come with access to a pre-approved panel of breach response vendors — forensic investigators, breach notification firms, PR firms, and legal counsel who specialize in data breach response. These are called "panel vendors" or "breach coaches." Using panel vendors typically streamlines the claims process and can reduce costs because the carrier has pre-negotiated rates. When evaluating policies, ask who's on the panel and whether you're required to use them.

Ransomware and extortion

Ransomware is the single biggest driver of cyber insurance claims right now. An attacker encrypts your files and demands payment — typically in cryptocurrency — to provide the decryption key. Without the key, your data is inaccessible. For many businesses, this means operations stop completely.

Cyber extortion coverage pays for the ransom itself (if you and the carrier decide paying is the best option), the cost of negotiating with the attacker (often handled by specialized negotiation firms), and the cost of restoring your systems whether or not you pay the ransom.

Ransom demands for small businesses typically range from $10,000 to $500,000. The total cost of a ransomware incident — including downtime, restoration, and lost business — averages $150,000 to $400,000 for small and mid-size businesses. This is frequently an existential event for businesses without insurance.

Business interruption

Cyber business interruption covers the income you lose and the extra expenses you incur while your systems are down following a cyber event. If ransomware takes your systems offline for two weeks and you can't process orders, serve customers, or access your files, business interruption coverage pays for the lost revenue and the additional costs of operating in a degraded state — renting temporary systems, paying overtime, using manual workarounds.

This is separate from the business interruption coverage on your property policy, which is triggered by physical events like fire or storm damage. A cyber event that takes your systems offline without any physical damage won't trigger traditional business interruption coverage. You need the cyber-specific version.

Data restoration

After an attack, you need to rebuild. Data restoration coverage pays to recover, recreate, or restore data and software that was destroyed, corrupted, or encrypted during the attack. This includes the cost of restoring from backups, rebuilding databases, reinstalling software, and verifying data integrity. For businesses without clean backups — which is more common than anyone wants to admit — this can be the most expensive part of the recovery.

Funds transfer fraud

Business email compromise (BEC) is the most financially damaging form of cyber crime. An attacker impersonates a vendor, executive, or client via email and tricks an employee into wiring money to a fraudulent account. The FBI reports that BEC losses exceed $2.7 billion annually in the U.S. alone.

Social engineering and funds transfer fraud coverage pays when your employee is deceived into transferring money. This coverage is sometimes included in the base cyber policy and sometimes offered as an endorsement. Verify it's included and check the sublimit — many policies cap this coverage at $100,000 to $250,000 even when the overall policy limit is $1 million.

Third-Party Coverage: Claims Against You

Third-party coverage pays for claims brought against your business by others as a result of a cyber event. This is the liability side of the policy.

Privacy liability

If you experience a data breach and individuals whose data was exposed sue you, privacy liability coverage pays the defense costs and any settlements or judgments. Class action lawsuits following data breaches are common, even against small businesses. A breach of customer payment card data, health records, or Social Security numbers will almost certainly generate litigation.

Network security liability

If a security failure on your network causes harm to a third party, this coverage responds. Example: your email system is compromised and used to send malware to your clients, who then suffer their own data loss. Or your network is used as a staging point for an attack on one of your business partners. Network security liability covers the resulting claims.

Regulatory proceedings

Data breaches trigger regulatory investigations. The FTC, state attorneys general, HHS (for healthcare data), and industry regulators all have enforcement authority. Regulatory coverage pays for the cost of responding to investigations — legal defense, document production, and any fines or penalties that are insurable in your jurisdiction. Note that some states prohibit insurance for certain regulatory fines, so this coverage varies by location.

Payment card industry (PCI) assessments

If you process credit card payments and suffer a breach of cardholder data, the card brands (Visa, Mastercard) can assess fines and penalties against your acquiring bank, who will pass them to you. These PCI assessments can range from $5,000 to $500,000 depending on the size and scope of the breach. Many cyber policies include coverage for PCI fines and assessments, but verify this if you accept credit card payments.

Who Needs Cyber Insurance

The short answer: any business that uses computers, email, or the internet to operate — which is effectively every business. But the urgency varies based on your exposure.

High priority

Medium priority

Don't assume you're too small

Forty-three percent of cyber attacks target businesses with fewer than 250 employees. Attackers use automated tools that scan for vulnerabilities indiscriminately — they don't check your revenue before deploying ransomware. A 20-person accounting firm is just as likely to be hit by a phishing attack as a Fortune 500 company. The difference is that the Fortune 500 company has a security operations center, an incident response team, and a $10 million cyber policy. The 20-person firm has an IT guy who comes in on Tuesdays.

Contractual requirements are growing: Even if you're not convinced by the risk alone, your clients may decide for you. An increasing number of businesses — particularly in technology, finance, and healthcare — now require their vendors and partners to carry cyber insurance as a contract condition. If you provide services to mid-size or large companies, expect to see cyber insurance requirements in your contracts within the next one to two years if they're not there already.

What Cyber Insurance Costs

Cyber insurance premiums have stabilized after significant increases during 2021-2023, driven by the ransomware surge. For small businesses, here are realistic cost ranges for a standalone cyber policy.

Premiums are influenced by your industry, revenue, number of records you hold, security posture, and claims history. Carriers will ask about specific security controls during underwriting — multi-factor authentication, endpoint detection, backup procedures, employee training, and patch management. Having these controls in place lowers your premium. Not having them can make you uninsurable with some carriers.

MFA is the new minimum: Multi-factor authentication on email, VPN, and remote access is now a baseline requirement for most cyber insurance carriers. If you don't have MFA deployed, many carriers will either decline to quote you or add a significant surcharge. This is the single most impactful security control you can implement — both for reducing your actual risk and for qualifying for better insurance terms.

Common Exclusions

Cyber policies have exclusions, and understanding them is critical. Here are the ones that catch businesses most often.

Prior and pending events

If a breach occurred before your policy inception date, it's not covered — even if you don't discover it until after the policy is in force. Most policies have a retroactive date that limits coverage to events occurring after a specified date. If you're buying cyber insurance for the first time, understand that any breach that already happened (discovered or not) is likely excluded.

Unencrypted devices

Many policies exclude or limit coverage for breaches involving data on unencrypted laptops, phones, or portable devices. If an employee's unencrypted laptop is stolen and it contains customer data, the claim may be denied or reduced. Encrypting all devices is both a security best practice and an insurance requirement.

Failure to maintain security standards

If your application stated that you have certain security controls in place and the carrier discovers during a claim that you didn't, they can deny the claim based on material misrepresentation. This is the cyber equivalent of saying your building has a sprinkler system when it doesn't. Be honest and accurate on your application.

War and nation-state attacks

The war exclusion in cyber policies has become a significant area of dispute. Carriers have attempted to deny claims for attacks attributed to nation-state actors (Russian, Chinese, North Korean government hackers) under the war exclusion. Some policies now include explicit "cyber war" exclusions. If your business is in a sector targeted by state-sponsored attackers — critical infrastructure, defense supply chain, energy — pay close attention to how the war exclusion is worded.

Voluntary shutdown

If you proactively shut down your systems as a precaution — even a reasonable one — rather than as a direct result of an attack, some policies won't cover the business interruption. The distinction between "systems were taken down by the attack" and "we shut systems down to prevent spread" matters for coverage. Check your policy's trigger language.

Infrastructure and utility outages

If your systems go down because your cloud provider, ISP, or power utility has an outage — not because of an attack on your network — many cyber policies won't respond. Some policies offer "dependent business interruption" or "system failure" coverage that extends to third-party infrastructure failures, but these are often endorsements with separate sublimits.

How to Buy Cyber Insurance

The cyber insurance market is competitive, and the product varies meaningfully between carriers. Here's how to approach the purchase.

Work with a broker who knows cyber

Cyber insurance is a specialty line. The coverage forms are not standardized across carriers the way general liability or workers' comp forms are. Two policies with the same limit and similar premiums can have dramatically different coverage. Your broker needs to understand the differences and know which carriers are best for your industry and size.

Be honest on the application

The application will ask about your security controls — MFA, backups, endpoint protection, employee training, patch management, access controls. Answer accurately. Overstating your security posture to get a better rate is a path to a denied claim. If you don't have a control in place, say so. The carrier may still quote you — possibly with an exclusion or higher deductible for that specific gap — and that's better than a denial when you need the coverage.

Understand your sublimits

A $1 million cyber policy doesn't mean you have $1 million available for every type of loss. Most policies have sublimits — caps on specific coverage components. You might have $1 million overall but only $250,000 for ransomware payments, $100,000 for funds transfer fraud, and $50,000 for regulatory fines. Read the sublimits and make sure the areas where you have the most exposure have adequate limits.

Get the incident response resources

The best cyber policies aren't just about money — they're about getting expert help fast when you're under attack. Breach coaches, forensic investigators, legal counsel, PR firms, and negotiation specialists are all available through your policy's panel. Some carriers also offer pre-breach services: security assessments, employee phishing simulations, and incident response planning. These services have real value and should factor into your carrier selection.

Cyber risk is not going away, and for most small businesses, a data breach or ransomware attack is not a question of if but when. The businesses that survive these events are the ones that prepared — both with security controls and with insurance to cover the costs that security alone can't prevent.

Find out what cyber coverage makes sense for your business.

We'll assess your exposure, explain the options in plain language, and get you quotes from carriers that know cyber. No jargon, no pressure.

Get a quote