iDInsuranceDaily

Cyber Insurance Explained: What Small Businesses Actually Get for Their Premium

Ransomware and phishing don't respect business size. Here's what cyber insurance actually covers, what it costs, and how to get the best rates in a tightening market.

Priya Natarajan · 10 min read

Small businesses used to think cyber insurance was for tech companies and hospitals. Then ransomware operators discovered that a 30-person dental practice, a family accounting firm, and a regional manufacturer all have valuable data, weaker defenses, and enough cash flow to pay ransoms. Today, cyber insurance is one of the fastest-growing categories in commercial insurance — and one of the most misunderstood. Here's a plain-English guide to what a modern policy really covers.

The Two Halves of a Cyber Policy

First-Party Coverage (Your Costs)

Pays your business's direct expenses after a cyber incident:

  • Forensic investigation to determine what happened
  • Legal fees and breach notification costs
  • Credit monitoring for affected customers
  • PR and reputation management
  • Ransomware payments and negotiation costs (usually sublimited, and only after the carrier's sanctions screening of the recipient)
  • Business interruption from downtime
  • Data restoration

Third-Party Coverage (Others' Claims)

Defends and pays claims from customers, partners, and regulators:

  • Class-action lawsuits from breached customers
  • Regulatory fines and penalties (where insurable)
  • Contractual liability to business partners
  • Media liability (content published on your website)
Cyber insurance covers both your recovery costs and third-party claims.

Why General Liability Doesn't Help

Standard general liability policies exclude "electronic data" and cyber events explicitly. A ransomware attack, a customer data breach, or a business email compromise falls squarely outside their coverage. Cyber insurance exists precisely because the standard commercial policy suite doesn't touch these losses.

The Underwriting Controls That Move Your Premium

Cyber underwriting has professionalized dramatically in the past few years. Carriers now require, or heavily reward, specific security controls:

  • Multi-factor authentication (MFA) on email, VPN and other remote access, and every administrative account, service and backup accounts included
  • Endpoint Detection and Response (EDR) on all workstations and servers
  • Offline or immutable backups, with a documented restore test at least quarterly
  • Email filtering with anti-phishing and impersonation protection
  • Written incident response plan
  • Annual security awareness training
  • Patch management with a documented cadence

Missing MFA alone can disqualify you from many carriers today. Documenting each of these before applying often reduces premiums by 20% or more. Keep in mind that the application becomes part of the contract: the controls you attest to have to stay in force for the whole policy term, not just on the day you apply.

How Much Coverage Do You Need?

A useful starting framework:

  • $1M — service businesses with limited customer data
  • $2M–$3M — e-commerce, healthcare, professional services with PII
  • $5M+ — MSPs, fintech, or any business holding payment or health data at scale

Cross-check against your worst-case downtime cost: if a 10-day outage would cost $400,000 in revenue and recovery, a $250,000 business interruption sublimit isn't enough.

Common Exclusions to Watch

  • Failure to maintain the security controls disclosed on the application
  • Prior known incidents
  • Acts of war (increasingly relevant with state-linked ransomware groups; newer wordings try to spell out when attribution to a state triggers the exclusion, so read the clause)
  • Fines that public policy makes uninsurable
  • Physical bodily injury or property damage (covered under general liability)
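The controls list above and the "failure to maintain disclosed controls" exclusion are two sides of the same problem: the answers on the application have to match what is actually running, and they have to keep matching. The script below is an added example, not code from the article or from any carrier. It takes the kind of exports a small business already has (an identity-provider user list, an endpoint inventory, a backup restore-test log), all constructed inline here, and reports which of the checklist controls are not in force on a given date. The role names, field names and thresholds (30-day patch cadence, a successful restore within 90 days) are assumptions; set them to whatever your application states.

```python
"""Control-drift audit against a cyber-insurance application.

Added example, not code from the article or any carrier. Inputs are
constructed inline to stand in for an IdP export, an endpoint inventory
and a backup restore-test log. Thresholds are assumptions.
"""
from datetime import date

# Constructed sample data: a few accounts as an IdP/VPN export might show them.
ACCOUNTS = [
    {"user": "a.patel",    "roles": ["admin", "email"], "mfa": True},
    {"user": "svc-backup", "roles": ["admin"],          "mfa": False},  # service account
    {"user": "j.lee",      "roles": ["email", "vpn"],   "mfa": True},
    {"user": "m.ortiz",    "roles": ["email", "vpn"],   "mfa": False},
]

# Constructed endpoint inventory: EDR agent status and last patch date.
ENDPOINTS = [
    {"host": "ws-01",    "edr_agent": True,  "last_patch": date(2024, 5, 2)},
    {"host": "ws-02",    "edr_agent": False, "last_patch": date(2024, 5, 2)},
    {"host": "srv-fs01", "edr_agent": True,  "last_patch": date(2024, 1, 10)},
]

# Constructed restore-test log: when a backup was actually restored and checked.
BACKUP_TESTS = [
    {"date": date(2024, 1, 15), "restored_ok": True},
    {"date": date(2024, 4, 12), "restored_ok": True},
    {"date": date(2024, 5, 1),  "restored_ok": False},  # a failed test does not count
]

# Assumed thresholds matching the checklist: MFA on email, VPN and admin;
# patches within 30 days; a successful restore test within the last quarter.
MFA_REQUIRED_ROLES = {"admin", "email", "vpn"}
PATCH_CADENCE_DAYS = 30
BACKUP_TEST_MAX_AGE_DAYS = 90
AUDIT_DATE = date(2024, 5, 20)  # the "as of" date for the sample run


def mfa_gaps(accounts):
    """Accounts that need MFA (by role) but do not have it enforced."""
    return [a["user"] for a in accounts
            if not a["mfa"] and MFA_REQUIRED_ROLES & set(a["roles"])]


def edr_gaps(endpoints):
    """Hosts with no EDR agent reporting."""
    return [e["host"] for e in endpoints if not e["edr_agent"]]


def patch_gaps(endpoints, today, cadence_days=PATCH_CADENCE_DAYS):
    """Hosts whose last patch is older than the documented cadence."""
    return [e["host"] for e in endpoints
            if (today - e["last_patch"]).days > cadence_days]


def backup_test_current(tests, today, max_age_days=BACKUP_TEST_MAX_AGE_DAYS):
    """True only if a *successful* restore test happened within the window."""
    passed = [t["date"] for t in tests if t["restored_ok"]]
    return bool(passed) and (today - max(passed)).days <= max_age_days


def audit(accounts, endpoints, tests, today):
    """Collect every gap; 'attestable' is True only when nothing is open."""
    findings = {
        "mfa_missing": mfa_gaps(accounts),
        "edr_missing": edr_gaps(endpoints),
        "patch_overdue": patch_gaps(endpoints, today),
        "backup_test_current": backup_test_current(tests, today),
    }
    findings["attestable"] = (not findings["mfa_missing"]
                              and not findings["edr_missing"]
                              and not findings["patch_overdue"]
                              and findings["backup_test_current"])
    return findings


if __name__ == "__main__":
    report = audit(ACCOUNTS, ENDPOINTS, BACKUP_TESTS, today=AUDIT_DATE)
    for control, result in report.items():
        print(f"{control:>20}: {result}")
```

Run on the sample data it reports the unenforced service account and one user without MFA, the workstation with no EDR agent, and a file server that has gone more than 30 days without patching, while the backup test is current. The point of running something like this monthly is that each of those findings is exactly the kind of drift that turns a covered claim into a disputed one under the exclusion above, and the dated output is the documentation a broker asks for.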

How to Save Money Without Cutting Real Coverage

  1. Deploy MFA everywhere — biggest single underwriting credit available.
  2. Document your controls with screenshots and policies before applying.
  3. Raise retention from $1,000 to $5,000 if cash reserves allow.
  4. Use a specialty cyber broker who accesses markets direct agents can't.
  5. Bundle only when a carrier offers a true standalone cyber form — some BOP endorsements are meaningfully narrower.

Real-World Example

A 15-employee accounting firm in Georgia experienced a business email compromise: an attacker impersonated a partner and rerouted a $220,000 client wire. Their cyber policy paid the wire fraud loss (subject to a $10k retention), covered forensic investigation, and paid legal fees for notifying affected clients. Total payout: roughly $215,000 on a policy that cost $2,400 per year. One caveat worth checking on your own policy: funds-transfer and social-engineering fraud of this kind is often written as a sublimited endorsement rather than part of the base cyber form, so confirm that the sublimit would actually cover your largest routine wire.

Expert Insight

"Cyber underwriting has become a lot like commercial property. Show up with modern controls documented, and you get real coverage at fair prices. Show up without them, and you either can't buy at all or pay 3× the going rate." — Marcus Levine, cyber practice lead at a national brokerage

Quick Summary

  • Cyber policies cover first-party (your costs) and third-party (others' claims).
  • General liability excludes cyber events.
  • MFA, EDR, and offline backups are baseline underwriting requirements.
  • Start at $1M for services; more for businesses handling PII or payment data.
  • Document controls before applying to earn premium credits.

Key Takeaways

  1. Cyber policies split into first-party (your costs) and third-party (others' claims) coverage.
  2. Ransomware, phishing, and business email compromise are the top loss drivers.
  3. MFA, EDR, and offline backups are now the baseline underwriting requirements.
  4. $1M is a reasonable floor for most small businesses; higher for those handling PII.

Frequently Asked Questions

Do I really need cyber insurance if I'm a small business?

Yes. Small businesses are the most-targeted segment because they combine valuable data with weaker defenses.

Does my general liability cover a data breach?

Almost never. Standard general liability policies exclude cyber and data-related losses.

How much does cyber insurance cost?

Small business policies typically start at $1,000 to $3,500 per year for $1M in coverage, subject to security controls.
