Cyberattacks are now the most common threat facing small businesses. Cyber insurance covers the full cost of a breach — from forensic investigation and notification expenses to ransomware payments and regulatory fines. Learn what coverage you need and what it costs in 2026.
Cybercriminals have shifted their primary focus to small and medium-sized businesses. Large enterprises have dedicated security teams and sophisticated defenses — SMBs often do not. According to the Verizon Data Breach Investigations Report, over 43% of all reported breaches in 2024–2025 involved small businesses.
The average cost of a data breach for an SMB now exceeds $120,000 — and in industries handling sensitive data like healthcare or financial services, that figure climbs well above $500,000. Standard commercial insurance policies (GL, BOP, commercial property) do not cover cybersecurity incidents. Cyber insurance is the only product specifically designed to fill this gap.
ℹ The Coverage Gap in Standard Policies
First-party coverage pays the costs your business directly incurs as a result of a cyber incident.
Third-party coverage pays claims made against your business by others as a result of a cyber event.
Ransomware attacks — where cybercriminals encrypt your data and demand payment to restore access — are now the most common and costly type of cyber incident for SMBs. Average ransomware demands for small businesses range from $50,000 to $500,000+, and even if you refuse to pay, recovery costs can be just as high.
⚠ OFAC Compliance — Ransomware Payments to Sanctioned Groups
Business Email Compromise (BEC) and social engineering attacks trick employees into transferring funds, paying fake invoices, or sharing credentials. BEC is now the single largest source of financial losses from cybercrime according to the FBI IC3 report — with losses exceeding $3 billion in 2024.
💡 Social Engineering Coverage Is Usually a Sublimit Add-On
| Attack Type | How It Works |
|---|---|
| CEO Fraud / BEC | Spoofed exec email directing wire transfer |
| Vendor Invoice Scam | Fake invoices mimicking real suppliers |
| Payroll Diversion | Changing direct deposit to attacker account |
| Phishing | Credential theft via fraudulent login pages |
| Voice Phishing (Vishing) | Phone calls impersonating IT or banks |
| SMS Phishing (Smishing) | Text messages with malicious links |
Cyber insurance premiums are driven by your industry, revenue, data volumes, security controls, and claims history. After years of significant rate increases (2021–2023), the market has stabilized somewhat — but carriers now conduct more rigorous security assessments before binding.
| Business Type | Limit | Est. Annual Premium | Notes |
|---|---|---|---|
| Small retail / boutique | $500K | $700 – $1,400 | Low PII volume |
| Professional services firm | $1M | $1,200 – $2,500 | Client data exposure |
| Small medical / dental practice | $1M | $3,000 – $6,000 | HIPAA regulated; high risk |
| E-commerce store (<$5M revenue) | $1M | $1,500 – $3,500 | Payment card data |
| Financial services firm | $2M | $4,000 – $9,000 | High-value target |
| K-12 school / education | $1M | $2,500 – $5,000 | Student records |
| Tech company (SaaS/software) | $2M | $3,000 – $7,500 | Network security exposure |
| Restaurant chain (POS data) | $1M | $1,800 – $4,000 | Credit card data |
As of 2025–2026, cyber insurers have significantly raised the bar for minimum security controls. Failing to have these in place will result in declined applications, restricted coverage, or significantly higher premiums.
| Control | Carrier Stance | Requirement |
|---|---|---|
| Multi-Factor Authentication (MFA) | Required | Required on all email (O365/Gmail), remote access (VPN, RDP), and privileged/admin accounts. Some carriers require MFA on all systems, not just critical ones. |
| Endpoint Detection & Response (EDR) | Required | Basic antivirus is no longer sufficient. EDR tools (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) provide the behavioral monitoring carriers now require. |
| Encrypted Backups (Offline/Immutable) | Required | Backups must be encrypted and stored offline or in immutable cloud storage where ransomware cannot reach them. The 3-2-1 backup rule is the minimum: 3 copies, 2 media types, 1 offsite. |
| Patch Management | Required | Critical patches applied within 30 days. No unpatched internet-facing systems with known critical CVEs; such systems are a common point of entry for ransomware. |
| Employee Security Training | Strongly Recommended | Annual security awareness training with phishing simulations. Some carriers offer premium discounts for documented training programs. |
| Incident Response Plan | Strongly Recommended | A written IR plan reduces breach costs and speeds recovery. Some carriers require an IR plan for limits above $1M. |
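As an added example (not from the article, and not any carrier's own tooling), the Python script below scores a constructed asset inventory against the four required controls listed above: MFA on email, remote-access and admin accounts, EDR on every host, the 30-day critical patch SLA on internet-facing systems, and the 3-2-1 backup rule with encryption and at least one offline or immutable copy. The inventory field names, account and host names, and the CVE id are assumptions made up for illustration.

```python
from datetime import date

PATCH_SLA_DAYS = 30          # "critical patches applied within 30 days"
AS_OF = date(2026, 6, 14)    # assumed assessment date

def check_mfa(accounts):
    """Email, remote-access and privileged accounts that lack MFA."""
    return [a["name"] for a in accounts
            if a["type"] in ("email", "remote_access", "admin") and not a["mfa"]]

def check_edr(hosts):
    """Hosts with no EDR agent (plain antivirus does not satisfy the control)."""
    return [h["name"] for h in hosts if not h["edr"]]

def check_patching(hosts, today):
    """Internet-facing hosts carrying a critical CVE older than the SLA."""
    return [(h["name"], c["id"], (today - c["published"]).days)
            for h in hosts if h["internet_facing"]
            for c in h["critical_cves"]
            if (today - c["published"]).days > PATCH_SLA_DAYS]

def check_backups(copies):
    """3-2-1 rule plus encryption and one copy ransomware cannot reach."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["media"] for c in copies}) >= 2,
        "one_offsite": any(c["offsite"] for c in copies),
        "all_encrypted": all(c["encrypted"] for c in copies),
        "offline_or_immutable": any(c["offline"] or c["immutable"] for c in copies),
    }

def assess(inventory, today=AS_OF):
    """Findings an underwriter would flag; all-empty means the baseline is met."""
    gaps = [k for k, ok in check_backups(inventory["backups"]).items() if not ok]
    return {"mfa_missing": check_mfa(inventory["accounts"]),
            "edr_missing": check_edr(inventory["hosts"]),
            "patch_overdue": check_patching(inventory["hosts"], today),
            "backup_gaps": gaps}

# Constructed sample inventory; names and the CVE id are placeholders, not real data.
INVENTORY = {
    "accounts": [{"name": "ceo@example.test", "type": "email", "mfa": True},
                 {"name": "vpn-svc", "type": "remote_access", "mfa": False},
                 {"name": "domain-admin", "type": "admin", "mfa": True}],
    "hosts": [{"name": "web-01", "internet_facing": True, "edr": True,
               "critical_cves": [{"id": "CVE-PLACEHOLDER-1", "published": date(2026, 4, 1)}]},
              {"name": "pos-02", "internet_facing": False, "edr": False, "critical_cves": []}],
    "backups": [{"media": "disk", "offsite": False, "offline": False, "immutable": False, "encrypted": True},
                {"media": "cloud", "offsite": True, "offline": False, "immutable": True, "encrypted": True}],
}
```

Running `assess(INVENTORY)` on the sample flags the VPN account without MFA, the POS host without EDR, the 74-day-old critical CVE on the internet-facing web host, and the missing third backup copy.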
| Industry | Key Exposures |
|---|---|
| Healthcare & Dental Practices | HIPAA breach penalties + patient PHI exposure. Average healthcare breach: $10.9M (IBM 2024). |
| Financial Services & Accounting | High-value targets for BEC and financial fraud. Regulatory requirements (SOX, GLBA). |
| Law Firms | Confidential client data, wire transfer risk. ABA Ethics Rules require data security. |
| E-Commerce Retailers | Payment card data (PCI DSS obligations) and customer PII. |
| Technology Companies | Network security liability to downstream clients. Software defect risk. |
| School Districts / Universities | Student records (FERPA), vulnerable IT infrastructure, frequent ransomware targets. |
| Nonprofits | Donor data, grant records, often under-resourced for IT security. |
| Real Estate / Property Management | Wire fraud risk, tenant data, escrow account exposure. |
Cyber insurance covers two broad categories. First-party coverage pays costs your business directly incurs: forensic investigation costs, data breach notification expenses, credit monitoring for affected customers, ransomware payments and negotiation costs, business interruption from a cyber event, and data recovery. Third-party coverage pays when you are liable to others: legal defense, regulatory fines, settlements from lawsuits filed by customers or partners whose data was compromised.
A small business with under $5M in revenue and moderate data exposure typically pays $1,000–$3,500 per year for $1M in cyber coverage. Businesses handling sensitive health data (HIPAA), financial records, or large volumes of payment card data pay more — often $3,500–$7,500+. The cost has stabilized in 2025–2026 after significant increases in 2021–2023, but carriers now require more security controls before binding coverage.
Yes, virtually all cyber insurers now require MFA as a baseline security control — especially for email, remote access (VPN, RDP), and privileged accounts. Applications that cannot confirm MFA is deployed will either be declined or face significant premium increases. Other near-universal requirements include encrypted backups, endpoint detection and response (EDR), and patching policies.
It depends on your policy. Social engineering coverage (business email compromise/BEC, wire fraud, phishing-induced fund transfers) is typically an optional add-on, not a standard inclusion. Some policies cap social engineering coverage at $100K–$250K even if your overall cyber limit is $1M. If your business regularly initiates wire transfers, verify that social engineering coverage is included and the sublimit is adequate.
If you store customer information (names, emails, addresses, payment data, health records, SSNs), accept credit cards, or use cloud software to run your business — yes. Small businesses are disproportionately targeted because they often have less security infrastructure. The average cost of a data breach for a small business exceeded $120,000 in 2025 according to IBM and Ponemon Institute research — enough to put many businesses under. Even a basic $500K cyber policy can be the difference between surviving and closing.
Michael Torres
Commercial Lines Insurance Specialist
This article was researched and written by the Cover Forge USA editorial team against federal sources (NAIC, CMS, FEMA, DOL, SSA, state DOIs) and standard policy forms. Bylines organize content by topic — they do not assert individual licensure. See our editorial-policy for details.
Reviewed 2026-06-14