⚡ Quick Answer
Small businesses (under $5M revenue) typically pay $1,000 to $7,500 annually for cyber insurance, with coverage limits of $500,000 to $2,000,000. Key cost factors include revenue, number of sensitive records held, industry type, and security controls. Businesses with MFA, documented backup procedures, and incident response plans can reduce premiums by 20-40%.
📌 Key Takeaways
- Small business cyber insurance starts around $1,000/year: Micro-businesses with minimal data exposure pay $1,000-$2,500; businesses handling customer data pay $2,500-$7,500
- $1M coverage is the most common starting limit: Sufficient for most SMBs with fewer than 100,000 customer records
- Three factors dominate pricing: Annual revenue, number of sensitive records, and industry type account for 70%+ of premium calculation
- MFA alone can reduce premiums 5-10%: The single most impactful security control for small business pricing
- Bundle coverage for savings: Combining cyber with a BOP (Business Owner's Policy) can save 10-15%
- Don't skip coverage because you're small: 43% of cyberattacks target small businesses, and 60% of breached SMBs close within 6 months
Small Business Cyber Insurance Cost Ranges
By Revenue Tier
| Annual Revenue | Typical Premium | Recommended Limit | Typical Deductible |
|---|---|---|---|
| Under $250K | $1,000-$2,000 | $500K | $1,000-$2,500 |
| $250K-$1M | $1,500-$3,500 | $500K-$1M | $2,500-$5,000 |
| $1M-$5M | $2,500-$7,500 | $1M-$2M | $5,000-$10,000 |
| $5M-$25M | $5,000-$15,000 | $1M-$5M | $10,000-$25,000 |
By Industry
| Industry | Premium Range | Why |
|---|---|---|
| Professional services | $1,500-$5,000 | Lower data volume, moderate risk |
| Retail / e-commerce | $2,500-$10,000 | Payment card data, PCI requirements |
| Healthcare (small practice) | $5,000-$15,000 | PHI, HIPAA obligations |
| Financial services | $5,000-$20,000 | Financial data, regulatory requirements |
| Technology / SaaS | $3,000-$12,000 | Customer data custody, platform risk |
| Construction / trades | $1,000-$3,000 | Low data volume, minimal exposure |
| Nonprofit | $1,500-$5,000 | Donor data, limited budgets |
By Number of Records Held
| Records Held | Premium Impact |
|---|---|
| Under 1,000 | Base rate |
| 1,000-10,000 | +10-15% |
| 10,000-50,000 | +20-30% |
| 50,000-100,000 | +30-50% |
| Over 100,000 | Custom pricing required |
What Small Business Cyber Insurance Covers
First-Party Coverage (Your Direct Losses)
| Coverage | What It Pays | Typical Sub-Limit |
|---|---|---|
| Data breach response | Forensics, notification, credit monitoring | Up to policy limit |
| Business interruption | Lost revenue during downtime | 25-50% of total limit |
| Ransomware / extortion | Ransom payment, negotiation, recovery | 25-50% of total limit |
| Data recovery | Restoring systems and data | Up to policy limit |
| Crisis management | PR, legal guidance, communication | $25,000-$100,000 |
Third-Party Coverage (Claims Against You)
| Coverage | What It Pays | Typical Sub-Limit |
|---|---|---|
| Legal defense | Attorney fees, court costs | Up to policy limit |
| Settlements / judgments | Payments to affected parties | Up to policy limit |
| Regulatory fines | HIPAA, PCI, state AG penalties (where insurable) | Varies by state |
| Media liability | Content-related claims | $100,000-$250,000 |
How to Use the Calculator
Step 1: Enter Your Business Profile
Use the cyber insurance calculator on our homepage to input:
- Annual revenue — Primary premium driver
- Industry — Determines risk classification
- Number of employees — Affects attack surface
- Sensitive records held — Customer PII, financial data, health data
- Current security controls — MFA, backups, encryption, training
Step 2: Review Your Estimate
The calculator provides a premium range based on market data. Remember:
- This is a planning estimate, not a binding quote
- Actual premiums depend on underwriting review
- Use it to budget and prioritize security investments
Step 3: Model Security Improvements
Create a second scenario with improved controls:
| Control Added | Estimated Premium Reduction |
|---|---|
| MFA on all email & VPN | 5-10% |
| Endpoint detection (EDR) | 5-10% |
| Documented backup testing | 5-15% |
| Incident response plan | 5-10% |
| Security awareness training | 3-5% |
| All of the above combined | 20-40% |
Step 4: Get Real Quotes
Use your estimate to:
- Validate that quotes you receive are reasonable
- Demonstrate to brokers that you understand market pricing
- Compare at least 3 carrier quotes
Cost Reduction Strategies for Small Businesses
Immediate Actions (Free or Low Cost)
- Enable MFA everywhere — Most email and cloud platforms include MFA at no extra cost
- Update all software — Patch management eliminates known vulnerabilities that insurers penalize
- Document your backup procedures — Even simple documentation counts with underwriters
- Review data collection — Stop collecting data you don’t need; less data = lower risk = lower premium
Short-Term Investments (1-3 months)
- Deploy basic endpoint protection — EDR solutions start at $3-5/device/month
- Create an incident response plan — Use free templates from NIST or SANS
- Implement email authentication — SPF, DKIM, and DMARC records reduce BEC risk
- Start security awareness training — Monthly phishing simulations run $2-5/user/month
Medium-Term Improvements (3-6 months)
- Pursue basic security certification — SOC 2 Type I or Cyber Essentials
- Implement network segmentation — Separate guest WiFi, POS, and corporate networks
- Establish vendor risk management — Document security requirements for key vendors
Common Small Business Coverage Mistakes
Mistake 1: Relying on General Liability
General liability policies exclude cyber events. A data breach, ransomware attack, or business email compromise is not covered without a dedicated cyber policy or endorsement.
Mistake 2: Underinsuring Due to “We’re Too Small to Target”
43% of cyberattacks target small businesses. Automated attacks don’t discriminate by company size. If you have email, a website, or customer data, you’re a target.
Mistake 3: Ignoring Business Interruption
A ransomware attack can take a small business offline for 2-3 weeks. Without business interruption (BI) coverage, lost revenue during recovery comes entirely from your pocket.
Mistake 4: Skipping the Application Homework
Incomplete applications lead to higher quotes or denials. Take time to document your security controls thoroughly. Underwriters reward businesses that can demonstrate proactive security.
Mistake 5: Not Comparing Multiple Quotes
Cyber insurance pricing varies widely between carriers. The same business can receive quotes ranging from $3,000 to $8,000 for identical coverage. Always compare at least 3 quotes.
Practical Workflow
- Run the homepage calculator with your current security posture
- Save a second scenario with improved controls to see potential savings
- Compare deductible and limit trade-offs — higher deductibles reduce premiums
- Turn gaps into a 90-day remediation checklist — prioritize MFA, backups, and an incident response plan (IRP)
Decision Checklist
- Verify first-party and third-party limits separately
- Confirm sub-limits for ransomware and social engineering
- Validate waiting periods for business interruption
- Ensure panel counsel and breach coach terms fit your operations
- Check that coverage extends to remote workers and cloud services
- Verify policy covers your specific industry risks
- Compare at least 3 carrier quotes
Frequently Asked Questions (FAQ)
Is this a quote?
No. This is a directional model for planning and negotiation. Actual premiums require underwriting review of your specific risk profile.
How often should we revisit our premium?
At least annually during renewal. Also revisit after major changes: new cloud services, significant revenue growth, acquisitions, or security incidents.
Can stronger controls really lower my premium?
Yes. Underwriters consistently reward MFA deployment, backup testing, EDR implementation, and documented incident response plans. Combined savings of 20-40% are achievable.
Do I need cyber insurance if I use cloud services?
Yes. Cloud providers (AWS, Azure, Google Cloud) operate under a shared responsibility model. They secure the infrastructure; you are responsible for your data, access controls, and configurations. Cloud outages and misconfigurations can cause losses that your cyber policy covers.
What’s the minimum coverage a small business should carry?
Most experts recommend at least $1M in combined limits for any business handling customer data. The cost is typically $2,000-$5,000/year — far less than the average SMB breach cost of $100,000-$200,000.
Can I get cyber insurance if I’ve had a prior breach?
Yes, but expect higher premiums (20-50% increase). Demonstrating post-breach security improvements can mitigate the increase. Be transparent — failing to disclose prior incidents can void coverage.
How long does it take to get a cyber insurance policy?
Simple applications for small businesses can be approved in 1-2 weeks. Complex applications requiring additional underwriting review may take 3-4 weeks. Start the process at least 30 days before you need coverage.
What happens if I need to file a claim?
Most carriers require notification within 24-72 hours of discovering an incident. They typically assign a breach coach and provide pre-approved forensic, legal, and communication vendors. See our Claims Process Guide for detailed steps.