Quick Answer
Small business cyber insurance premiums typically range from $1,000 to $7,500 annually for $1 million in coverage, with exact costs determined by your industry risk profile, annual revenue, data sensitivity, and documented security controls. Businesses with multi-factor authentication, tested backups, and incident response plans can often secure premiums 15-30% lower than those without these controls.
Key Takeaways
- Industry risk classification is the primary premium driver — healthcare, financial services, and retail face higher base rates due to sensitive data exposure and regulatory requirements
- Security controls can reduce premiums by 15-30% — MFA, endpoint detection, backup testing, and documented incident response plans are the most impactful factors
- Coverage limits and deductibles have non-linear cost relationships — doubling your limit rarely doubles your premium, and higher deductibles can yield significant savings
- Data type and volume significantly affect pricing — storing PCI, PHI, or PII data increases premiums due to breach notification and remediation costs
- Annual policy review is essential — underwriting requirements evolve rapidly, and controls that satisfied carriers last year may be insufficient today
TL;DR
Use this guide with the homepage estimator to model premium impact, identify likely exclusions, and prioritize controls that reduce underwriting friction. The estimator provides directional guidance based on industry benchmarks and helps you understand which factors have the greatest impact on your quote.
Why This Matters
Cyber insurance pricing is heavily influenced by business profile and proof of security controls. Teams that document MFA coverage, backup testing, and incident response readiness typically secure better quotes and fewer restrictive endorsements. Unlike general liability insurance, cyber coverage underwriting scrutinizes your actual technical environment, making preparation essential before engaging brokers or carriers.
The cyber insurance market has hardened significantly since 2020, with premiums increasing 50-100% in many segments. However, well-prepared organizations with strong security postures continue to secure competitive rates. Understanding the factors that drive pricing allows you to focus your efforts on the controls that matter most to underwriters.
Factors That Affect Cyber Insurance Premiums
Industry Risk Classification
Your industry is the starting point for underwriting assessment. Carriers classify industries based on historical breach data, regulatory requirements, and typical attack surfaces.
| Industry | Risk Level | Typical Annual Premium Range* | Key Risk Factors |
|---|---|---|---|
| Healthcare | High | $3,000 - $15,000 | PHI exposure, HIPAA compliance, ransomware targets |
| Financial Services | High | $2,500 - $12,000 | Financial data, regulatory scrutiny, wire fraud risk |
| Retail/E-commerce | Medium-High | $1,500 - $8,000 | PCI data, high transaction volume, third-party integrations |
| Technology/SaaS | Medium | $1,200 - $6,000 | IP exposure, customer data, development environments |
| Manufacturing | Medium | $1,000 - $5,000 | OT/IT convergence, supply chain risk, trade secrets |
| Professional Services | Medium | $1,000 - $4,500 | Client data, email compromise risk, regulatory clients |
| Construction | Low-Medium | $800 - $3,500 | Limited data exposure, fewer digital touchpoints |
| Hospitality | Medium | $1,200 - $5,000 | Payment data, guest PII, booking system integrations |
*Based on $1M coverage limit for businesses with $1-5M annual revenue
Annual Revenue and Business Size
Revenue serves as a proxy for data volume, transaction complexity, and potential loss severity. Higher revenue generally correlates with higher premiums, but not linearly.
| Annual Revenue | Expected Premium Range* | Typical Coverage Limit |
|---|---|---|
| Under $500K | $800 - $2,000 | $500K - $1M |
| $500K - $1M | $1,200 - $3,500 | $1M |
| $1M - $5M | $1,500 - $5,000 | $1M - $2M |
| $5M - $25M | $3,000 - $12,000 | $2M - $5M |
| $25M - $100M | $8,000 - $35,000 | $5M - $10M |
| Over $100M | $25,000+ | $10M+ (often layered) |
*Varies significantly by industry and security posture
Data Type and Sensitivity
The type of data you collect, process, and store directly impacts your risk profile and premium.
Highest Impact Data Types:
- Protected Health Information (PHI): Subject to HIPAA; healthcare carries the highest average breach cost of any industry ($10.93M per incident in IBM's 2023 Cost of a Data Breach report), driven by notification, remediation, and regulatory response
- Payment Card Data (PCI): Subject to PCI DSS; card brand fines, mandatory forensic investigation (PFI) costs, and card reissuance
- Personally Identifiable Information (PII): State breach notification laws; class action litigation risk
- Financial Account Data: Bank account numbers, tax IDs; direct financial fraud potential
Moderate Impact:
- Intellectual property and trade secrets
- Customer behavioral data
- Employee HR records
- Vendor/supplier information
Lower Impact:
- Aggregated/anonymized data
- Publicly available information
- Internal operational data without PII
Security Controls and Documentation
Security controls are the factor most within your control. Well-documented controls can reduce premiums by 15-30% and improve coverage terms. The per-control estimates below are indicative and do not stack additively; the combined effect generally stays within that 15-30% range.
High-Impact Controls (10-15% reduction each):
- Multi-factor authentication on email, all privileged accounts, and remote access
- Endpoint detection and response (EDR) solutions
- Regular backup testing with offline copies
- Documented incident response plan with tabletop exercises
- Security awareness training for all employees
Moderate-Impact Controls (5-10% reduction each):
- Email filtering and anti-phishing solutions
- Patch management program
- Network segmentation
- Vendor risk management program
- Cybersecurity insurance requirement in vendor contracts
Emerging Requirements:
- Privileged access management (PAM)
- Zero trust architecture elements
- Cybersecurity certifications (SOC 2, ISO 27001)
- Regular penetration testing
Premium Examples by Scenario
Scenario 1: Low-Risk Professional Services Firm
- Industry: Accounting firm
- Revenue: $2M annually
- Data: Client financial records, some PII
- Security: Basic MFA on email, annual training, cloud backup
- Estimated Premium: $2,800 - $4,200/year for $1M coverage
- Key Factors: Professional services classification, moderate data sensitivity, basic controls
Scenario 2: Medium-Risk Healthcare Practice
- Industry: Medical practice (15 physicians)
- Revenue: $4M annually
- Data: PHI for 25,000 patients, billing information
- Security: HIPAA compliance program, MFA, EDR, annual risk assessment
- Estimated Premium: $6,500 - $12,000/year for $1M coverage
- Key Factors: Healthcare classification, PHI exposure, regulatory requirements
Scenario 3: High-Risk E-commerce Retailer
- Industry: Online retail
- Revenue: $8M annually
- Data: Payment cards, customer PII, 100,000+ records
- Security: PCI-DSS compliance, MFA, WAF, SOC 2 Type II, pen testing
- Estimated Premium: $9,000 - $16,000/year for $2M coverage
- Key Factors: High transaction volume, PCI exposure, strong security posture
Scenario 4: Well-Prepared Technology Company
- Industry: B2B SaaS provider
- Revenue: $5M annually
- Data: Customer data, limited PII
- Security: SOC 2 Type II, MFA everywhere, EDR, IR plan, pen testing, zero trust elements
- Estimated Premium: $3,200 - $5,500/year for $2M coverage
- Key Factors: Strong security documentation offsets industry risk, SOC 2 certification
Coverage Options Comparison
| Coverage Type | What It Covers | Typical Sub-Limit | Importance Level |
|---|---|---|---|
| Business Interruption | Lost income during system downtime | 100% of limit or separate sub-limit | Critical for revenue-dependent businesses |
| Data Restoration | Costs to recover/restore data | 25-50% of limit | High if data is core to operations |
| Ransomware Extortion | Ransom payments and negotiation | $250K - $1M sub-limit | High for targeted industries |
| Regulatory Defense | Legal costs for regulatory actions | $250K - $500K sub-limit | Critical for regulated industries |
| Media Liability | Website content liability | $100K - $250K sub-limit | Moderate for most businesses |
| Social Engineering | Fraudulent transfer losses | $100K - $500K sub-limit | High for finance functions |
| Reputation Management | PR costs after breach | $50K - $100K sub-limit | Moderate, often overlooked |
| Third-Party Liability | Claims from affected parties | Part of aggregate limit | Essential for B2B businesses |
First-Party vs. Third-Party Coverage
First-Party Coverage protects your own losses:
- Incident response and forensic investigation
- Data recovery and restoration
- Business interruption losses
- Ransomware payments
- Crisis management and notification costs
- Cyber extortion negotiations
Third-Party Coverage protects against claims from others:
- Privacy liability claims
- Security failure claims
- Media liability claims
- Regulatory fines and penalties (where insurable)
- Contractual liability to customers
Most small businesses should prioritize first-party coverage, as immediate response costs often exceed liability claims in the early stages of an incident.
How to Reduce Premiums Through Security Improvements
Immediate Impact Actions (0-90 days)
- Implement MFA everywhere
  - Email, remote access (VPN/RDP), cloud services, administrative consoles
  - Document the implementation with screenshots, coverage figures, and policies
  - Estimated impact: 10-15% premium reduction
- Test your backups
  - Document quarterly restore tests with dates, scope, and results; a completed backup job is not a tested restore
  - Include offline/air-gapped or immutable backup copies
  - Estimated impact: 10-12% premium reduction
- Deploy endpoint detection (EDR)
  - Replace basic antivirus with EDR solutions
  - Document coverage percentage across all endpoints, servers included
  - Estimated impact: 8-12% premium reduction
- Create incident response plan
  - Document roles, communication channels, and escalation paths
  - Include contact information for breach counsel and forensics, and the carrier's notification requirements
  - Estimated impact: 5-10% premium reduction
Medium-Term Improvements (90-180 days)
- Conduct tabletop exercises
  - Simulate ransomware and business email compromise scenarios
  - Document lessons learned and plan updates
  - Estimated impact: 5-8% premium reduction
- Implement vendor risk management
  - Assess critical vendor security practices
  - Require cyber insurance in vendor contracts
  - Estimated impact: 3-5% premium reduction
- Achieve security certification
  - SOC 2 Type I, then Type II
  - ISO 27001 for international operations
  - Estimated impact: 10-15% premium reduction
- Network segmentation
  - Separate critical systems from the general network
  - Limit lateral movement potential
  - Estimated impact: 5-8% premium reduction
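The restore test under "Test your backups" is worth automating so that each quarterly run leaves an auditable record rather than a screenshot of a green backup job. The following Python script is an added example, not code from this page or from any carrier's or backup vendor's tooling. It builds a SHA-256 manifest at backup time, restores the archive into a scratch directory while refusing archive members that would escape it, compares every restored file against the manifest, and returns a dated result record for the documentation package. The directory layout, file contents, archive names, and the second, tampered archive are constructed sample data; the tar.gz format stands in for whatever backup tool is actually in use.

```python
"""Quarterly backup restore test that produces an evidence record (added example)."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256, captured at backup time and kept apart from the archive."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def make_backup(source_dir: Path, archive: Path) -> None:
    """Write a gzip tarball of source_dir (stand-in for the real backup tool)."""
    with tarfile.open(archive, "w:gz") as tf:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tf.add(p, arcname=p.relative_to(source_dir).as_posix())


def _safe_members(tf: tarfile.TarFile, restore_dir: Path):
    """Yield only regular files/dirs that stay inside restore_dir (blocks '../' and absolute names)."""
    root = restore_dir.resolve()
    for member in tf.getmembers():
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular archive member: {member.name}")
        dest = (root / member.name).resolve()
        if dest != root and root not in dest.parents:
            raise ValueError(f"archive member escapes restore directory: {member.name}")
        yield member


def restore_and_verify(archive: Path, manifest: dict[str, str], restore_dir: Path) -> dict:
    """Restore the archive into a scratch directory and check every file against the manifest."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tf:
        # Python 3.12+ also ships the 'data' extraction filter; use it when available.
        extra_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(restore_dir, members=_safe_members(tf, restore_dir), **extra_kwargs)

    failures = {}
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            failures[rel] = "missing"
        elif sha256_file(restored) != expected:
            failures[rel] = "hash_mismatch"
    unexpected = sorted(p.relative_to(restore_dir).as_posix()
                        for p in restore_dir.rglob("*")
                        if p.is_file() and p.relative_to(restore_dir).as_posix() not in manifest)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_checked": len(manifest),
        "failures": failures,
        "unexpected_files": unexpected,
        "passed": not failures and not unexpected,
    }


def run_demo() -> tuple[dict, dict]:
    """Constructed sample: one clean restore, one where a file changed after the manifest was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "clients.csv").write_text("id,name\n1,Example Co\n")
        (src / "policies").mkdir()
        (src / "policies" / "backup-policy.txt").write_text("restore test: quarterly\n")
        manifest = build_manifest(src)

        good_archive = root / "backup-2024Q2.tar.gz"
        make_backup(src, good_archive)
        good = restore_and_verify(good_archive, manifest, root / "restore-good")

        # Silent corruption or tampering between manifest and archive must surface as a failed test.
        (src / "db" / "clients.csv").write_text("id,name\n1,Tampered Co\n")
        bad_archive = root / "backup-2024Q2-bad.tar.gz"
        make_backup(src, bad_archive)
        bad = restore_and_verify(bad_archive, manifest, root / "restore-bad")
    return good, bad


if __name__ == "__main__":
    for record in run_demo():
        print(json.dumps(record, indent=2))
```

Store the manifest on a system the backup process cannot write to, otherwise ransomware that encrypts the backup can just as easily rewrite the hashes; the restore record, with its timestamp and failure list, is the artifact an underwriter can actually check.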
Documentation Best Practices
Underwriters can’t give credit for controls they can’t verify. Prepare a security documentation package including:
- Security policy documents
- MFA implementation screenshots
- Backup test results and logs
- Incident response plan with contact information
- Training completion records
- Recent penetration test or vulnerability assessment results
- Security certifications and audit reports
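Two of the items above, MFA implementation evidence and EDR coverage, are easier to defend as figures computed from exports than as screenshots. The Python below is an added example and not code from this page or from any identity provider or EDR vendor: it reads a user export and an endpoint inventory plus an EDR console export, computes coverage percentages, and lists the specific gaps an underwriter would ask about (privileged accounts without MFA, enrolled users on SMS-class factors, inventoried hosts with no agent or a stale agent). The CSV column names, the 7-day staleness threshold, the sample dates, and the set of factors treated as phishing-resistant are all assumptions, and every record is constructed sample data.

```python
"""Coverage evidence for underwriters: MFA and EDR figures from exports (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an identity-provider user export; the column names are an assumption.
IDP_USERS_CSV = """user,privileged,mfa_enrolled,factor
alice@example.com,yes,yes,authenticator_app
bob@example.com,no,yes,sms
carol@example.com,yes,no,
dave@example.com,no,no,
erin@example.com,no,yes,hardware_key
svc-backup@example.com,yes,yes,authenticator_app
"""

# Constructed asset inventory and EDR console export (hostname plus last agent check-in).
INVENTORY_CSV = """hostname,role
WS-001,workstation
WS-002,workstation
WS-003,workstation
SRV-DB-01,server
SRV-FILE-01,server
"""

EDR_AGENTS_CSV = """hostname,last_checkin
WS-001,2024-05-30T09:12:00+00:00
WS-002,2024-05-30T08:40:00+00:00
SRV-DB-01,2024-05-29T23:55:00+00:00
SRV-FILE-01,2024-04-01T10:00:00+00:00
"""

# Assumption: factors counted as phishing-resistant; SMS/voice users are enrolled but reported separately.
PHISHING_RESISTANT_FACTORS = {"authenticator_app", "hardware_key"}

# Fixed "as of" time so the constructed sample is reproducible (a real run would use datetime.now()).
SAMPLE_AS_OF = datetime(2024, 5, 30, 12, 0, tzinfo=timezone.utc)


def mfa_coverage(users_csv: str) -> dict:
    """Overall MFA enrollment plus the gaps underwriters ask about first: privileged accounts."""
    rows = list(csv.DictReader(io.StringIO(users_csv)))
    enrolled = [r for r in rows if r["mfa_enrolled"] == "yes"]
    privileged_without_mfa = sorted(r["user"] for r in rows
                                    if r["privileged"] == "yes" and r["mfa_enrolled"] != "yes")
    weaker_factor = sorted(r["user"] for r in enrolled
                           if r["factor"] not in PHISHING_RESISTANT_FACTORS)
    return {
        "total_users": len(rows),
        "mfa_enrolled": len(enrolled),
        "coverage_pct": round(100 * len(enrolled) / len(rows), 1),
        "privileged_without_mfa": privileged_without_mfa,
        "enrolled_with_non_phishing_resistant_factor": weaker_factor,
        "all_privileged_covered": not privileged_without_mfa,
    }


def edr_coverage(inventory_csv: str, agents_csv: str, now: datetime,
                 stale_after_days: int = 7) -> dict:
    """Coverage is measured against the asset inventory, not against the EDR console alone."""
    inventory = {r["hostname"] for r in csv.DictReader(io.StringIO(inventory_csv))}
    agents = {r["hostname"]: datetime.fromisoformat(r["last_checkin"])
              for r in csv.DictReader(io.StringIO(agents_csv))}
    cutoff = now - timedelta(days=stale_after_days)
    missing = sorted(inventory - agents.keys())              # inventoried host, no agent at all
    stale = sorted(h for h, seen in agents.items()           # agent installed but not reporting
                   if h in inventory and seen < cutoff)
    healthy = len(inventory) - len(missing) - len(stale)
    return {
        "inventory_hosts": len(inventory),
        "healthy_agents": healthy,
        "coverage_pct": round(100 * healthy / len(inventory), 1),
        "no_agent": missing,
        "stale_agent": stale,
        # Agents on hosts the inventory does not know about mean the inventory itself is incomplete.
        "agents_not_in_inventory": sorted(agents.keys() - inventory),
    }


def evidence_summary(now: datetime = SAMPLE_AS_OF) -> dict:
    """Single JSON-able record to attach to the security documentation package."""
    return {
        "generated_at": now.isoformat(timespec="seconds"),
        "mfa": mfa_coverage(IDP_USERS_CSV),
        "edr": edr_coverage(INVENTORY_CSV, EDR_AGENTS_CSV, now),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_summary(), indent=2))
```

On the sample data this reports 66.7% MFA enrollment with one privileged account uncovered and 60% healthy EDR coverage, which is exactly the kind of gap list to close before the application rather than discover during underwriting. Measuring EDR against the inventory matters: the console only knows about hosts that have an agent, so a console-only percentage is always 100%.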
Pre-Quote Checklist
Before requesting quotes from brokers or carriers, gather this information to ensure accurate pricing:
Business Information
- Annual revenue (last 3 years if available)
- Number of employees and locations
- Industry classification and NAICS code
- Geographic footprint (domestic/international)
Data Profile
- Types of data collected and stored (PHI, PCI, PII, etc.)
- Number of records (customers, patients, employees)
- Data retention policy
- Third-party data processors and cloud providers
Security Controls
- MFA deployment scope and coverage
- Backup procedures and test frequency
- Endpoint protection details
- Patch management process
- Security awareness training program
- Incident response plan status
- Recent security assessments or certifications
IT Environment
- Cloud services used (AWS, Azure, GCP, SaaS applications)
- Remote work arrangements
- Network architecture overview
- Third-party vendor access
Claims History
- Previous cyber incidents (whether claimed or not)
- Prior cyber insurance coverage details
- Any coverage declinations or policy cancellations
Practical Workflow
- Run the homepage calculator with your current posture. Input your industry, revenue, data types, and current security controls to establish a baseline estimate.
- Save a second scenario with improved controls. Model the impact of adding MFA, EDR, or backup testing to see potential premium reductions.
- Compare deductible and limit trade-offs. Higher deductibles can reduce premiums by 10-20%, while doubling limits typically increases premiums by 40-60%.
- Turn gaps into a 90-day remediation checklist. Prioritize controls that have the greatest premium impact and security value.
- Document everything before engaging brokers. Prepare your security documentation package to support favorable underwriting.
- Request quotes from multiple carriers. Work with a broker who specializes in cyber insurance and has relationships with multiple markets.
- Review policy language carefully. Pay attention to exclusions, waiting periods, and sub-limits, not just the premium and aggregate limit.
Decision Checklist
When evaluating cyber insurance quotes, verify these key elements:
- Coverage Limits
  - Verify first-party and third-party limits separately
  - Confirm per-occurrence vs. aggregate limits
  - Check retroactive date and prior acts coverage
- Sub-Limits
  - Confirm sub-limits for ransomware and social engineering
  - Verify the business interruption waiting period (typically 8-72 hours; 24-48 is common)
  - Check data restoration and recovery sub-limits
- Policy Terms
  - Understand which events trigger coverage and how any waiting period is measured
  - Ensure panel counsel and breach coach terms fit your operations
  - Review consent provisions for settlements and defense costs
- Exclusions
  - Check for infrastructure-as-a-service exclusions
  - Verify unencrypted device exclusions
  - Review state-sponsored attack (war) exclusions
- Claims Process
  - Identify required notice periods for claims
  - Confirm the carrier's incident response capabilities
  - Verify breach coach and panel counsel availability
Frequently Asked Questions (FAQ)
Is this a quote?
No. This guide and the homepage estimator provide directional guidance for planning and negotiation. Actual quotes will vary based on specific underwriting criteria, carrier appetite, and current market conditions. Use these estimates to set budgets and prioritize security improvements before engaging with brokers.
How often should we revisit assumptions?
At least quarterly, and immediately after major architecture or vendor changes. Cyber insurance markets evolve rapidly, and controls that satisfied underwriters last year may be insufficient today. Schedule a formal policy review 90 days before renewal to address any gaps.
Can stronger controls lower premium?
Usually yes. Underwriters often reward measurable risk reduction controls with lower premiums and broader coverage terms. MFA, backup testing, and incident response planning are the most consistently valued controls. Document your implementations thoroughly—underwriters can’t give credit for what they can’t verify.
What’s the minimum coverage we should consider?
For most small businesses, $1 million in coverage is a reasonable starting point. However, your coverage should reflect your potential loss exposure. Consider your data volume, regulatory exposure, contractual requirements, and the potential cost of a multi-day outage. Many businesses find they need $2-5 million as they grow.
How do deductibles work in cyber insurance?
Cyber insurance deductibles (carriers often call them retentions) can be structured as flat amounts, waiting periods (for business interruption), or both. A higher flat deductible typically reduces premium by 10-20%. Waiting periods of 24-48 hours are common for business interruption coverage; longer waiting periods can yield additional savings, but confirm the business can absorb an outage of that length before taking the credit.
What’s typically excluded from cyber policies?
Common exclusions include: unencrypted portable devices, infrastructure failures (unless caused by a covered cyber event), state-sponsored attacks, contractual liability beyond privacy obligations, and claims arising from known prior breaches. Review exclusions carefully—they vary significantly between carriers.
Should we use our broker or find a cyber specialist?
Cyber insurance is a specialized product with rapidly evolving terms and conditions. A broker who focuses on cyber insurance will have better market access, understand carrier appetites, and help you navigate the application process. Generalist brokers may miss important coverage nuances.
How does the claims process work?
Most policies require immediate notification upon discovering a potential incident. The carrier will typically appoint a breach coach (outside counsel) to coordinate response, engage forensic investigators, and manage notifications. Work with your broker to understand the specific notification requirements before a claim occurs.
What’s the difference between claims-made and occurrence policies?
Most cyber policies are claims-made: coverage applies to claims first made and reported during the policy period, for incidents that occurred on or after the policy's retroactive date. Occurrence policies cover incidents that happen during the policy period, even if discovered or claimed later. Understand which type you have and maintain continuous coverage, because a gap can move your retroactive date forward and leave earlier incidents uncovered.
Can we get retroactive coverage?
Yes. Most claims-made policies carry a retroactive date: incidents that occurred on or after that date but before the current policy period are covered if the claim is first made during the period. The retroactive date is typically the start of your first continuous cyber policy, so gaps in coverage can limit retroactive protection.