The average data breach costs $180 per stolen record. That means a breach affecting just 5,500 customer records could exhaust a $1 million cyber insurance policy, and many businesses store far more data than that.

Picking cyber insurance isn’t a shot in the dark. You need to know how much protection makes sense for your business, what drives your costs, and which coverages actually fit your risks. Whether you’re new to cyber insurance or just reviewing your current policy, here’s how to make smarter choices about limits and price.

What Cyber Insurance Covers

Cyber insurance helps cover the financial mess after digital threats hit. That includes data breaches, ransomware, social engineering scams, and system outages. Before you figure out how much coverage you need, let’s look at what kinds of cyber threats your policy might actually cover.

Types of Cyber Threats Covered

Data breach insurance covers costs when sensitive customer or employee information is stolen or exposed. This includes notification costs (legally required in most states), credit monitoring services for affected individuals, forensic investigation to determine how the breach occurred, and regulatory fines. Data breach insurance is often used interchangeably with “first-party cyber coverage” since it addresses your direct losses from an incident.

Ransomware insurance pays for ransom demands (if legal), negotiation with attackers, data recovery, and lost income while your systems are frozen. Ransomware is more common and more expensive every year. If your business relies on computers, this coverage isn’t optional.

Cyber crime insurance protects against financial losses from social engineering attacks, funds transfer fraud, invoice manipulation, and business email compromise (BEC). These schemes trick employees into wiring money or sharing sensitive information. Many policies include separate sublimits for cyber crime coverage, so check your policy terms carefully.

Cyber theft insurance covers theft of digital assets including money, securities, cryptocurrency, and intellectual property through electronic means. This goes beyond data breaches to cover actual financial theft from your accounts or systems.

Hacking insurance is a general term covering unauthorized access to your systems. This encompasses data breaches, system damage, business interruption, and any other losses caused by hackers gaining access to your network or applications.

Cyber and Crime Insurance: Understanding the Overlap

Some policies bundle cyber and traditional crime coverage together. That means you get protection for things like employee theft, forgery, and check fraud, plus digital threats. Bundles can save money, but it’s worth checking what’s actually included.

Traditional crime insurance covers losses from employee dishonesty, theft of money and securities, and forgery: threats that existed long before the internet. Cyber insurance addresses digital-specific threats like hacking, ransomware, and data breaches. The tricky part is that some threats, particularly social engineering fraud, can fall under either policy depending on how the fraud occurs and how your policies are written.

For most businesses, a standalone cyber policy provides more comprehensive digital protection than a bundled cyber-and-crime policy. However, if your business faces significant traditional crime risks alongside cyber risks, a bundled approach may make sense. Discuss your specific situation with your insurance broker to determine the best structure.

How Much Cyber Insurance Do You Need?

To figure out how much cyber insurance you need, start with two numbers: your per-incident limit and your total limit for the year. Get these right, and you’re covered without paying for more than you need.

Understanding Per-Occurrence vs. Aggregate Limits

Per-occurrence limit: The maximum amount your insurer will pay for any single cyber incident. If a ransomware attack costs $800,000 in total losses and you have a $1 million per-occurrence limit, you’re fully covered (minus your deductible).

Aggregate limit: The maximum total payout during your policy period, which is typically 12 months. If you have multiple incidents in a year, this cap applies to all claims combined.

Most small businesses go with $1 million per incident and $1 million total for the year, written as $1M/$1M. Deductibles are usually about $2,500. That’s what you pay before insurance steps in.

Calculating Your Coverage Needs

Don’t guess your coverage. Here’s a simple way to estimate what you really need:

    1. Count your records. Multiply the number of customer, employee, and patient records you store by $180 (the average cost per breached record). A business with 10,000 records faces a potential exposure of $1.8 million from notification costs, credit monitoring, and related expenses alone.
    2. Assess revenue impact. Estimate your daily revenue loss if systems went down, then multiply by expected recovery time. Most ransomware incidents take 7-21 days to fully resolve. A business generating $10,000 in daily revenue could face $70,000-$210,000 in business interruption losses.
    3. Consider regulatory exposure. If you’re subject to HIPAA, PCI-DSS, state privacy laws (like CCPA), or industry-specific regulations, potential penalties can be substantial. HIPAA violations alone can reach $1.5 million per violation category per year.
    4. Factor contractual requirements. Many enterprise clients require vendors to carry $1-5 million in cyber coverage before signing contracts. Check your existing and target customer contracts for insurance minimums.
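The four steps above, carried through in code as an added illustration (this is not a tool from the article or from Alliance Risk). It uses the article’s $180 per record and 7-21 day recovery window; the regulatory penalty and contractual minimum are inputs you supply, and rounding the result up to the next $500K is an assumption.

```python
import math
from dataclasses import dataclass

COST_PER_RECORD = 180        # average cost per breached record (from the article)
RECOVERY_DAYS = (7, 21)      # typical ransomware recovery window in days (from the article)
LIMIT_STEP = 500_000         # assumed: limits are bought in $500K increments


@dataclass(frozen=True)
class Exposure:
    breach_cost: int          # step 1: records x $180
    interruption_low: int     # step 2: daily revenue x 7 days
    interruption_high: int    # step 2: daily revenue x 21 days
    regulatory: int           # step 3: penalty exposure you supply
    contractual_min: int      # step 4: highest limit a client contract demands

    @property
    def worst_case(self) -> int:
        """Largest single-incident loss the first three steps add up to."""
        return self.breach_cost + self.interruption_high + self.regulatory


def estimate_exposure(records: int, daily_revenue: int,
                      regulatory_penalty: int = 0, contractual_min: int = 0) -> Exposure:
    """Apply the article's four steps to one business."""
    low_days, high_days = RECOVERY_DAYS
    return Exposure(
        breach_cost=records * COST_PER_RECORD,
        interruption_low=daily_revenue * low_days,
        interruption_high=daily_revenue * high_days,
        regulatory=regulatory_penalty,
        contractual_min=contractual_min,
    )


def recommend_limit(exposure: Exposure) -> int:
    """Per-occurrence limit that covers the worst case or the contractual
    floor, whichever is higher, rounded up to the next $500K."""
    needed = max(exposure.worst_case, exposure.contractual_min)
    return math.ceil(needed / LIMIT_STEP) * LIMIT_STEP


if __name__ == "__main__":
    # Constructed sample: the article's 10,000-record, $10,000-a-day business
    e = estimate_exposure(records=10_000, daily_revenue=10_000)
    print(f"breach cost ${e.breach_cost:,}, interruption "
          f"${e.interruption_low:,}-${e.interruption_high:,}")
    print(f"recommended per-occurrence limit ${recommend_limit(e):,}")
```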

Recommended Limits by Business Profile

Every business is different, but here’s a starting point based on your size and how much data you handle:

Business Type | Revenue | Records Stored | Recommended Limit
Sole proprietor / Freelancer | <$500K | <1,000 | $500K – $1M
Small business (retail, services) | $500K – $2M | 1,000 – 5,000 | $1M
Professional services | $1M – $5M | 5,000 – 25,000 | $1M – $2M
Tech company / SaaS | $2M – $10M | 25,000 – 100,000 | $2M – $5M
Healthcare / Finance | $5M+ | 100,000+ | $5M+

It’s usually safer to have a little more coverage than not enough. The jump from $1 million to $2 million in coverage often doesn’t cost much more, but it can make a big difference if you need it.

What Does Cyber Insurance Cost?

Most small businesses pay about $145 a month, or $1,740 a year, for cyber insurance. But your price depends on your industry, how much data you have, and how strong your security is. Knowing what drives your costs helps you budget and spot ways to save.

Average Premium Benchmarks

  • 38% of small businesses pay less than $100 per month for cyber coverage
  • 33% pay between $100 and $200 per month
  • Basic coverage starts around $500 per year for low-risk businesses
  • Comprehensive protection can exceed $5,000 annually for higher-risk industries
  • Enterprise and high-risk businesses may pay $5,000-$10,000+ per $1 million of coverage

Factors That Affect Your Premium

Insurers look at a few key things when setting your cyber insurance price:

  1. Company size and revenue. Larger businesses with higher revenues face more complex digital environments and greater potential losses, resulting in higher premiums.
  2. Industry and data type. Healthcare, financial services, and technology companies pay more because they handle sensitive data that’s highly valuable to attackers.
  3. Coverage limits and deductible. Higher coverage limits increase your premium; higher deductibles decrease it. A $2 million policy costs more than a $1 million policy, but choosing a $5,000 deductible instead of $2,500 can lower your premium.
  4. Security controls. If you use things like multi-factor authentication, endpoint detection, and employee training, you look like a lower risk. That can mean better rates.
  5. Claims history. Previous cyber incidents on your record typically result in higher premiums, though how you handled past breaches matters too.
  6. Number of employees with data access. More people with access to sensitive systems means more potential entry points for attackers and higher premiums.

How to Lower Your Cyber Insurance Premium

You can lower your premium by showing you take security seriously:

  • Implement multi-factor authentication (MFA) on all systems, especially email and remote access. This single control can significantly impact your premium.
  • Deploy endpoint detection and response (EDR) tools that monitor for and respond to threats on computers and servers.
  • Conduct regular security awareness training for all employees, especially around phishing and social engineering.
  • Maintain a documented incident response plan that outlines how you’ll detect, contain, and recover from cyber incidents.
  • Keep systems patched and software updated. Unpatched vulnerabilities are a leading cause of breaches.
  • Bundle policies when it makes sense. Combining cyber with E&O or tech E&O can sometimes reduce overall costs.
  • Pay annually instead of monthly. Many insurers offer 5-10% discounts for annual payment.

First-Party vs. Third-Party Cyber Coverage

You need to know the difference between first-party and third-party cyber insurance. They cover different risks, and most businesses need both.

What Is First-Party Cyber Insurance?

First-party cyber insurance pays for your own losses after a cyber incident. That means costs you pay yourself, not lawsuits from others. It’s protection for damage done to your business.

First-party coverage typically includes:

  • Data recovery and restoration: Costs to recover, restore, or recreate lost or corrupted data after an attack
  • Business interruption: Lost income and extra expenses while your systems are down or operating at reduced capacity
  • Breach notification: Costs to notify affected customers, employees, or patients as required by state and federal laws
  • Credit monitoring: Services offered to individuals whose personal information was compromised
  • Forensic investigation: Hiring cybersecurity experts to determine how the breach occurred and what data was affected
  • Crisis management and PR: Reputation management and communications support to protect your brand
  • Cyber extortion and ransomware: Ransom payments (where legal) and negotiation services

What Is Third-Party Cyber Liability?

Third-party cyber insurance steps in if someone sues you after a cyber incident. It pays for your legal defense and any settlements or judgments.

Third-party coverage typically includes:

  • Legal defense costs: Attorney fees, court costs, expert witnesses, and other litigation expenses
  • Settlements and judgments: Amounts you’re legally obligated to pay to plaintiffs
  • Regulatory fines and penalties: HIPAA, GDPR, state privacy law violations, and other regulatory actions
  • PCI-DSS assessments: Fines and assessments for payment card industry non-compliance after a breach involving card data
  • Media liability: Claims arising from website content, including defamation, copyright infringement, and privacy violations

Which Coverage Do You Need?

Coverage | What It Covers | Who Needs It
First-Party | Your direct losses: data recovery, business interruption, notification costs, credit monitoring, forensics, ransom payments | Any business that stores customer data, processes payments, or relies on digital systems
Third-Party | Liability to others: legal defense, settlements, regulatory fines, PCI assessments when you’re sued for a breach | IT consultants, MSPs, SaaS companies, developers—anyone accessing client systems or data

Most good cyber policies include both types. If you’re an IT provider or tech company handling client data, third-party coverage is a must. Clients can sue if a breach on their end is traced back to you.

What Does Cyber Insurance NOT Cover?

Cyber insurance usually doesn’t cover things like known breaches, intentional acts, injuries, property damage, war, or losses if you skip required security steps. Knowing these gaps helps you avoid surprises when you file a claim.

Common Cyber Insurance Exclusions

  1. Prior known events. Breaches or vulnerabilities you knew about before the policy started aren’t covered. Insurers expect you to disclose known issues during the application process.
  2. Intentional acts. Deliberate wrongdoing by company leadership or authorized employees isn’t covered. If your CEO intentionally causes a breach, the policy won’t pay.
  3. Bodily injury and property damage. These are covered by general liability insurance, not cyber insurance. However, some policies may include limited coverage for IoT-related incidents.
  4. Acts of war or terrorism. Nation-state attacks may be excluded under “war exclusions.” This has become controversial as attribution for cyberattacks grows more complex. Policy language varies significantly between carriers.
  5. Failure to maintain security. If your policy requires specific security controls (like MFA or encrypted backups) and you fail to maintain them, claims may be denied.
  6. Infrastructure failures. Power outages, internet service provider failures, or other utility disruptions typically aren’t covered unless they result from a cyberattack on those providers.
  7. Betterment. Costs to upgrade your systems beyond their pre-breach condition aren’t covered. Insurance restores you to where you were, not where you want to be.
  8. Contractual liability. Liability you assume under contract beyond what you’d owe by law may not be covered. Review contracts carefully before signing.

Coverage Gaps to Watch For

Some coverage gaps aren’t obvious and catch businesses off guard:

  • Social engineering sublimits. Many policies cap funds transfer fraud at $100,000-$250,000 even when your overall limit is much higher. If an employee is tricked into wiring $500,000 to a fraudster, you may only recover a fraction.
  • Ransomware waiting periods. Business interruption coverage may not kick in until 8-24 hours after an incident begins. Losses during that initial period come out of your pocket.
  • Retroactive dates. Claims from breaches that occurred before your policy’s retroactive date won’t be covered, even if you discover them during the policy period.
  • Vendor and supply chain gaps. Losses stemming from breaches at your vendors or service providers may have limited coverage or require separate contingent business interruption coverage.
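To show how a sublimit, a waiting period, the deductible and the aggregate interact on the $1M/$1M, $2,500-deductible policy described earlier, here is an added illustration (not from the article or Alliance Risk) that settles three constructed claims in one policy year. The order in which the caps are applied, and the hourly interruption figures, are assumptions; real policy wording varies.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    per_occurrence: int                                  # cap per single incident
    aggregate: int                                       # cap for the whole policy period
    deductible: int                                      # your share of each claim
    social_engineering_sublimit: Optional[int] = None    # funds-transfer-fraud cap, if any
    bi_waiting_hours: int = 0                            # business interruption waiting period
    paid_to_date: int = 0                                # aggregate already used this period

    def remaining_aggregate(self) -> int:
        return max(self.aggregate - self.paid_to_date, 0)


@dataclass(frozen=True)
class Claim:
    kind: str              # "social_engineering", "business_interruption" or "other"
    loss: int = 0          # gross loss for non-interruption claims
    outage_hours: int = 0  # business interruption: how long systems were down
    hourly_loss: int = 0   # business interruption: lost income per hour


def settle(policy: Policy, claim: Claim) -> int:
    """Pay one claim and consume the aggregate; returns the insurer's payout.

    Assumed order (policies differ): sublimit or waiting period first, then the
    deductible, then the per-occurrence cap, then whatever aggregate is left.
    """
    if claim.kind == "business_interruption":
        covered_hours = max(claim.outage_hours - policy.bi_waiting_hours, 0)
        covered = covered_hours * claim.hourly_loss
    elif (claim.kind == "social_engineering"
          and policy.social_engineering_sublimit is not None):
        covered = min(claim.loss, policy.social_engineering_sublimit)
    else:
        covered = claim.loss
    payout = max(covered - policy.deductible, 0)
    payout = min(payout, policy.per_occurrence, policy.remaining_aggregate())
    policy.paid_to_date += payout
    return payout


def uninsured_share(claim: Claim, payout: int) -> int:
    """Gross loss (for interruption: outage_hours x hourly_loss) minus the payout."""
    gross = claim.loss or claim.outage_hours * claim.hourly_loss
    return gross - payout


if __name__ == "__main__":
    # Constructed sample year on the article's typical small-business policy
    policy = Policy(per_occurrence=1_000_000, aggregate=1_000_000, deductible=2_500,
                    social_engineering_sublimit=250_000, bi_waiting_hours=8)
    wire = Claim("social_engineering", loss=500_000)      # employee tricked into wiring funds
    outage = Claim("business_interruption", outage_hours=24, hourly_loss=1_000)
    ransomware = Claim("other", loss=800_000)             # the $800K incident described above
    for c in (wire, outage, ransomware):
        paid = settle(policy, c)
        print(f"{c.kind:22s} paid ${paid:>9,}  unpaid ${uninsured_share(c, paid):>9,}")
```

Run in this order, the $800K ransomware claim is the one that gets squeezed: the wire fraud and outage have already eaten into the $1M aggregate, so only what remains is paid.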

Choosing Cyber Insurance Carriers and Brokers

Not all cyber insurance is the same. The carrier you pick can change your coverage, claims experience, and what you pay.

Cyber Insurance Carriers

The cyber insurance market includes both traditional carriers and newer, tech-focused insurers. Major cyber insurance carriers include:

  • Traditional carriers: Chubb, AIG, Travelers, Hartford, Zurich, and Liberty Mutual offer cyber coverage alongside their broader commercial insurance portfolios.
  • Cyber-focused carriers: Coalition, Cowbell, At-Bay, and Corvus specialize in cyber insurance and often bundle security tools and monitoring with coverage.
  • Small business specialists: Hiscox, Next Insurance, and Embroker focus on making cyber coverage accessible for smaller companies.

When you compare carriers, don’t just look at price. Check the coverage details, how they handle claims, and whether they offer extras like security monitoring or incident response help.

Why Work with a Cyber Insurance Broker?

A good cyber insurance broker helps you compare policies, negotiate terms, and make sure you’re not paying for coverage you don’t need or missing protection you do.

  • Market access. Brokers can quote multiple carriers simultaneously, finding the best combination of coverage and price for your specific situation.
  • Policy expertise. Cyber policies vary significantly in their language, exclusions, and sublimits. Brokers know which terms to negotiate and which exclusions to watch for.
  • Claims advocacy. When you file a claim, your broker represents your interests, not the carrier’s. They can help navigate disputes and ensure fair claim handling.
  • Risk assessment. Experienced brokers help you determine appropriate limits based on your specific exposure, industry benchmarks, and contractual requirements.

Who Needs Cyber Insurance?

If you have an email and a bank account, you’re a target. The real question isn’t if you’ll get attacked, but whether you’re ready when it happens.

The statistics are sobering:

  • 43% of cyberattacks target small businesses, often because they have weaker defenses than large enterprises
  • 60% of small businesses close within six months of a significant cyberattack
  • A typical data breach costs small businesses $120,000 to $150,000. That’s enough to put many out of business.

Industries with elevated cyber risk include:

  1. Healthcare: HIPAA compliance requirements and valuable patient data make healthcare organizations prime targets
  2. Financial services: Banks, credit unions, investment firms, and accounting practices handle sensitive financial data subject to multiple regulations
  3. Technology and SaaS: Tech companies often store client data and may be held liable for breaches affecting their customers
  4. Professional services: Law firms, CPAs, and consultants handle confidential client information and face both direct breach costs and malpractice liability
  5. Any business with enterprise clients: Many large companies now require vendors to carry $1-5 million in cyber coverage as a condition of doing business

Frequently Asked Questions

How much cyber insurance does a small business need?

Most small businesses need $1 million in cyber insurance coverage, typically structured as a $1M per-occurrence limit and $1M aggregate limit with a $2,500 deductible. This amount protects businesses storing up to approximately 5,500 customer records, based on the average data breach cost of $180 per record. Businesses handling more records or operating in high-risk industries should consider higher limits.

How much cyber liability insurance do I need?

The amount of cyber liability insurance you need depends on the volume of sensitive data you handle and your industry. Most small businesses start with $1 million in coverage, while companies handling healthcare data, financial information, or large customer databases should consider $2-5 million or higher. Factor in contractual requirements from clients and potential regulatory penalties when determining your limit.

What is the average cost of cyber insurance?

Small businesses pay an average of $145 per month ($1,740 annually) for cyber insurance. Approximately 38% of small business owners pay less than $100 per month. Costs vary based on industry, revenue, data sensitivity, security measures in place, and coverage limits selected.

What is the difference between first-party and third-party cyber coverage?

First-party cyber coverage pays for your own losses from a cyber incident, including data recovery, business interruption, notification costs, and ransom payments. Third-party coverage protects you when others sue your business for a breach, covering legal defense, settlements, and regulatory fines. Most comprehensive cyber policies include both types of coverage.

What is data breach insurance?

Data breach insurance is coverage that helps pay for costs when sensitive customer or employee information is stolen or exposed. It typically covers notification costs, credit monitoring for affected individuals, forensic investigation, legal fees, and regulatory fines. Data breach insurance is often used interchangeably with first-party cyber coverage.

Does cyber insurance cover ransomware attacks?

Yes, most cyber insurance policies cover ransomware attacks. Coverage typically includes ransom payments (where legal), ransom negotiation services, data recovery costs, and business interruption losses while systems are down. Some policies may have sublimits or waiting periods for ransomware claims, so review your policy terms carefully.

What does cyber insurance not cover?

Cyber insurance typically excludes prior known breaches or vulnerabilities, intentional acts by employees, bodily injury or property damage (covered by other policies), acts of war or terrorism, and losses from failure to maintain minimum security standards required by the policy. Social engineering fraud may also have separate sublimits that are lower than your overall policy limit.

How can I lower my cyber insurance premium?

To lower cyber insurance premiums, implement multi-factor authentication (MFA), deploy endpoint detection and response (EDR), conduct regular employee security training, maintain a documented incident response plan, keep software patched, consider bundling with other policies, and pay annually for a discount. Strong security controls demonstrate lower risk to insurers.

What is the difference between cyber insurance and crime insurance?

Cyber insurance covers losses from digital threats like hacking, ransomware, and data breaches. Crime insurance covers traditional theft and fraud, such as employee embezzlement and forgery. “Cyber and crime” bundled policies combine both coverages, which is useful because threats like social engineering can fall under either category depending on how the fraud occurs.

Should I work with a cyber insurance broker?

Working with a cyber insurance broker is recommended because they can compare policies across multiple carriers, help you understand coverage gaps and exclusions, negotiate better terms, and advocate for you during claims. Brokers are especially valuable for businesses with complex risk profiles or those in high-risk industries like healthcare, finance, or technology.

Get Your Cyber Insurance Risk Review

Protecting your business from cyber threats shouldn’t be complicated. Alliance Risk provides a comprehensive review of your current insurance program and subsequently markets your risk to the right cyber insurance carriers, delivering comprehensive proposals typically within a few business days.

What We Need for Your Quote:

  • Business details and industry
  • Annual revenue and employee count
  • Types of data you collect and store (customer records, payment data, health information)
  • Current security measures in place
  • Existing coverage and limits
  • 5-year claims history

Schedule a Consultation: Speak with a cyber insurance specialist about your specific situation at no cost.

Policy Review: Already have coverage? We’ll review your existing policies at no charge, identifying potential gaps, coverage exclusions, and comparing to market options.

Request a Quote: Complete our online form or contact us directly to begin the quote process.

Want coverage built for your business? Let’s talk.

Alliance Risk: your specialized partner for cyber insurance.

Alliance Risk is a full-service independent insurance brokerage licensed in all 50 states. This article provides general information about cyber insurance and should not be construed as legal or insurance advice. Coverage terms, conditions, and availability vary by carrier, state, and individual circumstances. Please consult with an Alliance Risk specialist to discuss your particular needs.