The best cyber insurance for small businesses combines first-party breach response coverage (forensics, notification, credit monitoring) with third-party liability protection against lawsuits from affected customers or vendors. For most small businesses, a standalone cyber policy from carriers like Coalition, Corvus, Travelers, Chubb, or Hiscox provides the strongest protection at $500–$3,000/year for $1M in limits.
Who this is for: Small business owners — retailers, professional services firms, contractors, restaurants, healthcare practices, and nonprofits — who store customer data, accept credit cards, or rely on computer systems to operate.
TL;DR — Key Takeaways
- Cyber is not covered by your BOP or general liability policy. You need a standalone cyber or a specific endorsement.
- First-party coverage pays your own costs (breach notification, forensics, ransomware payments, business interruption). Third-party coverage pays claims customers bring against you.
- Most small businesses pay $500–$3,000/year for $1M in cyber liability limits; high-risk industries (healthcare, legal, e-commerce) pay more.
- Claims-made is the dominant policy form for cyber — your coverage must be active when you report the claim, not just when the breach occurred.
- MFA and endpoint detection are the biggest rate factors in 2025–2026. Carriers now ask about these controls on every application.
What Does Cyber Insurance Actually Cover for Small Businesses?
Cyber policies divide into two coverage buckets. Both matter, and most small business policies include both.
First-Party Coverage (Your Own Losses)
| Coverage Component | What It Pays | Typical Sub-Limit |
|---|---|---|
| Breach response / forensics | IT investigation to find and stop the breach | Up to policy limit |
| Notification costs | Mailing, call center, credit monitoring for affected individuals | Up to policy limit |
| Ransomware / extortion | Ransom payments and negotiation fees | Often 50–100% of limit |
| Business interruption | Lost income while systems are down | Typically an 8–12 hour waiting period; shorter in competitive policies |
| Data restoration | Recreating corrupted or deleted data | Up to policy limit |
| Reputational harm / PR | Crisis communications firm | Sub-limit, varies |
| Social engineering / funds transfer fraud | Wire fraud losses if an employee is tricked | Sub-limit: $25K–$250K common |
Third-Party Coverage (Claims Against You)
| Coverage Component | What It Pays |
|---|---|
| Network security liability | Customer or partner lawsuits if your breach spread malware or exposed their data |
| Privacy liability | Regulatory fines and penalties (where insurable by state law) + defense costs |
| Media liability | Copyright, defamation claims arising from your website content |
| Payment card industry (PCI) fines | Assessments from card brands after a payment card breach |
What cyber does NOT cover: Bodily injury, property damage (covered by CGL/BOP), intentional acts by the insured, loss of intellectual property value, war/nation-state exclusions (read carefully — some carriers exclude this broadly).
How Do the Top Cyber Carriers Compare for Small Business?
These are carriers commonly available through independent agencies like Morrow. Premiums below are illustrative ranges for a small business with $2M revenue and $1M in cyber limits.
| Carrier | Known Strengths | Estimated Annual Premium* | Standout Feature |
|---|---|---|---|
| Coalition | Strong tech-sector appetite, active monitoring | $600–$2,500 | Free attack surface monitoring included |
| Corvus | Data-driven underwriting, broad ransomware coverage | $700–$2,800 | Dynamic risk scoring; alerts before breach |
| Travelers | Broad industry appetite, strong claims team | $800–$3,000 | CyberRisk+ bundle option with breach coaches |
| Chubb | Best for professional services / law firms | $1,000–$4,000 | Broad social engineering sub-limits |
| Hiscox | Excellent small business packaging, fast quotes | $500–$2,200 | Online quoting under $5M revenue |
| Berkley Cyber | Manufacturing and industrial appetite | $700–$2,500 | OT/SCADA endorsements available |
| At-Bay | Tech-first, proactive scanning | $600–$2,400 | Continuously monitors your external attack surface |
*Premiums vary significantly based on revenue, industry, data volume, security controls, claims history, and state. These are illustrative ranges, not quotes.
What Does Cyber Insurance Cost for a Small Business?
Annual premiums for a $1M cyber liability policy typically range from $500 to $5,000 depending on several variables:
| Factor | Lower Premium | Higher Premium |
|---|---|---|
| Revenue | Under $1M | Over $5M |
| Industry | Retail, landscaping, restaurant | Healthcare, legal, financial services, e-commerce |
| Records held | Fewer than 10,000 customer records | 50,000+ records or sensitive data (SSNs, PHI) |
| Security controls | MFA on email + remote access, EDR in place | No MFA, outdated systems, no backups |
| Prior claims | Clean 5-year history | Prior ransomware or breach claim |
| Policy limits | $500K | $2M+ |
| Retention (deductible) | $10,000 | $1,000 (higher premium for lower out-of-pocket) |
Typical Premium Ranges by Industry (Illustrative, $1M Limit)
| Industry | Low End | High End | Why the Range |
|---|---|---|---|
| Restaurant / food service | $500 | $1,200 | POS card data exposure, relatively lower liability risk |
| Retail (brick-and-mortar) | $600 | $1,800 | Credit card storage, e-commerce adds risk |
| Professional services (consulting) | $700 | $2,500 | Client data, wire transfer fraud exposure |
| Healthcare practice (HIPAA) | $1,500 | $5,000+ | PHI = high regulatory exposure |
| Legal / accounting | $1,200 | $4,500 | Sensitive client data, high fraud target |
| Construction / trades | $500 | $1,500 | Lower data exposure, but ransomware still a risk |
| Nonprofit | $500 | $1,500 | Many carriers offer favorable rates |
How to Buy Cyber Insurance for Your Small Business in 6 Steps
- Inventory your data exposure. List what customer data you store (credit cards, SSNs, health info, employee records). The type and volume of records drives coverage needs and pricing.
- Confirm your BOP or GL does not cover cyber. Most commercial general liability policies exclude data breach claims. Check your current policy's exclusions before assuming you're covered.
- Implement baseline security controls before applying. Carriers now require multi-factor authentication (MFA) on email and remote access, and many decline without it. Setting up MFA before you apply avoids declination and improves your rate.
- Get a cyber-specific application completed. You'll answer 10–30 questions about your IT environment, revenue, data volume, security tools, and backup practices. Have your IT person or MSP help if needed.
- Compare at least 2–3 carrier options. An independent agent (like Morrow) can shop your application across multiple carriers simultaneously. Compare limits, retentions, sub-limits for ransomware and social engineering, and the quality of the incident response panel.
- Bind coverage and store your policy details. Note the policy period, the claims-reporting hotline, and the retroactive date (for claims-made policies). Brief your IT team on how to trigger coverage when an incident occurs — speed matters.
Real-World Example: Ransomware Attack on a 12-Person Accounting Firm
The scenario: A small CPA firm in Ohio with $1.8M in annual revenue and approximately 800 client tax files is hit by a ransomware attack in February (tax season). Attackers encrypt the firm's server and demand $35,000 in Bitcoin.
What happens without cyber insurance:
- IT forensics and incident response: ~$15,000–$25,000 out of pocket
- Ransom payment (if paid): $35,000 out of pocket
- Notification to 800+ affected clients (required under Ohio data breach law): ~$8,000–$15,000
- Lost revenue during 10-day system outage at peak season: ~$40,000–$60,000
- Total out-of-pocket exposure: $98,000–$135,000
With a $1M cyber policy (illustrative, $10,000 retention):
- Forensics team dispatched within hours via insurer's incident response hotline
- Ransomware negotiation handled by insurer's specialist — final payment: $18,000 (negotiated down)
- Notification costs covered
- Business interruption coverage pays for lost revenue after a 12-hour waiting period
- Firm's out-of-pocket: ~$10,000 retention + premium (~$1,400/year)
This scenario illustrates typical outcomes; actual claims results vary by policy terms, carrier, and the specific facts of an incident.
Frequently Asked Questions
Does a Business Owner's Policy (BOP) include cyber insurance?
Generally no. A standard BOP covers property damage and general liability, but data breaches, ransomware, and network security incidents are typically excluded. Some carriers offer a cyber endorsement that can be added to a BOP, but coverage is usually narrower and sub-limits are lower than a standalone cyber policy. For any business that stores customer data or relies on digital systems, a standalone cyber policy is the better choice.
Is cyber insurance required by law for small businesses?
There is no universal federal requirement for cyber insurance, but certain contracts and industries effectively require it. Many government contracts, healthcare vendor agreements, and commercial leases now require vendors to carry cyber liability coverage with minimum limits. Healthcare businesses subject to HIPAA are not legally required to carry cyber insurance, but HHS guidance strongly encourages it as part of a risk management program.
What is a retroactive date on a cyber policy, and why does it matter?
Because cyber is typically written on a claims-made policy form, coverage only applies to incidents reported during the active policy period. The retroactive date is the earliest point in time from which a covered incident can originate. If your retroactive date is January 1, 2024, a breach that began in December 2023 is not covered. When you first purchase cyber insurance, request a retroactive date as far back as possible. When you switch carriers, confirm the new policy's retroactive date matches your prior policy's inception date to avoid a gap.
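The two claims-made conditions in the answer above (incident origin on or after the retroactive date, and the claim reported inside the active policy period) are easy to get wrong in practice, so here is an added illustration in Python. It is not Morrow's or any carrier's code; the policy and incident dates are constructed samples, and the gap check compares the new policy's retroactive date against the prior policy's retroactive date (for a first policy this is typically the inception date the FAQ mentions), which is the stricter of the two comparisons.

```python
from dataclasses import dataclass
from datetime import date
from typing import Tuple


@dataclass(frozen=True)
class ClaimsMadePolicy:
    """Hypothetical model of a claims-made cyber policy (constructed for this example)."""
    inception: date     # policy period start
    expiration: date    # policy period end (inclusive)
    retroactive: date   # earliest date a covered incident may originate


@dataclass(frozen=True)
class Incident:
    began: date         # when the intrusion or breach actually started
    reported: date      # when the insured notified the carrier


def is_covered(policy: ClaimsMadePolicy, incident: Incident) -> Tuple[bool, str]:
    """Apply both claims-made conditions and explain a denial."""
    if incident.began < policy.retroactive:
        return False, "incident began before retroactive date"
    if not (policy.inception <= incident.reported <= policy.expiration):
        return False, "reported outside the active policy period"
    return True, "covered"


def retro_gap_days(prior: ClaimsMadePolicy, new: ClaimsMadePolicy) -> int:
    """Days of history lost when switching carriers if the new retroactive
    date is later than the prior policy's retroactive date (0 means no gap)."""
    return max(0, (new.retroactive - prior.retroactive).days)


if __name__ == "__main__":
    # Constructed sample: policy bought 1 Jan 2024 with a matching retroactive date,
    # as in the FAQ's example.
    first_policy = ClaimsMadePolicy(date(2024, 1, 1), date(2024, 12, 31), date(2024, 1, 1))

    # Breach began in December 2023: not covered, regardless of when it is reported.
    print(is_covered(first_policy, Incident(date(2023, 12, 15), date(2024, 3, 1))))
    # Breach began and was reported inside the period: covered.
    print(is_covered(first_policy, Incident(date(2024, 2, 10), date(2024, 2, 12))))
    # Breach began in period but reported after expiration: not covered.
    print(is_covered(first_policy, Incident(date(2024, 11, 1), date(2025, 1, 15))))

    # Switching carriers: the renewal quote resets the retroactive date to its own
    # inception, which silently drops the history the prior policy carried.
    prior = ClaimsMadePolicy(date(2023, 1, 1), date(2023, 12, 31), date(2022, 6, 1))
    renewal = ClaimsMadePolicy(date(2024, 1, 1), date(2024, 12, 31), date(2024, 1, 1))
    print("gap in days:", retro_gap_days(prior, renewal))
```

Run it as a script to see each verdict; a non-zero gap is the condition the FAQ tells you to fix before binding the new policy, by asking the new carrier to match the earlier retroactive date.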
What security controls do I need to qualify for cyber insurance?
As of 2025–2026, most carriers require or strongly prefer:
- Multi-factor authentication (MFA) on email, remote access (VPN/RDP), and privileged accounts — this is now a near-universal requirement
- Regular, tested, offsite backups (ideally immutable/air-gapped)
- Endpoint detection and response (EDR) software
- Patching cadence — no critical unpatched vulnerabilities for 30+ days
Businesses without MFA may face declination, higher premiums, or a social engineering / ransomware exclusion.
How much cyber insurance does a small business need?
For most small businesses, $1M in cyber liability limits is the standard starting point. Businesses that hold large volumes of sensitive records (healthcare, legal, financial) or that process high volumes of payment card transactions should consider $2M–$5M. Your agent should help you model your maximum probable loss based on your record count and revenue to recommend appropriate limits.
Does cyber insurance cover employee mistakes?
Yes — accidental employee actions are typically covered. A staff member clicking a phishing link that triggers a ransomware attack is the most common covered claim. What is not covered is intentional wrongdoing or fraud by employees, which falls under a separate crime/fidelity bond.
Will cyber insurance cover a nation-state cyberattack?
This is an evolving area. Many cyber policies contain war exclusions that could be invoked to deny coverage for attacks by foreign governments. Lloyd's of London mandated new nation-state exclusion language beginning in 2023. Some carriers offer "hostile acts" sublimits or have narrower exclusions. Read the war/hostile acts exclusion carefully and ask your agent how your carrier handles this before binding.
How fast do I need to report a cyber incident?
Most policies require prompt reporting — many policies specify 30–60 days from discovery, but calling the incident response hotline on the day of discovery is always the right move. Late reporting can jeopardize coverage. Do not attempt to remediate a breach without first notifying your carrier or their designated breach coach, as unauthorized remediation can void coverage for those costs.
Why Get Cyber Insurance Through Morrow?
- We're independent — we shop multiple carriers. Morrow places cyber with multiple admitted and non-admitted carriers, meaning we can find the right fit for your industry, data exposure, and budget. We are not captive to any single insurer.
- We know the application questions. Cyber applications ask technical questions about MFA, backups, and EDR. We walk through the application with you to make sure answers are accurate and complete — reducing the risk of coverage disputes at claim time.
- Fast turnaround. Most small business cyber quotes are ready within 24–48 hours of a completed application. We can bind coverage the same day for eligible risks.
- Real claims advocacy. When a breach happens, you need someone in your corner. Morrow's team helps you notify the carrier, coordinates with the breach response panel, and monitors the claim to ensure you're not left navigating the process alone.
- We specialize in commercial P&C. Cyber is sold by our commercial lines team — not a call center. You speak with licensed professionals who understand how cyber interacts with your BOP, professional liability, and crime coverage. [Morrow to confirm licensed states]
Get your cyber insurance quote today: Request a Cyber Quote from Morrow | Call [Morrow to confirm phone]
Trust Strip: Morrow (Afthonea Inc., DBA Morrow) is an independent commercial P&C insurance agency. We place coverage with multiple A-rated carriers. Licensed in [Morrow to confirm states]. Client reviews: [Morrow to confirm review platform and rating].
Related Pages
- Commercial Insurance Overview — Parent pillar covering all commercial lines
- What Does Cyber Insurance Cover? — Deep dive into first-party vs. third-party cyber coverage
- Business Owner's Policy (BOP) vs. Standalone Policies — When a BOP endorsement isn't enough
- Best Cyber Insurance for Healthcare Practices — HIPAA-specific cyber considerations
- How Much Does Cyber Insurance Cost? — Detailed premium breakdown by industry and controls
- Cyber Insurance Glossary — Key terms: retroactive date, retention, claims-made, social engineering
Author: [Morrow to confirm] — Licensed P&C Insurance Advisor, [Years] years in commercial lines, specializing in technology and data risk. Published: June 2026 | Last Updated: June 2026
Sources:
- Insurance Information Institute (III) — Cyber and Privacy Liability Insurance, iii.org
- National Association of Insurance Commissioners (NAIC) — Cybersecurity Insurance Data Call, naic.org
- U.S. Department of Health & Human Services (HHS) — HIPAA Security Rule Guidance, hhs.gov
- Lloyd's of London — Cyber War Exclusion Market Bulletin, lloyds.com (2022–2023)
- Cybersecurity & Infrastructure Security Agency (CISA) — Ransomware Guide, cisa.gov
- State insurance department filings — coverage terms and exclusions vary by state and carrier form
