Cyber Insurance Cost

Most small and mid-size businesses pay between $1,200 and $7,500 per year for a standalone cyber liability policy with $1 million in coverage. Costs vary sharply based on revenue, industry, data volume, and security controls in place. Retailers, healthcare providers, and professional services firms with sensitive data typically pay at the higher end of that range.

Who this is for: Business owners comparing cyber insurance quotes and trying to understand what drives the premium before they buy.


TL;DR — Key Takeaways

  • A $1M cyber liability policy costs $1,200–$7,500/year for most small businesses; mid-market firms ($10M–$50M revenue) typically pay $8,000–$35,000/year.
  • Annual revenue, number of records held, and your existing security controls (MFA, EDR, backups) are the three biggest cost drivers.
  • Healthcare, finance, and retail face higher premiums due to sensitive data and regulatory exposure.
  • Ransomware coverage is increasingly underwritten separately — expect a sublimit or co-insurance requirement if you haven't implemented endpoint detection and response (EDR).
  • Claims-made policy form is standard for cyber; your coverage must be active when you report the claim, and the incident must have occurred after your policy's retroactive date.

What Does Cyber Insurance Actually Cover?

Cyber liability insurance is a two-sided product. First-party coverage pays your own costs after a breach: forensic investigation, breach notification, credit monitoring, ransomware extortion payments, and business interruption losses while systems are down. Third-party (cyber liability) coverage pays defense costs and settlements when customers, vendors, or regulators sue you because your breach exposed their data.

Most standalone cyber policies include both sides in one combined limit. Endorsements to general liability policies — sometimes called "data breach" add-ons — tend to be narrower and may exclude ransomware or business interruption.

What cyber insurance does NOT cover (typical exclusions):

  • War and nation-state cyberattacks (increasingly litigated; verify with your carrier)
  • Loss of intellectual property value (only direct costs of the incident)
  • Pre-existing breaches known before policy inception
  • Physical property damage caused by a cyber event (covered separately under property or equipment breakdown policies)
  • Intentional acts by the insured


Cyber Insurance Cost by Business Size and Industry

The table below shows illustrative annual premium ranges for a $1 million per occurrence / $1 million aggregate standalone cyber policy. Premiums reflect a company with reasonable but not best-in-class security controls.

Business Profile | Annual Revenue | Typical Annual Premium
Solo / micro (e.g., solo accountant, 1-person tech firm) | Under $500K | $600 – $1,500
Small business — low data risk (e.g., landscaping, construction) | $500K – $2M | $800 – $2,500
Small business — moderate data risk (e.g., retail, staffing, marketing) | $1M – $5M | $1,500 – $5,000
Small business — high data risk (e.g., dental office, medical billing) | $1M – $5M | $3,500 – $9,000
Mid-market — moderate risk (e.g., light manufacturing, distribution) | $10M – $50M | $8,000 – $20,000
Mid-market — high risk (e.g., healthcare group, SaaS company) | $10M – $50M | $18,000 – $45,000
Large account (complex, high data) | $50M+ | Manuscript / individually rated

Note: These are illustrative ranges based on typical market conditions as of mid-2026. Your actual premium will depend on underwriting review. Prices have been volatile since 2020; ransomware loss activity in your industry sector can shift premiums significantly year over year.


What Drives Cyber Insurance Cost? The 8 Key Rating Factors

Underwriters don't just look at revenue. They score your risk across multiple dimensions:

  1. Annual revenue and size — The larger your business, the more exposure (and the bigger the potential breach notification cost).
  2. Number and type of records held — How many consumer records (PII, PHI, payment card data) do you store? Healthcare records and payment card data carry the highest exposure.
  3. Industry sector — Healthcare, financial services, education, and retail are historically high-loss industries and are underwritten more conservatively.
  4. Multi-factor authentication (MFA) — Carriers now routinely decline or surcharge applicants without MFA on email and remote access. This is the single most impactful security control for pricing.
  5. Endpoint detection and response (EDR) — Replacing legacy antivirus with EDR can reduce ransomware sublimit restrictions.
  6. Backup strategy — Offline or immutable backups that ransomware cannot encrypt significantly reduce business interruption exposure.
  7. Prior claims and incidents — A prior data breach, ransomware payment, or regulatory fine will increase your premium or may result in a declination from standard markets.
  8. Vendor/third-party exposure — Do you process data on behalf of others, or rely on cloud providers? Third-party concentration risk matters.

Cyber Coverage Limits and Deductibles: What to Expect

Policy Structure Element | Typical Range
Per-occurrence limit | $250K – $5M (most small businesses: $1M)
Aggregate limit | Equal to or 2x per-occurrence limit
Retention (deductible) | $1,000 – $25,000 for small business; $50K – $250K for mid-market
Ransomware sublimit | Often 50%–100% of policy limit (best-in-class controls = full limit)
Business interruption waiting period | 6–12 hours (eliminates minor outages)
Social engineering / funds transfer fraud | Sublimit of $100K – $500K common; separate underwriting

Claims-made form mechanics: Cyber policies are almost universally written on a claims-made basis. The policy in force when you report the claim pays — not the policy in force when the breach occurred. If you let your policy lapse, a breach discovered after cancellation is uninsured even if it happened during the policy period. Tail coverage (extended reporting period) is available but adds cost.


How to Get a Cyber Insurance Quote in 5 Steps

  1. Gather your IT security profile — Know your revenue, number of records, cloud providers used, and whether you have MFA, EDR, and tested backups. Underwriters ask for this on every application.
  2. Complete the supplemental cyber application — Cyber applications are longer than standard P&C forms. Budget 30–60 minutes. Be accurate: material misrepresentation can void coverage after a claim.
  3. Review coverage terms, not just price — Compare ransomware sublimits, business interruption waiting periods, and social engineering coverage across quotes. A $500/year cheaper policy with a 50% ransomware sublimit may be the wrong trade-off.
  4. Request loss runs if applicable — If you're switching carriers, your current carrier will provide a 3–5 year loss run. Clean loss history can unlock better pricing.
  5. Bind and set a renewal reminder — Cyber markets harden quickly. Set a 90-day renewal reminder so you have time to shop if your incumbent carrier increases rates.

Real-World Example: Regional Dental Practice in Texas

Business profile: A single-location dental practice in Austin, TX with 12 employees, $1.8M in annual collections, using a cloud-based practice management system storing approximately 3,200 patient records (protected health information / PHI).

Risk factors: Healthcare sector, PHI exposure, HIPAA breach notification obligations, and a prior phishing incident in 2023 (no claim filed, but noted on application).

Coverage placed: $1M per occurrence / $1M aggregate standalone cyber policy, $5,000 retention, with a 75% ransomware sublimit (improved to full limit with implementation of EDR).

Illustrative premium: Approximately $4,200/year at binding, reduced to $3,650/year after the practice documented EDR deployment at renewal.

What triggered the quote review: The practice's dental association notified members of a HIPAA enforcement action against a similar-sized practice in the state, resulting in a $65,000 penalty for breach notification failures. The owner called Morrow after reading the notice.

This is an illustrative scenario based on typical market conditions, not a guarantee of coverage or pricing for any specific applicant.


Frequently Asked Questions

How much does cyber insurance cost for a small business? Most small businesses (under $5M in revenue) pay between $1,200 and $5,000 per year for $1 million in cyber liability coverage. High-data-risk industries like healthcare and financial services pay more — often $3,500–$9,000 at that revenue level. The biggest variables are how much sensitive data you hold and whether you have MFA and EDR in place.

Is cyber insurance worth it for a small business? Yes, for most businesses that store customer data, process payments, or rely on computer systems to operate. The average cost of a small business data breach — including forensic investigation, breach notification, and business interruption — frequently exceeds $50,000 even for a modest incident. A $1M policy at $2,000/year is a favorable risk transfer.

Does my general liability policy cover a data breach? Not reliably. Most standard commercial general liability (CGL) policies exclude electronic data and personal/advertising injury from data breaches. Some carriers offer limited data breach endorsements, but these typically exclude ransomware, business interruption, and regulatory defense costs. A standalone cyber policy provides substantially broader coverage.

What is a reasonable deductible for cyber insurance? Small businesses typically carry retentions of $1,000–$10,000 to keep premiums manageable. Mid-market companies often accept $25,000–$100,000 retentions in exchange for lower premiums. Choose a retention your cash flow can absorb without disrupting operations — many incidents require immediate forensic costs before the insurer steps in.

Will cyber insurance cover a ransomware payment? Typically yes, subject to the ransomware sublimit in your policy, carrier approval of the payment process, and compliance with OFAC sanctions (carriers will not approve payments to sanctioned entities). If your policy has a ransomware sublimit (e.g., 50% of the policy limit), that cap applies to the extortion payment, associated negotiation costs, and response expenses arising from the ransomware event.

How does MFA affect my cyber premium? Significantly. Carriers began applying MFA requirements around 2021, and as of 2026 most standard markets require MFA on email, remote access (VPN/RDP), and privileged accounts as a condition of coverage. Businesses without MFA may be declined by standard carriers, forced into the E&S (excess and surplus) market at higher rates, or subject to a ransomware exclusion or heavy sublimit.

Can I get cyber insurance if I've had a prior breach? Often yes, but with conditions. A prior breach will be disclosed on your application and underwriters will ask for details: what happened, what was the remediation, and were any claims filed? A breach with full remediation and no filed claim is less harmful than an unresolved situation. Some carriers will exclude known circumstances or apply higher retentions. Working with a broker who has access to multiple markets — including E&S carriers — improves your placement options.

Does cyber insurance cover HIPAA fines? Cyber policies typically include regulatory defense costs and, where insurable by law, regulatory fines and penalties. HIPAA civil monetary penalties imposed by HHS OCR are generally insurable, and many cyber policies include this coverage. However, criminal fines are not insurable in any state. Texas [verify state] and most states permit insuring HIPAA civil penalties. Always confirm with your broker and the specific policy language.


Why Work With Morrow for Cyber Insurance

  1. Independent, multi-carrier access. Morrow places cyber coverage across multiple admitted and E&S carriers [Morrow to confirm carrier roster], which means we can shop your risk against the full market — not just one company's appetite — to find the best combination of price, coverage terms, and ransomware sublimit.

  2. Security-informed underwriting submissions. We know what underwriters are looking for. We help you document your MFA, EDR, and backup controls before the application goes out, so your security posture is accurately represented and you're not penalized for controls you actually have in place.

  3. Claims advocacy when it counts. A cyber incident is not the time to navigate the insurer's breach response hotline alone. Morrow's principals engage directly with your claims handler to ensure forensic costs, notification expenses, and business interruption losses are captured correctly from day one.

  4. Fast certificates and coverage confirmation. If a client or contract requires proof of cyber coverage, we turn around certificates of insurance quickly.

  5. Renewal benchmarking. Cyber rates shift year over year. We re-market your account at renewal against current market pricing, not just roll over your existing policy.


Get Your Cyber Insurance Quote

Ready to see what cyber coverage costs for your specific business? Morrow compares carriers and presents your options in plain language.

Get a Cyber Insurance Quote →

Call or text: [Morrow to confirm phone number]
Email: [Morrow to confirm contact email]

Licensed commercial P&C insurance agency. [Morrow to confirm licensed states and NPN.] Carriers rated A- (Excellent) or better by AM Best. [Morrow to confirm carrier roster.]


Written by Jordan M. Reed, CPCU, CIC — commercial lines specialist with 12 years placing technology and professional liability coverage for mid-market and SMB clients.

Published: June 2026 | Last updated: June 2026

Sources:

  • Insurance Information Institute (III) — Cyber Insurance Resource Center
  • National Association of Insurance Commissioners (NAIC) — Cyber Insurance Report (2023, 2024 updates)
  • U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) — HIPAA Breach Notification Rule
  • Office of Foreign Assets Control (OFAC) — Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
  • Cybersecurity and Infrastructure Security Agency (CISA) — #StopRansomware Campaign guidance
  • Coalition Cyber Insurance — Annual Cyber Claims Report (cited for claims frequency benchmarks)
  • Marsh — Cyber Insurance State of the Market Report (2024/2025)