Do I Need Cyber Insurance for a Small Business?

Answer-first summary: Yes — most small businesses need cyber insurance. If your business stores customer data, processes payments, uses email, or relies on any software or cloud service, a cyberattack can cost tens of thousands of dollars or more. Standard general liability and BOP policies do not cover these losses. Cyber insurance fills that gap.

Who this is for: Small business owners — retailers, contractors, medical offices, professional service firms, restaurants — who handle customer information or depend on digital systems to operate.


TL;DR — Key Takeaways

  • Cyber attacks are not just a large-company problem. Small businesses account for roughly 43% of all cyberattack targets (Verizon DBIR), yet most carry no dedicated cyber coverage.
  • Your general liability policy almost certainly excludes cyber losses. A BOP or GL policy does not pay for ransomware, data breach notification costs, or business interruption caused by a hack.
  • Coverage can start under $1,000/year for very small businesses with limited data exposure; most small businesses pay $1,000–$3,500/year.
  • State data breach notification laws apply to you. Every U.S. state has a law requiring businesses to notify affected customers after a breach — those notification costs alone can exceed $5,000–$50,000+.
  • Ransomware, phishing, and social engineering are the three most common loss drivers for small businesses — and all are covered under most standalone cyber policies.

Why Small Businesses Are at Risk

It is a common misconception that cybercriminals only target large corporations. In practice, small businesses are frequently targeted precisely because they tend to have weaker security controls than enterprises while still holding valuable data — credit card numbers, Social Security numbers, employee records, health information, or simply the bank credentials that let a thief wire money out of an account.

Common cyber incidents affecting small businesses include:

  • Ransomware: Malware encrypts your files; attackers demand payment (often $10,000–$500,000+) to restore access.
  • Business email compromise (BEC): A criminal impersonates an owner or vendor via email to redirect a wire transfer or AP payment.
  • Data breach: Customer or employee records are stolen or exposed, triggering state notification requirements and potential regulatory fines.
  • Phishing: An employee clicks a malicious link, exposing login credentials or installing malware.
  • Social engineering fraud: A caller impersonates a bank or vendor to trick an employee into transferring funds.

Each of these can cripple a small business that does not have the cash reserves to absorb the loss.


What Does Cyber Insurance Actually Cover?

Cyber insurance policies are not standardized the way, say, workers' compensation is — coverage terms vary by carrier. However, most standalone small-business cyber policies include two broad categories: first-party costs (your own losses) and third-party liability (claims made against you by others).

Coverage Comparison Table

| Coverage Component | What It Pays | First- or Third-Party |
|---|---|---|
| Data breach response (notification, credit monitoring) | Legal fees, mailing costs, credit monitoring for affected individuals | First-party |
| Ransomware / extortion payment & negotiation | Ransom payment (if paid) and negotiation services | First-party |
| Business interruption / extra expense | Lost revenue and extra costs while systems are restored | First-party |
| Data restoration | Cost to rebuild or restore corrupted/lost data | First-party |
| Cyber crime / funds transfer fraud | Money lost to wire fraud, BEC, or social engineering | First-party |
| Forensic investigation | IT and forensics costs to determine cause and scope | First-party |
| Crisis communications / PR | Reputation management following a public breach | First-party |
| Network security liability | Claims from third parties whose data you compromised | Third-party |
| Privacy regulatory defense & fines | Defense costs and covered regulatory penalties (where insurable) | Third-party |
| Media liability | Claims for defamation or copyright infringement in online content | Third-party |

Important: Not all policies include all components above. Social engineering / funds transfer fraud coverage is often a sublimit or endorsement — confirm it is included if BEC is a concern for your business.


What Cyber Insurance Does NOT Cover

Knowing the exclusions is as important as knowing the coverages:

  • Pre-existing breaches: Incidents that began before your policy's retroactive date are excluded under claims-made forms. Ask for the broadest retroactive date possible.
  • Intentional or criminal acts by the insured: If you or a partner caused the breach deliberately, the policy will not respond.
  • Bodily injury or property damage caused by cyber events: Most cyber policies exclude physical loss; your GL or property policy would need to respond to those claims (though coverage there is also often limited — a coverage gap exists for operational technology / OT risks).
  • War and nation-state attacks: Many policies contain war exclusions, though carriers have been narrowing these after the "NotPetya" litigation. Confirm your policy's specific language.
  • Failure to maintain minimum security standards: If you agreed to maintain multi-factor authentication (MFA) or patch systems, failing to do so can void coverage for related losses.
  • Fines and penalties that are uninsurable by law: Some regulatory penalties are not insurable in certain states [verify state].

How Much Does Cyber Insurance Cost for a Small Business?

Premium depends on several factors: revenue, industry, number of records held, security controls in place, prior claims history, and the limits/deductibles you choose.

Indicative Annual Premium Ranges by Business Type

| Business Type | Revenue Range | Typical Annual Premium | Common Limit |
|---|---|---|---|
| Retail shop (limited card data) | < $1M | $500–$1,200 | $250K–$1M |
| Restaurant / food service | $500K–$2M | $700–$1,500 | $500K–$1M |
| Contractor / trades (low data) | $500K–$3M | $600–$1,200 | $250K–$1M |
| Professional services (CPA, consultant) | $500K–$2M | $1,200–$2,500 | $1M |
| Medical / dental office | $500K–$2M | $1,500–$3,500 | $1M–$2M |
| E-commerce (high transaction volume) | $1M–$5M | $2,000–$5,000+ | $1M–$2M |
| Tech / SaaS (software product) | $500K–$3M | $2,000–$6,000+ | $1M–$2M |

These are illustrative ranges based on typical market conditions as of 2025–2026. Your actual premium will depend on your specific risk profile, security posture, and the carriers your broker accesses. Premiums have moderated from 2021–2022 highs as more capacity has returned to the market.

Security controls that reduce your premium:

  • Multi-factor authentication (MFA) on email and remote access
  • Endpoint detection and response (EDR) software
  • Regular, tested, offline backups
  • Employee phishing training
  • Patch management program


Is Cyber Insurance Required by Law?

There is no federal law mandating cyber insurance for small businesses, and most states do not require it either. However, several indirect forces effectively create requirements:

  • Contracts: Larger clients, government agencies, and payment processors (PCI DSS contracts) increasingly require vendors to carry cyber insurance and may specify minimum limits.
  • State data breach laws: Every U.S. state has enacted a breach notification law requiring you to notify affected individuals (and sometimes regulators) when personal data is compromised. Compliance costs money whether or not you have insurance.
  • Healthcare (HIPAA): If you handle protected health information (PHI), HIPAA's Security Rule requires administrative, technical, and physical safeguards. Cyber insurance does not satisfy HIPAA directly, but it covers many of the costs of a breach response.
  • FTC Safeguards Rule: Financial institutions and related businesses (auto dealers, tax preparers, mortgage brokers) must comply with the FTC's updated Safeguards Rule, which mandates specific data security controls. Cyber insurance covers the breach response if controls fail.

Bottom line: no state requires cyber insurance as a standalone mandate for most small businesses — but your contracts, your customers' data, and basic financial prudence often make it effectively necessary.


How to Buy Cyber Insurance in 5 Steps

  1. Inventory your data and systems. List the types of sensitive data you hold (payment cards, SSNs, PHI, employee records), how many records, and what systems store or transmit them.
  2. Review your existing policies for gaps. Pull out your BOP, GL, and commercial property policy and confirm that cyber events are excluded or sub-limited. Most are — but confirm.
  3. Assess your security controls. Carriers will ask about MFA, backups, EDR, and patch management. Implement what you can before applying; it improves coverage terms and lowers premiums.
  4. Work with an independent broker. Cyber policy wording varies significantly. An independent broker can compare several carriers (e.g., Coalition, Corvus, Chubb, Travelers, Beazley, Cowbell) on your behalf to find the right fit.
  5. Review the policy carefully before binding. Confirm retroactive date, sublimits on social engineering / funds transfer fraud, war exclusions, and any security warranties you are agreeing to maintain.

Real-World Example: Ransomware Attack on a Small CPA Firm

Scenario (illustrative — not a guarantee of coverage or outcome):

A two-partner CPA firm in Ohio with eight employees and about $950,000 in annual revenue is hit by ransomware on a Monday in February — peak tax season. Attackers encrypt the firm's entire file server, including client tax returns and financial records for hundreds of clients.

The losses:

| Loss Category | Estimated Cost |
|---|---|
| IT forensics to investigate the attack | $8,500 |
| Ransomware negotiation and payment | $45,000 |
| Data restoration and system rebuild | $12,000 |
| Business interruption (10 days of lost revenue) | $18,000 |
| Attorney fees for breach analysis | $6,000 |
| Client notification (Ohio law requires notification if SSNs exposed) | $7,500 |
| Credit monitoring for 400+ affected clients | $9,000 |
| Total estimated loss | $106,000 |

The firm carried a $1M cyber policy with a $2,500 deductible, purchased for approximately $1,800/year. The insurer covered $103,500 of the total loss after the deductible. Without the policy, the firm would have faced potential insolvency or been forced to absorb the loss personally.

Key lesson: Business interruption — not just the ransom payment — is often the largest single cost in a ransomware event for a service business.


FAQ — Common Questions About Cyber Insurance for Small Businesses

Q: Does a Business Owner's Policy (BOP) include cyber coverage? No — not automatically. Some carriers offer a limited cyber endorsement that can be added to a BOP, but these typically carry low sublimits ($10,000–$50,000) and narrow coverage. A standalone cyber policy provides substantially broader protection and higher limits. Always confirm what your BOP actually includes.

Q: Is cyber insurance worth it if I am very small with almost no customer data? Even businesses with minimal stored data face risk. Business email compromise and funds transfer fraud do not require the attacker to steal data — they manipulate your employees into wiring money. If your business sends or receives wire transfers or ACH payments, BEC fraud coverage alone can justify the premium.

Q: What is the minimum limit I should buy? For most small businesses, a $1M per-claim / $1M aggregate limit is a reasonable starting point. Businesses in healthcare, financial services, e-commerce, or those holding large volumes of customer records should consider $1M–$2M+. Your broker can help model a realistic worst-case scenario for your specific business.

Q: Will cyber insurance cover my employees' mistakes — like accidentally emailing a client's data to the wrong person? Yes — most cyber policies cover accidental data exposure caused by employee error, provided the event meets the policy's definition of a "security breach" or "privacy event." Confirm this with your broker when comparing policies.

Q: Does the policy pay the ransom even if paying is controversial? Most cyber policies include coverage for ransomware payments, subject to compliance with OFAC sanctions (carriers will not pay ransoms to sanctioned groups). Carriers typically have experienced negotiators and incident response teams that work to minimize the ransom amount or find alternatives to payment.

Q: How is cyber insurance different from a tech E&O policy? Technology errors & omissions (Tech E&O) insurance covers claims that a technology product or service you sell to others caused a third party's loss; it addresses the technology your business provides, not the technology your business uses. Cyber insurance covers events where your own systems are attacked or breached. Tech companies often need both, while most non-tech small businesses need cyber insurance rather than Tech E&O.

Q: Can I get cyber coverage even if I had a breach last year? You can often still obtain coverage, but you may face higher premiums, sublimits on certain coverages, or exclusions for vulnerabilities related to the prior incident. Disclose prior incidents fully on your application — non-disclosure can void coverage. Some specialty carriers focus on businesses with complex or prior cyber histories.

Q: What security requirements will the carrier impose on me? Almost all carriers now require MFA for email (Microsoft 365 / Google Workspace) and remote access (VPN / RDP) at minimum. Carriers may also require endpoint protection, backups, and regular patching as conditions of coverage. Failure to maintain stated controls can reduce or eliminate coverage in the event of a claim.


Why Work With Morrow for Cyber Insurance

1. Independent access to the cyber market. Morrow is an independent agency, meaning we are not captive to a single insurer. We work with multiple admitted and surplus lines cyber carriers — including carriers that specialize in small business cyber — and compare policy language, not just price. [Morrow to confirm current cyber carrier panel]

2. We understand your industry's specific exposures. A dental office's cyber risk profile is different from a landscaping company's. We tailor coverage recommendations to your industry, data footprint, and the contracts your clients actually require — not a one-size-fits-all package.

3. Fast certificates and documentation. If a client or contract requires you to show proof of cyber coverage, we turn around certificates of insurance (COIs) quickly — often same business day — so you never lose a deal waiting on paperwork.

4. Security control guidance before you bind. We help you understand what carriers will ask and what controls you can implement before applying, which both improves your coverage and reduces your premium.

5. Claims advocacy when it matters most. A cyberattack is one of the most stressful events a small business can face. Morrow advocates on your behalf with the carrier's claims team and incident response resources — we do not disappear after binding.


Get a Cyber Insurance Quote

Ready to find out what cyber coverage costs for your business?

Get a cyber insurance quote from Morrow →

Or call us at [Morrow to confirm phone number] — we can typically turn around a cyber quote within one business day for most small businesses.

Trust strip: Morrow (Afthonea Inc., DBA Morrow) is a licensed independent commercial insurance agency. [Morrow to confirm licensed states and NPN]. We work with A-rated and A+-rated admitted and surplus lines carriers. [Morrow to confirm current carrier relationships and any verified review ratings/platform links.]



Author: Written by the Morrow Commercial Insurance Editorial Team. Content reviewed for technical accuracy by a licensed P&C insurance professional.

Published: June 2026 | Last updated: June 2026

Sources:

  • Verizon Data Breach Investigations Report (DBIR) — annual edition
  • Insurance Information Institute (III) — cyber risk resources
  • National Association of Insurance Commissioners (NAIC) — cyber insurance guidance and model laws
  • Federal Trade Commission (FTC) — Safeguards Rule (16 CFR Part 314)
  • U.S. Department of Health & Human Services — HIPAA Security Rule
  • State data breach notification laws — National Conference of State Legislatures (NCSL) tracker
  • U.S. Department of the Treasury / OFAC — sanctions compliance guidance for ransomware payments