Cyber insurance is a policy that covers the financial losses your business faces after a cyberattack, data breach, or other digital incident. It pays for two categories of costs: first-party expenses (forensic investigation, data recovery, customer notification, business interruption, and ransom payments) and third-party expenses (legal defense and settlements when customers or regulators sue you for failing to protect their data). The average small business pays $1,000 to $7,500 annually for coverage, while the average data breach costs small businesses $120,000 to $1.24 million to resolve. Cyber insurance is not a replacement for security controls like MFA and backups, but it provides the financial safety net that keeps your business operating when prevention fails.
The Complete Guide for Business Owners
If ransomware hit your systems tomorrow, would you have the cash to pay for forensic investigators, legal counsel, customer notifications, and months of lost revenue? For most small and mid-sized businesses, the answer is no.
Cyber insurance exists for exactly this reason. It helps pay for the response, recovery, and legal costs after a cyber incident so your business survives what could otherwise be a company-ending event.
The Bottom Line (TL;DR)
| Key Facts | What You Need to Know |
|---|---|
| Definition | Insurance covering financial losses from data breaches, ransomware, and business interruption |
| Average SMB Cost | $1,000 to $7,500 annually ($145/month average for $1M coverage) |
| Average Breach Cost | $4.88 million globally; $120,000 to $1.24 million for small businesses |
| Coverage Types | First-party (your costs) and third-party (lawsuits against you) |
| Required Controls | MFA, EDR, tested backups, incident response plan |
What Is Cyber Insurance? A Plain-English Definition
Cyber insurance (also called cyber liability insurance) protects your business from the financial fallout of cyberattacks, data breaches, and digital incidents.
Just like property insurance covers physical damage to your building, cyber insurance covers digital damage to your operations, data, and reputation.
When a cyber incident hits, you face two categories of costs: first-party costs (what you pay directly to respond and recover) and third-party costs (what you pay when others sue you). A comprehensive cyber policy covers both.
What 40+ Years Taught Me About This Risk
The businesses that survive cyber incidents aren’t necessarily the ones with the best IT departments. They’re the ones with proper insurance and a plan. 60% of small businesses close within six months of a cyberattack. Not because the attack was sophisticated, but because they couldn’t afford the recovery.
What Cyber Insurance Is NOT
| What People Think | Reality |
|---|---|
| A replacement for IT security | Insurance pays claims after the fact; it doesn’t prevent attacks, and insurers now require security controls before they will write the policy |
| The same as general liability | GL covers bodily injury and property damage, not data breaches |
| The same as crime insurance | Crime covers theft of money (employee theft and, with a social engineering endorsement, fraudulent wire transfers); cyber covers data breaches and system compromise |
| The same as Tech E&O | Tech E&O covers professional mistakes in the services you deliver; cyber covers security incidents (see comparison) |
What Cyber Insurance Typically Covers
First-Party Coverage: Your Direct Costs
| Coverage Area | What It Pays For |
|---|---|
| Forensic Investigation | IT experts determining what happened and what data was compromised |
| Breach Coach/Legal Guidance | Attorney coordinating the response and advising on notification and other legal obligations |
| Notification Costs | Letters to affected individuals plus call center setup |
| Credit Monitoring | 12-24 months of monitoring for affected individuals |
| Cyber Extortion/Ransom | Payment to attackers plus negotiator fees (if covered; payment usually requires the insurer’s prior consent) |
| Business Interruption | Lost income during downtime plus extra expenses, after the policy’s waiting period |
Learn more about what cyber insurance covers.
Third-Party Coverage: Claims Against You
| Coverage Area | What It Pays For |
|---|---|
| Privacy Liability | Lawsuits alleging failure to protect personal information |
| Regulatory Defense | Costs to defend against government investigations, and fines and penalties where insurable |
| Media Liability | Claims of defamation or copyright infringement arising from your online content |
| PCI Fines | Fines and assessments levied under PCI DSS after a payment card security failure |
Understanding first-party vs. third-party cyber coverage helps evaluate whether your policy truly protects your business.
What Cyber Insurance Usually Does NOT Cover
| Exclusion | Why It Matters |
|---|---|
| Prior/Known Issues | Vulnerabilities or incidents you knew about before buying coverage are excluded |
| Intentional Acts | Fraud or deliberate wrongdoing by the insured isn’t covered |
| Failure to Maintain Controls | Claiming you have MFA when you don’t can void your policy |
| War/Hostile Acts | State-sponsored attacks may be excluded; check how the policy defines “war” and whether attribution to a nation-state alone triggers the exclusion |
| Social Engineering (Sometimes) | Wire transfer fraud often requires a separate endorsement or a crime policy |
Failure to maintain controls, meaning you represented a control on the application that was not actually in place, is the #1 reason cyber insurance claims get denied.
Real-World Example: Ransomware Attack Costs
A manufacturer’s systems were encrypted overnight. Production stopped for 12 days.
| Expense | Amount |
|---|---|
| Forensic investigation | $75,000 |
| Ransom negotiation & payment | $180,000 |
| Data restoration | $45,000 |
| Business interruption | $320,000 |
| Legal counsel | $35,000 |
| Total | $655,000 |
Without insurance, this comes from operating capital. More cyber insurance claims examples show how coverage works in practice.
The Wire Fraud Surprise: BEC Isn’t Always Covered
| Scenario | Which Policy Responds |
|---|---|
| Hacker steals data | Cyber Insurance |
| Ransomware encrypts systems | Cyber Insurance |
| Employee tricked into wiring money | Crime Insurance (Social Engineering endorsement) |
The difference between cyber and crime insurance determines which policy pays. Many businesses need both.
What Insurers Require
Mandatory Security Controls
| Control | Why Required |
|---|---|
| Multi-Factor Authentication (MFA) | Blocks the large majority of automated account-takeover attacks (the commonly cited figure is 99.9%); insurers expect it on email, remote access, and admin accounts |
| Endpoint Detection & Response (EDR) | Detects and stops threats on endpoints in real time, so ransomware is caught before it spreads |
| Immutable/Offline Backups | Lets you restore without paying a ransom, provided the copies can’t be reached with domain credentials and restores are actually tested |
| Security Awareness Training | Employees are the first line of defense against phishing and business email compromise |
| Incident Response Plan | Written, and tested within the past 12 months |
Learn about MFA and why insurers require it.
The #1 Application Mistake
Saying you have controls that aren’t fully deployed.
You check “Yes” for MFA, but IT hasn’t enforced it everywhere: users are enrolled but the sign-in policy doesn’t require the second factor, or email, VPN, or admin accounts were left out. After a breach, the insurer investigates, finds the gaps, and denies your claim for material misrepresentation. Audit your actual security posture, from the identity provider’s own records rather than from memory, before completing applications.
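The check below is an added example written for this article, not an insurer’s tool or any identity provider’s API. It takes a CSV export of user accounts (the column names `user`, `role`, `account_type`, `mfa_enrolled`, `mfa_enforced`, and `last_login` are assumed; map your own directory export onto them) and reports whether you can truthfully answer “Yes” to the MFA question. The sample rows are constructed for illustration and are not real accounts.

```python
"""Added example: check whether MFA is actually enforced before attesting 'Yes'
on a cyber insurance application.

Illustrative code for this article, not an insurer's tool or any vendor's API.
The CSV column names are assumed; adapt them to your own directory export.
"""
import csv
import io
from datetime import date

# Constructed sample export for illustration; not real accounts.
SAMPLE_EXPORT = """\
user,role,account_type,mfa_enrolled,mfa_enforced,last_login
alice@example.com,admin,user,yes,yes,2025-01-10
bob@example.com,user,user,yes,no,2025-01-09
carol@example.com,user,user,no,no,2024-06-01
svc-backup@example.com,admin,service,no,no,2025-01-10
dave@example.com,user,user,yes,yes,2023-02-01
"""


def _yes(value):
    return value.strip().lower() == "yes"


def load_accounts(export_text):
    """Parse the CSV export into typed records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts.append({
            "user": row["user"].strip(),
            "role": row["role"].strip().lower(),
            "account_type": row["account_type"].strip().lower(),
            "mfa_enrolled": _yes(row["mfa_enrolled"]),
            "mfa_enforced": _yes(row["mfa_enforced"]),
            "last_login": date.fromisoformat(row["last_login"].strip()),
        })
    return accounts


def audit_mfa(accounts, today, stale_days=90):
    """Summarise MFA posture the way a claims investigator would see it.

    Enrolled means the user registered a second factor; enforced means the
    sign-in policy refuses access without it. Only enforcement counts.
    """
    enforced = [a["user"] for a in accounts if a["mfa_enforced"]]
    enrolled_not_enforced = [a["user"] for a in accounts
                             if a["mfa_enrolled"] and not a["mfa_enforced"]]
    unenrolled = [a["user"] for a in accounts if not a["mfa_enrolled"]]
    # Privileged accounts (including service accounts holding admin rights)
    # without enforced MFA are the first gap an investigator looks for.
    admins_without_mfa = [a["user"] for a in accounts
                          if a["role"] == "admin" and not a["mfa_enforced"]]
    # Dormant accounts are still valid credentials; disable them.
    stale = [a["user"] for a in accounts
             if (today - a["last_login"]).days > stale_days]
    total = len(accounts)
    coverage_pct = round(100.0 * len(enforced) / total, 1) if total else 0.0
    return {
        "total": total,
        "enforced": enforced,
        "enrolled_not_enforced": enrolled_not_enforced,
        "unenrolled": unenrolled,
        "admins_without_mfa": admins_without_mfa,
        "stale": stale,
        "coverage_pct": coverage_pct,
        # Answer "Yes" only when every account in the export is enforced.
        "can_attest": total > 0 and len(enforced) == total,
    }


def run_audit(export_text, today_iso):
    """Convenience wrapper: CSV text plus an ISO date -> report dict."""
    return audit_mfa(load_accounts(export_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = run_audit(SAMPLE_EXPORT, "2025-01-15")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data only 2 of 5 accounts (40%) are enforced, the backup service account holds admin rights with no MFA, one user is enrolled but not enforced (a policy toggle, not a rollout), and two accounts haven’t signed in for more than 90 days. `can_attest` is therefore `False`: either fix those gaps before signing or answer the question accurately and let the underwriter price it.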
Do You Need Cyber Insurance?
| If You… | You Need Cyber Insurance |
|---|---|
| Store customer data | ✅ Yes |
| Rely on cloud services or email | ✅ Yes |
| Accept credit card payments | ✅ Yes |
| Wire money or change bank details | ✅ Yes |
| Have contracts requiring it | ✅ Yes |
Does my small business really need cyber insurance? The answer is almost always yes.
How Much Cyber Insurance Do You Need?
Quick Sizing Guide
| Revenue | Typical Limit |
|---|---|
| Under $5M | $1M |
| $5M-$25M | $2M-$3M |
| $25M-$100M | $5M+ |
Most SMBs start with $1M limits, but this is often inadequate: the ransomware example above ran to $655,000 for a single incident before any third-party claims. How much cyber insurance you should buy depends on your specific risk profile.
What Cyber Insurance Costs
Pricing Benchmarks
| Business Profile | Annual Premium Range |
|---|---|
| Small businesses (under $5M revenue) | $1,000-$3,000 |
| Mid-sized businesses ($5M-$25M) | $3,000-$7,500 |
| Larger operations ($25M+) | $7,500-$50,000+ |
| Average for SMBs | $1,740/year |
Factors Impacting Premium
| Factor | Impact |
|---|---|
| Revenue | Higher revenue = higher premiums |
| Industry | Healthcare, financial services pay more |
| Data types | PII, PHI, payment data increase risk |
| Security controls | Strong controls = 15-30% reduction |
| Claims history | Past claims raise rates significantly |
How to Buy Cyber Insurance the Right Way
Three-Step Process
| Element | What to Check |
|---|---|
| Business interruption waiting period | Shorter is better: an 8-hour waiting period pays on outages that a 24-hour period would leave entirely on you |
| Social engineering/BEC coverage | Is it included? What’s the sublimit? Is it in this policy or in your crime policy? |
| Dependent business interruption | Does it cover outages at vendors you depend on (cloud provider, MSP, payment processor)? |
Bring This Checklist to Your Broker
Prepare these items before seeking quotes:
Having this information ready speeds up quoting and ensures accurate pricing.

Key Terms You’ll Hear
| Term | Definition |
|---|---|
| Incident vs. Claim | An incident is a security event; a claim is when you ask your insurer to pay |
| First-Party Coverage | Pays your direct costs (forensics, notification, business interruption) |
| Third-Party Coverage | Pays legal defense and settlements when others sue you |
| Waiting Period | Hours you must be down before business interruption coverage kicks in |
| Sublimit | A coverage cap within your policy lower than the main limit (common for ransom and social engineering) |
| Panel Vendors | Pre-approved forensics firms and lawyers your insurer requires you to use; engaging a non-panel vendor without approval may not be reimbursed |
| Breach Coach | An attorney who coordinates your incident response and keeps the investigation under privilege |
Understanding cyber insurance waiting periods is critical because they determine when your business interruption coverage actually begins.
Frequently Asked Questions
Ready to Protect Your Business?
If you want to know whether your current policy would actually pay when you need it, we’ll do a complimentary coverage review.
Why Work with The Coyle Group
Author’s Experience
This article was written by Gordon B. Coyle, CPCU, ARM, AMIM, PWCA, CEO of The Coyle Group, who has over 40 years of experience working with business owners of all sizes and industries across the US, solving their insurance challenges. Gordon specializes in helping SMBs develop comprehensive cyber insurance programs that protect their operations and support their growth objectives. His expertise spans cyber insurance for manufacturers, technology startups, hedge funds, and professional services firms.