How Much Cyber Insurance Do I need?

A CFO-Friendly Limit Guide

Your CFO asks: “How much cyber insurance do we need?” Most SMBs default to $1M limits because that’s what the quote shows. But $1M might be dangerously thin for your actual exposure, or unnecessarily expensive for your risk profile.

The right limit depends on three things: how much downtime would cost you, how much data you hold, and how much you move in wire transfers. At The Coyle Group, we help business owners translate cyber risk into CFO-friendly numbers.

The Bottom Line (TLDR)

  • Most SMBs start at $1M, but this is often inadequate for actual breach costs
  • Size your limit based on three buckets: downtime, data exposure, and fraud exposure
  • Social engineering/BEC coverage is typically capped at $250,000, which is often too low
  • Annual premiums range from $1,000 to $7,500 for most SMBs
  • Strong security controls (MFA, EDR, tested backups) can reduce premiums 15-30%

Business Profile – Starting Limit Range

  • Low data + minimal downtime risk – $500K to $1M
  • Typical SMB (10-100 employees) – $1M to $2M
  • High-revenue, regulated, or data-heavy – $2M to $5M+


How Much Cyber Insurance Do I Need for a Small Business?

Profile – Revenue Range – Typical Limit – Monthly Cost

  • Low risk (limited data, minimal digital operations) – revenue under $2M – $500K to $1M limit – $80 to $150/month
  • Average SMB (some PII, standard digital presence) – revenue $2M to $10M – $1M to $2M limit – $120 to $300/month
  • Higher risk (healthcare, finance, heavy wire transfers) – revenue $5M to $25M – $2M to $5M limit – $200 to $500+/month

If you have a contract requirement specifying minimum limits, start there. Client contracts most often require a $1 million per-occurrence limit as a baseline.

What Does “$1M” of Cyber Insurance Actually Mean?

Term – What It Means

  • Per-occurrence limit – Maximum payout for any single incident
  • Aggregate limit – Maximum payout across all claims in a policy year
  • Retention/Deductible – What you pay first (typically $2,500 to $10,000)
  • Sublimits – Caps on specific coverages within your total limit

Critical: Sublimits often matter more than the headline number. A $2M policy with a $100K ransomware sublimit provides far less protection than a $1M policy with full ransomware coverage.

What Should I Base My Cyber Insurance Limit On?

The 3-Bucket Sizing Method

  • Bucket 1: Downtime Exposure – Lost gross profit + extra expense to get back online
  • Bucket 2: Data Exposure – Privacy liability + notification costs + regulatory penalties
  • Bucket 3: Fraud Exposure – BEC/social engineering + wire transfer fraud

Add these three buckets together, then add a 20-30% buffer. That’s your target limit range.

How Do I Estimate My Downtime Loss?

Daily Gross Profit × Expected Downtime Days + Extra Expense = Business Interruption Exposure

Example for a $5M revenue distribution company:

  • Daily gross profit: $5M × 30% margin ÷ 365 = $4,100/day
  • Expected ransomware recovery: 21 days
  • Basic BI exposure: $86,100
  • Extra expense (IT consultants, overtime): $50,000
  • Total BI exposure: ~$136,000
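The downtime formula and the 3-bucket sizing method as a small calculator, added here as a worked example (not the article's own tool); it also encodes the sublimit red flags the article lists further on. The revenue, margin, downtime and extra-expense figures are the article's $5M distributor; the record count, per-record cost, wire size and sublimits are constructed.

```python
# Added example (not the article's own tool): the downtime formula and the
# 3-bucket sizing method as a calculator, plus the sublimit red flags the
# article says to check before binding. Record count, wire size and
# sublimits used below are constructed; the rest are the article's figures.
from dataclasses import dataclass


@dataclass
class Exposure:
    revenue: float          # annual revenue
    gross_margin: float     # gross profit margin, e.g. 0.30
    downtime_days: int      # expected ransomware recovery time
    extra_expense: float    # IT consultants, overtime
    records: int            # individuals whose data you hold
    per_record_cost: float  # notification + call center, $50 to $200 per record
    breach_counsel: float   # breach counsel + forensics, $50K to $150K
    largest_wire: float     # largest routine wire transfer you send

def daily_gross_profit(revenue, gross_margin):
    return revenue * gross_margin / 365

def downtime_exposure(e):  # Bucket 1: daily gross profit x days + extra expense
    return daily_gross_profit(e.revenue, e.gross_margin) * e.downtime_days + e.extra_expense

def data_exposure(e):  # Bucket 2: fixed response costs + per-record notification
    return e.breach_counsel + e.records * e.per_record_cost

def fraud_exposure(e):  # Bucket 3: one diverted wire is the realistic BEC loss
    return e.largest_wire

def target_limit_range(e):  # sum the buckets, then add the 20-30% buffer
    total = downtime_exposure(e) + data_exposure(e) + fraud_exposure(e)
    return total * 1.20, total * 1.30

def sublimit_red_flags(e, ransomware_sublimit, bec_sublimit, waiting_hours):
    flags = []
    if ransomware_sublimit < 500_000:
        flags.append("ransomware sublimit below $500K")
    if bec_sublimit < e.largest_wire:
        flags.append("BEC sublimit below your largest wire")
    if waiting_hours >= 24:
        flags.append("BI waiting period of 24+ hours")
    return flags

# The article's $5M distribution company; records and wire size are constructed.
DISTRIBUTOR = Exposure(5_000_000, 0.30, 21, 50_000, 5_000, 100, 100_000, 150_000)

if __name__ == "__main__":
    lo, hi = target_limit_range(DISTRIBUTOR)
    print(f"target limit: ${lo:,.0f} to ${hi:,.0f}")
    print(sublimit_red_flags(DISTRIBUTOR, 250_000, 100_000, 24))
```

The downtime bucket reproduces the article's ~$136,000 (the article rounds the daily figure to $4,100); the other two buckets show how quickly a modest record count and one large wire push the total past $1M.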

What 40+ Years Taught Me About This Risk

Business owners consistently underestimate downtime costs. A manufacturing client assumed they’d be back online in 3 days. Reality: 18 days, because their backup hadn’t been tested in 14 months. Their $500K BI limit was exhausted by day 12.

Most overlooked details:

  • Waiting period: Most policies have 8-24 hours before BI coverage kicks in
  • Dependent BI: If your cloud provider goes down, does your policy cover your losses?
  • System vs. security failure triggers: Some policies only cover hacks, not software bugs

Understanding the cyber insurance waiting period is essential before binding coverage.

How Do I Estimate Data Breach Costs?

Cost Category – Typical Range – What It Covers

  • Breach counsel + forensics – $50,000 to $150,000 – Attorney fees, digital investigation
  • Notification + call center – $50 to $200 per record – State-mandated notifications, victim support
  • Credit monitoring – $10 to $30 per person/year – If offered to affected individuals
  • Regulatory defense – $50,000 to $250,000+ – Responding to state AG inquiries, HIPAA investigations
  • Third-party claims – Variable – Customer or vendor lawsuits

Biggest cost drivers: Number of records, type of data (PHI/PCI costs more than basic contact info), and regulatory environment (HIPAA, PCI-DSS, state privacy laws).

Learn more about what cyber insurance actually covers.

Data Inventory Quick Check

What data do you actually store?

  • Basic PII (names, emails, addresses)
  • Social Security numbers
  • Payment card data (PCI)
  • Health information (HIPAA)
  • Employee W-2s and tax data

The more boxes you check, the higher your data exposure bucket.


How Much Social Engineering and Wire Fraud Coverage Do I Need?

This is where most SMBs are dangerously underinsured. Most cyber policies cap social engineering at $100,000 to $250,000, while the average BEC attack costs $200,000 to $300,000.

According to the FBI’s IC3 2024 report, BEC complaints totaled over 21,000 with losses approaching $2.77 billion.

Cyber vs. Crime: Which Pays?

Coverage – Cyber Policy – Crime Policy

  • BEC/social engineering – Cyber: usually sublimited ($100K to $250K) – Crime: often higher limits
  • Wire transfer fraud (system hack) – Cyber: typically covered – Crime: may require endorsement
  • Employee theft – Cyber: usually excluded – Crime: primary coverage

Key insight: Crime policies can layer on top of cyber. If cyber covers the first $250K and crime covers up to $500K additional, you have $750K total coverage.

Learn more about cyber insurance social engineering coverage.

What Cyber Insurance Limits Do Companies Like Mine Usually Buy?

Industry – Common Limit Range – Why

  • Professional services – $1M to $2M – Client data, contractual requirements
  • E-commerce/retail – $1M to $3M – PCI compliance, transaction volume
  • Healthcare/medical – $2M to $5M – HIPAA penalties, PHI requirements
  • Manufacturing/logistics – $1M to $3M – OT systems, BI exposure
  • SaaS/technology – $2M to $10M – Third-party liability
  • Financial services – $3M to $10M – SEC requirements, fiduciary exposure

For industry-specific guidance, see cyber insurance for manufacturers and distributors and cyber insurance for technology startups.

What Limit Do I Need to Satisfy Client Contracts?

Many businesses need cyber insurance because clients require it, not because of regulations. Industry data shows a significant percentage of vendors lose contract opportunities due to insufficient coverage.

Approach contract requirements methodically:

  • Start with the required limit, then verify sublimits don’t break it. A contract requiring “$2M cyber” means nothing if your ransomware sublimit is $500K.
  • Confirm COI language. Some contracts require additional insured status or specific wording.
  • Watch for unrealistic requirements. Some enterprises ask for $10M limits from small vendors. If requirements seem excessive, negotiate.
  • Factor compliance into your pricing. If winning a contract requires doubling your cyber limits, build that premium cost into your proposal.

What Sublimits Should I Check Before Binding?

Item – Red Flag

  • Ransomware/extortion sublimit – Below $500K
  • BEC/social engineering sublimit – Below your largest wire
  • Business interruption waiting period – 24+ hours
  • Dependent BI sublimit – No coverage or heavily sublimited
  • PCI coverage – Excluded or sublimited
  • War/nation-state exclusion – Overly broad language

Review cyber insurance claims examples to understand how sublimits affect real claims.

Is $1M of Cyber Insurance Enough?

  • When $1M can be reasonable: Revenue under $3M, minimal sensitive data, strong security controls with tested backups, no significant wire transfers, no contractual requirements for higher limits.
  • When $1M is usually thin: Daily gross profit exceeds $5,000, you store PHI/PCI/significant PII, you process wire transfers exceeding $100K, clients require higher limits contractually, you’re in healthcare/finance/technology.

Our guide on how much cyber insurance should I buy walks through specific scenarios.

What Security Controls Affect Coverage?

Strong security unlocks better pricing, higher limits, and faster claim approval. Underwriting has shifted from questionnaires to proof of controls.

Control – Why Required – Implementation Time

  • MFA everywhere (email, VPN, admin) – Blocks 99.9% of automated attacks – 1-2 weeks
  • EDR (endpoint detection & response) – Catches ransomware before it spreads – 2-4 weeks
  • Immutable backups + tested restore – Only way to recover without paying ransom – 2-4 weeks
  • Security awareness training – Employees are the #1 attack vector – Ongoing
  • Patch management (30-day cadence) – Unpatched systems are easy targets – Ongoing

According to Microsoft security research, MFA alone blocks 99.9% of automated attacks.

Why This Matters for Limits

Better controls = more capacity. Insurers offer higher limits and better terms to businesses with demonstrable security. Weak controls often result in denied applications or coverage restrictions.

Documentation is critical. You must prove your systems work, not just claim they exist. Expect underwriters to request screenshots, policy exports, and testing logs.

Good / Better / Best Coverage Tiers

  • Primary Limit – Good: $1M – Better: $2M – Best: $3M to $5M
  • Social Engineering – Good: $100K to $250K – Better: $500K – Best: High limit or crime policy
  • BI Waiting Period – Good: 8-hour – Better: 4-hour – Best: Minimal
  • Dependent BI – Good: Excluded – Better: Sublimited – Best: Full coverage
  • Annual Cost – Good: $1,200 to $2,500 – Better: $2,500 to $5,000 – Best: $5,000 to $10,000+

Understanding the difference between cyber and crime insurance helps you choose the right combination.

Frequently Asked Questions

Contact your broker. Most carriers allow mid-term limit increases for additional premium. Don’t wait for renewal if your exposure has increased significantly.

You likely need both. Cyber covers system hacks but often sublimits social engineering. Crime policies can provide higher social engineering limits and layer on top of cyber.

Only if your policy includes dependent business interruption coverage. Standard policies often exclude or heavily sublimit this. If your business depends on cloud providers or SaaS tools, confirm this coverage exists.

Yes, most policies cover ransomware payments, though some apply sublimits. Coverage typically includes the ransom, forensics, negotiation services, and restoration. See ransomware insurance coverage.

Healthcare organizations face HIPAA penalties ranging from $100 to $50,000 per compromised record. Most medical practices should carry $2M to $5M minimum. HIPAA violations alone can consume a $1M policy. Cyber insurance for doctors covers specific requirements.

Early-stage startups typically start with $500K to $1M. However, investors and enterprise customers often require $2M or higher. Factor contractual requirements into your coverage decision from day one.

Law firms handle confidential client information and privileged communications, making them attractive targets. Professional services firms typically carry $1M to $3M based on size. Client contracts often dictate minimums.

The guardrail: choose a retention you can fund immediately during a crisis. If you pick a $25K retention to save $500 in premium, can you write that check within 48 hours while also paying emergency IT consultants? Most SMBs should stay at $2,500 to $5,000.

Next Step: Get a Limit Recommendation You Can Defend

Your cyber insurance limit should be sized to your specific downtime, data, and fraud exposure, not industry averages or carrier defaults.

At The Coyle Group, we help business owners translate cyber risk into defensible numbers. 40+ years of commercial insurance expertise, access to 20+ cyber carriers, and no-pressure consultation.


Author’s Experience

This article was written by Gordon B. Coyle, CPCU, ARM, AMIM, PWCA, CEO of The Coyle Group, who has over 40 years of experience working with business owners of all sizes and industries across the United States, solving their insurance challenges. Gordon specializes in helping SMBs develop comprehensive cyber insurance programs that protect their operations and support their growth objectives.
