Cyber insurance for small business pays the costs of a hacking incident or data breach: forensic investigation, customer notification, credit monitoring, ransomware negotiation and payments, lost income while systems are down, and lawsuits or regulatory actions that follow. Small businesses buy it as a stand-alone policy because general liability, property, and businessowners policies exclude or barely touch cyber losses. Typical small business policies carry $1,000,000 limits and cost around $129 per month according to Insureon customer data.
Cyber criminals do go after big companies, but small and mid-sized businesses are the most common accessible targets, partly because a small vendor's network can be the backdoor into a larger customer's systems. Here is how the coverage actually works, what it costs, and what carriers will ask of you before they quote.

Cyber Insurance
Cyber insurance covers financial losses from hacking, data breaches, ransomware, and related technology incidents. Policies pair first party coverage for the insured's own response costs and lost income with liability coverage for claims brought by affected customers, regulators, and card networks.
What is cyber liability insurance?
Cyber liability insurance, also called data breach insurance, is the common name for a policy that responds to hacking incidents, data breaches, ransomware, and the lawsuits that follow them. The name is a little misleading. Modern cyber policies contain both first party coverage, which pays your own losses, and liability coverage, which pays what you owe others, so the industry increasingly just says "cyber policy."
Nearly every insurer writes coverage on its own proprietary form rather than a standard industry form, which means two policies with similar names can cover very different things. ISO does file a standard form, the Information Security Protection Cyber Policy (CY 00 03 11 21), and it makes a useful benchmark for comparing the proprietary forms you'll actually be quoted.
The reason a separate policy exists at all is that traditional coverage was never built for this. Your general liability policy covers bodily injury and property damage, and it is explicit that electronic data is not tangible property. It also carries a mandatory endorsement limiting cyber related coverage. A businessowners policy or commercial property form provides only small sublimits for electronic data, restricted to a narrow set of perils. Commercial crime insurance can pick up computer fraud and fraudulent impersonation, but nothing close to full breach response.
What does cyber insurance cover?
Cyber insurance covers two categories of loss. First party coverage pays costs your business incurs directly: forensic experts to establish whether a breach occurred and what data was taken, legally required notification to affected customers, credit monitoring for those customers for at least a year, ransom payments and negotiator fees in an extortion event, restoration of damaged or encrypted data, and income lost while your systems are down.
Third party coverage pays damages and defense costs when others come after you: customers suing over exposed personal information, regulators enforcing privacy laws like HIPAA or the CCPA, card networks assessing PCI fines after compromised card data, and media liability claims over website or social media content. A single incident commonly triggers several of these at once.
The ISO benchmark form organizes this into eight insuring agreements, and most proprietary forms map to the same skeleton under different names:
| Insuring agreement | Side | What it pays |
|---|---|---|
| Cyber Incident or Information Security Breach Expense | First party | Forensics, notification, call centers, credit monitoring, PR costs |
| Cyber Extortion Events | First party | Ransom payments (including cryptocurrency), negotiators, even interest on a loan taken to pay quickly |
| Replacement or Restoration of Electronic Data | First party | Cost to restore data and programs, including data re-entry and reprogramming |
| Business Income and Extra Expense | First party | Lost net income and continuing expenses during the interruption, after a waiting period measured in hours |
| Cyber Incident or Information Security Breach Liability | Third party | Damages and defense for claims by people whose data was compromised |
| Regulatory Proceeding Liability | Third party | Regulatory defense, consumer redress funds, fines and penalties where insurable |
| Payment Card Industry Liability | Third party | PCI assessments, card reissuance costs, fraud recoveries under your card service agreement |
| Media Liability | Third party | Defamation, privacy, and copyright claims arising from your online content |
Business income works much like the business income coverage on a property policy, with two twists. The deductible is a waiting period measured in hours rather than days, and the period of restoration is capped, 180 days on the ISO form unless the declarations say otherwise. Coverage also excludes what the insured controls least: losses from power or internet outages caused by your utility or provider are excluded, as are costs to upgrade or improve your systems beyond their pre-incident condition.
Do small businesses need cyber insurance?
Small businesses need cyber insurance whenever they store customer or employee personal information, accept credit cards, depend on email or a website to operate, or hold funds that can be moved electronically. That describes nearly every business. Attackers favor small companies precisely because their defenses are thinner, and breach notification laws in all 50 states apply regardless of company size.
A restaurant with a compromised point of sale system owes the same legally required notification and credit monitoring as a national chain. Picture a small pizza shop whose POS exposes card data for 750 customers: at $20 per customer for a year of required credit monitoring, that is $15,000 out the door before any lawsuit or fine.
The dollars are not small. The NetDiligence Cyber Claims Study 2025 puts the five year average cyber claim for small and mid-sized enterprises at $246,000, and ransomware incidents requiring recovery work averaged $961,000. Few small businesses can absorb that from cash flow. Reputation damage compounds the direct cost, since customers rarely give a breached business the benefit of the doubt.
There is also a contractual angle. Larger customers increasingly require vendors to carry cyber coverage before signing, for the same backdoor reason attackers target vendors in the first place. If you sell to enterprises, hospitals, or government, expect a cyber insurance requirement in the contract.
How much does cyber insurance cost for a small business?
Cyber insurance for a small business averages $129 per month, about $1,552 per year, according to Insureon's customer data, with 41 percent of their policyholders paying under $100 per month. That typically buys a $1,000,000 limit with a retention between $1,000 and $2,500.
Premiums scale with what an underwriter sees as your exposure: revenue, industry, the volume of personal and payment card data you hold, prior incidents, and the security controls you can attest to. A ten person consulting firm and a medical billing company with the same revenue will pay very different rates because the billing company holds protected health information.
Several pricing levers matter when you compare quotes:
- Limits and aggregate: policies carry a per agreement limit and usually an annual aggregate limit that caps everything the policy will pay in a year.
- Retention: the retention is subtracted from each loss. On the ISO form, when one event triggers multiple insuring agreements, only the single highest retention applies, but many proprietary forms stack a retention per agreement. Ask which way your quote works.
- Eroding limits: on most cyber forms, defense costs reduce the limit as they are spent. A $1,000,000 policy that spends $400,000 on lawyers has $600,000 left for the judgment.
- Sublimits: extortion, social engineering, and regulatory fines are frequent sublimit targets. A $1,000,000 policy with a $100,000 ransomware sublimit is not a $1,000,000 ransomware policy.
Price is only half the comparison. The conditions attached to each coverage decide whether a claim actually pays, and wire fraud is where small businesses most often discover that the hard way.
What do cyber insurers require before they quote?
Cyber underwriters now require baseline security controls before they will offer terms, and the application asking about them becomes part of the policy itself. Multifactor authentication on email, remote access, and administrative accounts is the near universal ask. Carriers also commonly want tested offsite or offline backups, endpoint detection and response software, prompt security patching, and employee phishing training.
Weak answers no longer just raise the price. They can produce a declination, a ransomware sublimit, or a coinsurance percentage on extortion losses. Many carriers also verify from the outside, scanning your public footprint for open remote desktop ports and end of life software before they release terms.
The application deserves the same care as the policy. Because your answers are representations the insurer relies on, a misstatement discovered after a loss can void coverage, and on forms like the ISO policy that consequence reaches the whole organization if a CEO, CFO, or general counsel knew the truth. If the application says every account has MFA and the claim reveals an exception, expect a fight. Answer precisely, and if a control is only partially deployed, say so and let the underwriter price it.
How does the claims made structure affect your coverage?
The liability side of a cyber policy is written on a claims made and reported basis, which changes how you have to manage the policy over time. Coverage applies only when a claim is first made against you during the policy period and reported to the insurer quickly, no later than 60 days after the policy period ends on the ISO form. The declarations show a retroactive date, and wrongful acts before that date are never covered.
This is the same trap that catches professional liability buyers, explained in our guide to occurrence vs claims made policies: when you switch carriers, the new policy must carry your original retroactive date or you lose coverage for the gap years.
Two details are worth negotiating. If the declarations show no retroactive date, the policy may provide full prior acts coverage, which is the strongest position a buyer can hold. And breaches are often discovered long after they happen, so the first party side includes a 60 day extended discovery window after expiration, while the liability side offers a basic 60 day extended reporting period with longer tails available for purchase.
Report early and report everything. A circumstance noticed to the insurer during the policy period locks in coverage even if the lawsuit arrives years later.
Frequently asked questions
Does a BOP or general liability policy cover cyber attacks?
Not meaningfully. The CGL states that electronic data is not tangible property and includes a mandatory endorsement limiting cyber exposure, while BOP and commercial property forms provide only small electronic data sublimits tied to a narrow set of perils. Cyber endorsements can be added to these policies, but they carry sublimits well below real breach costs. A stand-alone cyber policy is the reliable route for a small business.
Does cyber insurance cover ransomware payments?
Yes, under cyber extortion coverage. The ISO form pays the ransom itself, including payments in cryptocurrency, plus negotiator fees, reward payments, and even interest on a loan taken to fund a fast payment. Conditions apply: you generally must confirm the event is real, try to restore from backups, notify the insurer before paying, and get the payment approved. Many policies also require you to keep the existence of extortion coverage confidential so attackers cannot price their demand to your limit.
What is a retroactive date on a cyber policy?
It is the earliest date of wrongful acts the liability coverage will respond to. A claim made during the policy period is covered only if the underlying act happened on or after the retroactive date. When you change carriers, matching your original retroactive date preserves coverage for past years. If the declarations show no retroactive date, the policy may provide full prior acts coverage, though the policy terms should be read closely to confirm it.
Is cyber insurance required by law?
No state requires businesses to buy cyber insurance. But every state has a breach notification law that applies whether or not you are insured, and privacy regulations like HIPAA and the CCPA impose obligations and penalties on top. The practical requirement usually comes from contracts: larger customers, lenders, and government agencies increasingly demand proof of cyber coverage from their vendors.
This guide is for educational purposes and summarizes standard ISO policy language. Your policy's specific terms, conditions, and endorsements control. Talk to a licensed broker about your actual exposures.




