
Cyber Liability Insurance for small businesses

Cyber liability insurance covers the costs a business incurs from data breaches, ransomware attacks, and other cyber incidents — including forensics, customer notification, credit monitoring, legal defense, and regulatory penalties.

Median monthly premium for cyber liability insurance: $145 (source: Insureon)

Most common coverage limits: $1M per claim / $1M aggregate (smaller businesses); $5M+ for higher-revenue or regulated-data accounts

Cyber liability insurance covers the costs a business incurs from data breaches, ransomware attacks, and other cyber incidents — forensic investigation, customer notification, credit monitoring, legal defense, regulatory penalties, and lost revenue from business interruption.1 All 50 states have breach-notification laws requiring businesses to notify affected individuals (and, in many states, state regulators) after certain types of data breaches, which creates enforceable legal obligations and direct costs regardless of business size.2 Across Insureon's small-business marketplace, small businesses pay a median of approximately $134–$140 per month for cyber liability, with the full annual premium range running $400 to over $8,000 depending on industry, data handled, and coverage limits.3 Cyber incidents specifically targeting small businesses have become disproportionately common because small businesses typically have weaker defenses than large enterprises — which is why cyber coverage has migrated from an optional specialty policy to a near-mandatory line for any business handling customer data.

This page walks through who needs cyber liability, the first-party vs. third-party coverage structure, what it covers, what it doesn't, how to size limits, and which carriers in our coverage set are the stronger cyber options.

Who needs cyber liability

Any modern business. The qualifying pattern is not whether a business is in a "cyber-exposed" industry but whether it stores customer data, payment information, employee information, or proprietary digital assets — which effectively means every business operating in 2026.2

  • Businesses storing payment card data — retailers, restaurants, e-commerce, service businesses taking credit cards. PCI-DSS compliance and state breach-notification laws create direct legal exposure.
  • Businesses handling personally identifiable information (PII) — every business with customers, employees, or vendors has PII exposure. HR records, customer databases, email lists all qualify.
  • Businesses handling protected health information (PHI) — healthcare providers, wellness businesses, employer-sponsored health plans face HIPAA-specific obligations that make cyber particularly important.
  • Technology companies and SaaS — cyber is the primary insurance exposure for tech businesses. Data breaches, ransomware, and cyber extortion are core risks, not peripheral.
  • Professional services firms — accountants, lawyers, consultants, marketing agencies handle client confidential data with privacy obligations.
  • Small retailers and e-commerce businesses — payment-card breaches at small retailers are common; breach-notification and PCI-DSS remediation costs are substantial relative to business size.

Why cyber is particularly important for small businesses:

  • Breach-notification laws apply regardless of business size.
  • Forensic and legal costs after a breach run $20,000-$100,000+ even for small incidents.
  • Ransomware ransoms have averaged $100K-$500K+ for small-business targets.
  • Business interruption from a ransomware attack can close a small business for days or weeks.

Industry-specific context: See saas-tech, it-consultants, ecommerce-retail, accountants, lawyers, consultants, and real-estate industry pages for industry-specific cyber risk patterns.

What cyber liability covers

Cyber policies are typically split into first-party (the insured's own costs) and third-party (claims against the insured) coverage:1

First-party coverages:

  • Forensic investigation — cost of determining how the breach occurred, what data was accessed, and what notifications are required.
  • Legal counsel (breach counsel) — pre-negotiated breach attorneys who advise on notification obligations and regulatory response.
  • Notification costs — costs of notifying affected individuals and regulators per state breach-notification laws.
  • Credit monitoring and identity theft services — typically offered to affected individuals for 12-24 months.
  • Public relations and crisis management — reputation-management spend during and after an incident.
  • Business interruption — lost revenue and continuing expenses while operations are impaired by the cyber incident.
  • Data restoration — costs of rebuilding or recovering data destroyed or encrypted during an attack.
  • Cyber extortion and ransomware — ransomware payments (where legally permissible) and negotiation fees.
  • Funds transfer fraud and social engineering — often a sublimit; covers losses from wire-transfer fraud, business-email compromise, and social-engineering scams.

Third-party coverages:

  • Privacy liability — claims by customers, employees, or business partners for breach of PII, PHI, or other privacy obligations.
  • Network security liability — claims arising from transmitting malware to third parties, or allowing third-party systems to be compromised through the insured's vulnerabilities.
  • Media liability — defamation, copyright infringement, or other online-content claims.
  • Regulatory defense and fines — defense costs for state AG inquiries, FTC actions, HIPAA enforcement, and (where insurable by state law) regulatory fines.

Active Insurance / risk-monitoring integration. Some cyber carriers — notably Coalition — bundle real-time cyber risk monitoring into the policy itself, scanning the policyholder's exposed attack surface and providing remediation signals integrated with underwriting. This is a relatively new product design that separates cyber-specialist carriers from generalist commercial cyber offerings.4

What cyber liability doesn't cover

Cyber is scoped to digital and data incidents. Standard exclusions:1

  • Bodily injury and physical property damage — addressed by general liability and commercial property. Cyber-physical events (where a cyber attack causes physical damage) create coverage-allocation complexity that cyber and property policies jointly address.
  • Intentional acts by insiders — intentional malicious acts by the insured or its employees are typically excluded.
  • Acts of war and state-sponsored attacks — cyber policies in the last few years have sharpened war-exclusion language, particularly after Russia/Ukraine geopolitical cyber activity. This is a fast-evolving exclusion area.
  • Prior known incidents — incidents occurring before the policy's retroactive date.
  • Failure to maintain minimum security practices — some carriers exclude claims where the insured failed to maintain specified security controls (MFA, patching, backups, EDR).
  • Physical replacement of hardware beyond restoration — replacement of damaged or bricked hardware is typically addressed by commercial property; cyber covers data restoration costs, not hardware replacement.
  • Contract-based damages — liquidated damages, penalties, or liability assumed under contracts beyond the scope of normal business operations.
  • Patent and IP disputes — addressed by dedicated IP-protection products.

Policy limits and how to choose them

Cyber limits are per-claim and aggregate, with specific sublimits for common coverage parts.

Typical limit structures for small business:

  • $250K–$500K per incident / $500K–$1M aggregate — minimum for most small businesses; frequently insufficient for ransomware or data-breach events.
  • $1M–$2M per incident / $2M aggregate — common for small businesses with meaningful data holdings.
  • $3M–$5M+ — tech, SaaS, e-commerce, or data-heavy businesses.

Common sublimits worth checking:

  • Ransomware / cyber extortion — increasingly sublimit-capped (often $250K-$500K even on $1M+ total policies) due to the 2021-2024 ransomware-market hardening.
  • Business interruption — often a separate sublimit; the key question is the waiting period (hours before BI coverage triggers) and the indemnity period.
  • Funds transfer fraud / social engineering — typically sublimited $100K-$250K on $1M+ policies.
  • Regulatory fines — where insurable, typically sublimited relative to the overall policy limit.

Retention / deductible structures. Cyber retentions vary widely — $1,000-$25,000+ for small business. Higher retentions reduce premium; the trade-off matters because cyber claims often trigger quickly.

When to size up limits:

  • Data volume. Companies handling substantial PII, PHI, or payment-card data need higher limits.
  • Regulated industries. HIPAA-covered entities, PCI-DSS level 1/2 merchants, financial-services businesses.
  • Prior cyber events. Any prior incident typically triggers higher limits at renewal.
  • Industry targeting patterns. Tech, healthcare, and professional services are more frequently targeted.

Cost and how to buy cyber

For full cost analysis with industry breakdowns, top carriers by published starting price, and 2026 benchmark data, see our cyber liability insurance cost guide.

Marketplace cost data. Insureon reports small-business cyber liability median at $134-$140/month, with annual premiums ranging $400 to over $8,000.3 Cyber pricing has been dynamic in the last few years — the 2021-2024 ransomware market hardening raised premiums substantially, with some segments seeing 2-3x increases before moderating.

What drives cyber price:

  • Industry. Healthcare, financial services, tech, professional services, and e-commerce face higher premium loads.
  • Data volume and type. More PII/PHI/payment-card data = higher premium.
  • Security posture. MFA, EDR, patching discipline, backup practices, and incident-response planning all affect underwriting. Carriers increasingly require attestations and sometimes security assessments.
  • Prior claims. Any prior cyber event raises premium materially.
  • Revenue. Premium scales with revenue as a proxy for exposure.
  • Coverage limits and sublimits. Higher limits and broader sublimits scale premium.

Carriers and placement paths:

  • Coalition — cyber specialist MGA with Active Insurance model; floor $83/mo, range $83-$625/mo published.5 Munich Re / Arch / Allianz panel.
  • Hiscox — standalone cyber from $30/mo on A-rated US paper.6
  • Embroker — cyber as part of the Startup Package on Munich Re-backed paper for tech/startup companies.7
  • NEXT Insurance — cyber as an add-on to GL or BOP from $4/mo; not a standalone cyber product.8
  • The Hartford — cyber as part of the 10-line direct-bind ladder; starting price not publicly published.9
  • biBerk — cyber as an add-on, not standalone.

What underwriters evaluate: industry, revenue, employee count, data types and volumes handled, regulatory requirements (HIPAA, PCI-DSS, state privacy laws), security stack (EDR, MFA, email security, backup practices), incident history, third-party vendor relationships with data access, and cyber incident-response planning.

State-by-state requirements for cyber liability

Cyber liability is not mandated by state business law in any of the 50 states as a universal requirement.1 However, cyber-adjacent regulatory frameworks create strong functional pressure to carry cyber coverage:

  • All 50 states have data breach notification laws. Every state requires businesses to notify affected individuals (and, in many states, state regulators) after certain types of data breaches involving personal information. Notification costs alone — legal review, mailing/email notification, credit monitoring offerings — regularly exceed $20,000-$50,000 even for modest breaches.
  • HIPAA (federal) — healthcare providers and business associates handling PHI face specific cyber security and breach-notification obligations with substantial penalties for violations.
  • NY DFS Cybersecurity Regulation (23 NYCRR 500) — financial services companies regulated by NY DFS face explicit cybersecurity program requirements.10
  • California Consumer Privacy Act (CCPA) / CPRA — California creates specific breach-related obligations and private right of action for certain breaches.11
  • State attorney-general enforcement — state AGs increasingly enforce breach-notification and data-security obligations through enforcement actions.
  • Texas, Florida, other states — most state DOIs regulate the commercial cyber insurance market without mandating cyber coverage directly.12, 13

Multi-state operations. Businesses operating across multiple states face the most restrictive applicable breach-notification law. Cyber policies respond to regulatory obligations in all 50 states regardless of the business's operating footprint.

Frequently asked questions

Do small businesses really need cyber insurance?

Yes. Small businesses are disproportionately targeted because they typically have weaker defenses than large enterprises.2 Breach-notification laws in all 50 states create direct legal obligations regardless of business size; forensic and legal costs after a breach regularly run $20K-$100K+ even for small incidents.

How much does cyber insurance cost?

Insureon's aggregated small-business data shows a median of $134-$140/month with annual premiums ranging $400 to over $8,000.3 Cyber is more expensive than most other small-business lines because claim frequency and severity are both higher than most commercial categories.

What's the difference between first-party and third-party cyber coverage?

First-party covers the insured's own costs (forensics, notification, BI, ransomware). Third-party covers claims brought by others (customers, regulators, business partners). A complete cyber policy includes both.

Does cyber insurance cover ransomware payments?

Where legally permissible, yes — most cyber policies cover ransomware payments, though 2021-2024 market hardening has led to lower ransomware sublimits and more carriers requiring prior approval before paying ransoms. Some policies have moved to coverage requirements like MFA and EDR as conditions of ransomware coverage.

Is cyber coverage required by law?

No state mandates cyber coverage as a business requirement. But breach-notification laws in all 50 states, HIPAA (for healthcare), PCI-DSS (for payment-card handling), and NY DFS Cybersecurity Regulation (for financial services) create enforceable legal obligations that generate cyber-relevant costs regardless of insurance coverage.

What's the difference between cyber and technology E&O?

Technology E&O covers claims by clients alleging technology-product or service failures. Cyber covers breaches, ransomware, and data incidents affecting the insured itself and third-party claims arising from them. Tech companies frequently carry both; Coalition's cyber and Embroker's Tech E&O in the Startup Package are the common placements.

How do I know if my security practices qualify for coverage?

Most cyber underwriters now require security attestations: MFA on remote access, EDR on endpoints, documented patching, segregated backups, incident-response planning. Some carriers run non-intrusive external security scans as part of the quote process (Coalition's Active Insurance model is the clearest example). Gaps in basic security practices are increasingly treated as underwriting disqualifiers, not just premium-pricing factors.

What's the Active Insurance model?

Coalition pioneered "active insurance" — integrating real-time cyber risk monitoring into the policy itself. The Coalition Control platform continuously scans the policyholder's exposed attack surface and feeds signals into underwriting and remediation recommendations. Traditional cyber insurance is policy-issued and forgotten until a claim; active insurance is designed to reduce claim frequency through pre-incident visibility.

Do I need standalone cyber or is a BOP add-on enough?

It depends on the level of cyber exposure. For businesses with minimal digital exposure — a small retail store with no customer database, a local service business with minimal data — a BOP cyber add-on or NEXT's $4/mo cyber add-on may be sufficient. For tech companies, SaaS, e-commerce, healthcare providers, or any business where cyber is a material primary exposure, a dedicated standalone cyber policy from Coalition or Hiscox is meaningfully more capable.

Cyber liability pairs with several related lines:


Citations

  1. Cyber Insurance — https://www.insureon.com/small-business-insurance/cyber-liability

  2. Is Cyber Insurance Worth It for Small Businesses? — https://www.insureon.com/blog/is-cyber-insurance-worth-it

  3. Cyber Insurance Cost — https://www.insureon.com/small-business-insurance/cyber-liability/cost

  4. Best Cyber Insurance Companies — https://www.insureon.com/small-business-insurance/cyber-liability/best-companies

  5. Coalition — How Much Does Cyber Insurance Cost? — https://www.coalitioninc.com/topics/cyber-liability-insurance-cost

  6. Hiscox Cyber Security Insurance — https://www.hiscox.com/small-business-insurance/cyber-security-insurance

  7. embroker.com — Startup Insurance — https://www.embroker.com/coverage/startup-insurance/

  8. NEXT Cyber Liability Insurance — https://www.nextinsurance.com/cyber-liability-insurance/

  9. The Hartford — Business Insurance — https://www.thehartford.com/business-insurance

  10. New York State Department of Financial Services — https://www.dfs.ny.gov

  11. California Department of Insurance — https://www.insurance.ca.gov

  12. Texas Department of Insurance — https://www.tdi.texas.gov

  13. Florida Office of Insurance Regulation — https://www.floir.com

Find your match

See which carriers fit your business.

Tell us about your business. We'll rank the carriers in our coverage set by industry fit, state availability, and your selected coverages.

Top carriers

Compare top cyber liability insurance carriers

Recommended carriers for this coverage, ranked against our 6-dimension methodology.

Sub-threshold = fewer than 20 NAIC complaints in 3 years (data is too sparse to score reliably). N/A (broker) = not a carrier. See full methodology →

Carrier | Our score | Positioning | Starting price | Coverage | Claims | AM Best | NAIC index | States | Quote channel
Coalition | 7.7 | Tech & data-handling specialist | Cyber $83/mo | 8.5/10 | 8.0/10 | A | Sub-threshold | 50 states | Direct online
Hiscox | 7.0 | Professional services E&O focus | GL $30/mo | 7.5/10 | 8.0/10 | A | 8.15 | 50 states | Direct online
Embroker | 7.0 | Venture-backed tech & SaaS | (not listed) | 7.0/10 | 7.0/10 | (not listed) | N/A (broker) | 50 states | Broker portal
NEXT Insurance | 7.8 | Digital-native micro-business | Cyber $4/mo | 7.0/10 | 7.5/10 | A+ | Sub-threshold | 50 states | Direct online
The Hartford | 7.9 | Single-carrier program for SMBs | GL $68/mo | 9.0/10 | 8.0/10 | A+ | Sub-threshold | 50 states | Direct online
biBerk | 7.2 | Berkshire-backed contractual umbrella | GL $28/mo | 8.0/10 | 8.0/10 | A++ | 13.25 | 50 states | Direct online

(Carrier names in the first column were not captured with the table and are restored from the carrier list in the "Cost and how to buy cyber" section, which names the same six carriers in the same order.)

About complaint index data: Values are 3-year averages from NAIC Consumer Information Source for commercial liability. Carriers with fewer than 20 complaints in the 3-year window are labeled "sub-threshold". This is a reliability call about data volume, not a finding about the carrier. Brokers (Category D) are structurally N/A. See our complete methodology.

Full per-carrier analysis lives in each carrier review. See our scoring methodology for how we weight the dimensions above.
