Cyber Insurance Cost for Small Business: Real Numbers by Size and Industry
What small businesses actually pay for cyber insurance - premiums by employee count, industry, and coverage limit, plus the factors that move your rate up or down.
Written by Alex Morgan
Reviewed by Maria Reyes

Cyber insurance pricing has become more predictable over the past two years after a volatile run from 2020 to 2022 that saw premiums double or triple for many businesses. Underwriters now have real claims data, and they price based on specific risk factors they can actually measure. The ranges below reflect current market conditions as of early 2026.
Average Cyber Insurance Cost by Business Size
Business size - measured by employee count and annual revenue - is one of the primary rating factors underwriters use. More employees means more potential entry points for phishing attacks; higher revenue means higher stakes for ransomware operators and more regulatory exposure.
Solo operators and microbusinesses (1 to 5 employees, under $500K revenue): $400 to $900 per year for $500,000 in coverage; $600 to $1,200 per year for $1 million in coverage. This is the most affordable tier, though underwriters are increasingly requiring MFA documentation even at this size.
Small businesses (6 to 25 employees, $500K to $2M revenue): $700 to $1,500 per year for $1 million in coverage; $1,200 to $2,500 per year for $2 million in coverage. Premium variability in this band depends heavily on industry and security practices.
Mid-size small businesses (26 to 100 employees, $2M to $10M revenue): $2,000 to $5,000 per year for $1 million in coverage; $3,500 to $8,000 per year for $2 million in coverage. At this size, underwriters conduct more detailed security questionnaires and often require documented security policies.
These are standalone cyber policy ranges. BOP cyber endorsements are cheaper - often $200 to $600 per year - but they cap coverage at $50,000 to $100,000, which is insufficient for most real incidents.
How Industry Affects Your Premium
Industry classification drives significant premium variance - sometimes as much as 200 to 300 percent between low-risk and high-risk categories.
Healthcare. Medical practices, dental offices, physical therapy clinics, and any HIPAA-covered entity pay the highest cyber premiums in the small business market. HIPAA breach notification costs, OCR audit exposure, and the sensitivity of health data combine to push premiums 2 to 3 times above baseline. A 10-physician practice should expect $3,000 to $8,000 per year for $1 million in coverage.
Legal services. Law firms hold confidential client communications, financial records, and privileged information that make them valuable targets. Attorney-client privilege breaches carry significant professional liability ramifications beyond the cyber claim itself. Small law firms (under 10 attorneys) typically pay $1,500 to $4,000 per year for $1 million.
Financial services. Accounting firms, financial advisors, mortgage brokers, and bookkeeping services handle tax identification numbers, banking credentials, and financial account data. Premiums run $1,200 to $3,500 per year for $1 million coverage.
Retail and restaurant. Point-of-sale systems create payment card exposure. Smaller retailers without e-commerce components pay $600 to $1,500 per year for $1 million. Adding significant online sales volume pushes this higher.
Professional services without sensitive data (marketing agencies, consulting firms, PR firms, design studios): $500 to $1,200 per year for $1 million, assuming standard security controls. These businesses face lower claims frequency because the data they hold is less immediately monetizable.
Technology companies. Software firms, IT service providers, and managed service providers face elevated cyber premiums because a breach in their systems can cascade to all their clients. MSPs in particular face strict underwriting scrutiny. Expect $2,000 to $6,000 per year for $1 million.
Underwriting Factors That Raise or Lower Your Rate
Modern cyber underwriting is detailed. Applications often include 30 to 50 questions about security practices. Here are the factors with the most impact.
Multi-factor authentication (MFA). This is the single biggest rate-reduction factor. Businesses with MFA deployed on email, remote access (VPN, RDP), and privileged accounts typically receive 10 to 20 percent better rates than those without. Some carriers now exclude ransomware coverage entirely for accounts without MFA on critical systems.
Backup practices. Encrypted, offline or cloud-separate backups that are regularly tested reduce your ransomware exposure significantly. Underwriters reward documented backup procedures. Businesses with no tested backup program may face coverage restrictions or exclusions.
Endpoint detection and response (EDR) software. Basic antivirus is no longer sufficient in most underwriters' eyes. Businesses running modern EDR tools (CrowdStrike, SentinelOne, Microsoft Defender for Business) get better rates than those with legacy antivirus only.
Claims history. A prior cyber claim raises your premium at renewal. One incident is typically manageable. Multiple claims can make coverage difficult to obtain in the standard market and push you to surplus lines carriers at higher rates.
Employee training. Regular phishing simulation training and security awareness programs are a meaningful underwriting factor. Some carriers ask specifically whether you conduct annual security training and whether you test employees with simulated phishing emails.
Revenue growth. If your revenue has grown significantly since your last renewal, your premium will increase even without any security changes. More revenue means more exposure.
Coverage Limits and How They Affect Price
The relationship between coverage limit and premium is not linear. Moving from $500,000 to $1 million in coverage does not double the premium.
A typical small business might pay $800 per year for $500,000 in coverage and $1,100 per year for $1 million - a 37 percent premium increase for double the coverage. This makes higher limits relatively efficient.
Moving from $1 million to $2 million typically adds 40 to 60 percent to the premium. A $1,100 policy might cost $1,600 to $1,800 at $2 million in limits.
Sublimits matter as much as the headline limit. A $1 million cyber policy with a $100,000 sublimit on social engineering and a $250,000 sublimit on ransomware may not provide $1 million of effective coverage for your most likely claim scenarios. Read the sublimits before buying.
Ways to Reduce Your Cyber Insurance Premium
Most premium reduction comes from security improvements, not from shopping around - though getting competitive quotes helps too.
Deploy MFA everywhere. Start with email (Microsoft 365 or Google Workspace), remote desktop access, and your accounting system. This is the single highest-impact change for both actual security and underwriting rates.
Document your backups. Implement and document a 3-2-1 backup strategy: three copies of data, on two different media types, with one stored offsite or in a separate cloud environment. Test restores quarterly and keep a log. Show this documentation to underwriters.
Run security awareness training. Annual security training with documented completion records costs $5 to $15 per employee per year through platforms like KnowBe4 or Proofpoint Essentials. This is one of the cheapest security investments with measurable underwriting impact.
Increase your deductible. Moving from a $1,000 deductible to $5,000 or $10,000 can reduce your premium by 10 to 20 percent. This makes sense if you have the cash reserves to cover the deductible in a real incident.
Get at least three quotes. Cyber pricing varies more between carriers than most other commercial lines. The same risk can see 40 to 60 percent premium variance across carriers with equivalent coverage. Use an independent broker or digital platform to compare.
Frequently Asked Questions
Is cyber insurance worth it for a small business with few employees? The cost of a basic data breach - forensics, notification letters, credit monitoring for affected customers - typically runs $50,000 to $150,000 even for a small breach. Annual premiums for small businesses start under $1,000. The math makes it worth it for virtually any business handling customer data.
Does my business owner's policy include cyber coverage? Many BOP policies offer a cyber endorsement, but these typically cap coverage at $50,000 to $100,000. That amount covers a small incident but is insufficient for a meaningful breach requiring forensics, legal defense, and customer notification. Standalone cyber coverage provides much higher limits at reasonable cost.
What is the waiting period before cyber insurance kicks in? Most cyber policies have no waiting period for data breach response costs. Business interruption coverage typically has a 6- to 12-hour waiting period before it begins paying for lost revenue. Read your specific policy for the exact terms.
How long does a cyber insurance claim take to resolve? Simple claims with clear documentation can resolve in 60 to 90 days. Complex incidents involving litigation or regulatory investigation can take 12 to 24 months. Your carrier will assign a dedicated claims team and often provide immediate access to breach response vendors as soon as you report the incident.
This article is for informational purposes only and does not constitute insurance advice. Coverage, requirements, and costs vary by state, carrier, and individual circumstances. Consult a licensed insurance agent for guidance specific to your situation.
About the author

Commercial Insurance Writer
Alex Morgan covers commercial insurance for small business owners at Dareable. He has written about business coverage, liability risks, and state insurance requirements for over five years, translating complex policy language into plain English that helps owners make confident decisions.