By Ryan Windt | Head of Growth Marketing | Updated April 2026
Small businesses are the most targeted segment in cybercrime. Not because attackers have a grudge against small operators, but because small businesses combine three things that make them attractive: real money to steal, sensitive data worth taking, and security postures that are significantly weaker than the enterprises attackers once focused on.
The FBI’s 2025 Internet Crime Report recorded more than $20 billion in cybercrime losses across the United States, and a majority of the incidents behind that number involved small and mid-sized businesses. The average cost of a data breach for a small business now falls between $120,000 and $1.24 million when you factor in forensics, legal fees, notification costs, regulatory fines, and business interruption. Most small businesses do not have that kind of cash sitting idle.
Cyber insurance exists to cover exactly that gap. This guide explains what small businesses actually need, what it costs, what it covers, and what underwriters want to see when you apply.
Do Small Businesses Actually Need Cyber Insurance?
If your business stores customer data, processes payments, uses business email, or depends on any cloud-based software to operate, the answer is yes.
The idea that cyber risk belongs to large enterprises is one of the most expensive misconceptions in small business risk management. Attackers have industrialized their operations using ransomware-as-a-service platforms, automated phishing kits, and credential stuffing tools that hit thousands of small businesses simultaneously at almost no cost. According to Cybersecurity Ventures, 43% of cyberattacks target small businesses, and 60% of small businesses that suffer a significant cyber incident close within six months.
Your general liability policy does not cover this. Your business owner’s policy typically does not cover it either, or covers it so narrowly that it would not respond to a real incident. Standalone cyber insurance is the only coverage structure designed specifically for these losses.
What Does Cyber Insurance Cost for Small Businesses?
Premiums for small businesses are more accessible than most owners expect. Here is what current market data shows for $1M in cyber liability coverage:
| Business Size | Annual Revenue | Typical Annual Premium | Typical Monthly Cost |
|---|---|---|---|
| Micro Business | Under $1M | $500 to $1,500 | $42 to $125/mo |
| Small Business | $1M to $5M | $1,200 to $3,000 | $100 to $250/mo |
| Small Business | $5M to $10M | $2,500 to $5,000 | $210 to $415/mo |
| Lower Mid-Market | $10M to $25M | $5,000 to $12,000 | $415 to $1,000/mo |
The median small business cyber premium runs approximately $134 to $145 per month based on current market data from Insureon and TechInsurance. Industry plays a significant role on top of revenue. Healthcare-adjacent businesses, financial services firms, and technology companies pay more than professional services, retail, or trades businesses at the same revenue level because of data sensitivity, regulatory exposure, and claims frequency.
Security controls are the other major lever. Businesses with multi-factor authentication on all accounts, endpoint detection and response deployed on all devices, and tested backup and recovery procedures qualify for materially better rates. The difference can be 20 to 30% on your annual premium.
For a full breakdown of every pricing variable, see our 2026 cyber insurance pricing guide.
Why Small Businesses Are High-Value Targets
You hold more sensitive data than you probably realize. Customer payment information, employee Social Security numbers, healthcare records if you offer benefits, vendor banking details, client contracts, and confidential communications all have value to attackers and create regulatory exposure for you.
Your security stack is limited. Most small businesses do not have dedicated IT security staff. Security decisions get made by whoever manages the computers, or they do not get made at all. Attackers know this.
You are connected to larger organizations. Small businesses that serve as vendors, subcontractors, or suppliers to larger companies are increasingly targeted as a path into those larger networks. Supply chain attacks now account for a growing share of total cyber losses. The breach does not have to start at the enterprise level.
Recovery is harder without reserves. A large enterprise that suffers a $500,000 breach has the cash flow and legal infrastructure to absorb it. A 15-person professional services firm hit with the same incident may not survive it.
What Cyber Insurance Covers for Small Businesses
A well-structured cyber policy covers both your own losses and claims made against you by others.
First-Party Coverage: Your Own Losses
Business interruption. If a ransomware attack or system breach forces your business offline, business interruption coverage reimburses the revenue you lose and the extra expenses you incur during the recovery period. For a small business with thin margins, even a few days of downtime can create a cash flow crisis. This is often the coverage that matters most when an incident actually happens.
Forensic investigation. After an incident, you need to know what happened, how it happened, which systems were affected, and what data was exposed. Digital forensics firms specializing in cyber incidents can cost $10,000 to $50,000 or more for even a basic investigation.
Data recovery and system restoration. Rebuilding systems after ransomware or a destructive attack takes time and technical resources. Coverage includes the cost of restoring data from backups and rebuilding affected systems.
Ransomware extortion payments. Most cyber policies include cyber extortion coverage, which applies when attackers demand payment to restore your systems or withhold stolen data. Coverage includes both the ransom payment where legally permitted and access to specialist ransomware negotiators and incident response teams. For a deeper look at how this coverage works, see our post on whether cyber insurance covers ransomware payments.
Breach notification costs. If your business experiences a data breach involving customer or employee personal information, most states require you to notify affected individuals within a specific timeframe. Notification involves legal review, printing and mailing, call center setup, and often credit monitoring services for affected individuals. For a breach involving even a few thousand records, these costs add up quickly.
Crisis communications. A breach that becomes public can damage customer trust fast. Coverage can include public relations support and crisis communications management.
Third-Party Coverage: Claims Against You
Legal defense and settlements. If customers, employees, or business partners sue you after a breach that exposed their data, cyber insurance covers your legal defense costs and any resulting settlements or judgments. Class action litigation following data breaches has become increasingly common even against small businesses.
Regulatory fines and penalties. Data privacy regulations including state-level breach notification laws, HIPAA for businesses handling health information, and PCI DSS for businesses processing payment cards all carry potential fines for non-compliance following a breach. Cyber insurance can cover these costs where they are insurable under applicable law.
PCI DSS assessments. If your business processes payment cards and a breach results in a card data compromise, your payment processor can impose fines and require a costly forensic investigation at your expense. Cyber coverage can absorb these assessments.
Your existing business insurance almost certainly does not cover any of this. General liability policies explicitly exclude most cyber losses. Business owner policies have some limited cyber add-ons, but they are typically insufficient for a real incident.
The Most Common Cyber Threats Hitting Small Businesses
Understanding what you are buying protection against helps you evaluate whether your coverage matches your real exposure.
Phishing and credential theft. Phishing emails that trick employees into entering credentials on fake login pages are the starting point for the majority of small business cyber incidents. Once an attacker has a valid username and password, they can access email, file storage, banking platforms, and any other system using those credentials. For more on how this plays out and what coverage applies, see our post on how cyber insurance protects against phishing attacks.
Ransomware. Ransomware attacks encrypt your files and systems and demand payment for the decryption key. Small businesses are frequent targets because their backup and recovery capabilities are often limited, which makes them more likely to pay. The average ransomware demand targeting small businesses now runs between $50,000 and $500,000.
Business email compromise (BEC). An attacker gains access to a business email account, or convincingly spoofs one, and uses it to redirect payments, authorize fraudulent wire transfers, or manipulate payroll. BEC is the highest-dollar cybercrime category in the FBI’s annual reporting. It does not require any technical exploit. For a full explanation of how coverage works, see our post on business email compromise and cyber insurance.
Social engineering and funds transfer fraud. Closely related to BEC, social engineering attacks manipulate employees through phone calls, text messages, or email to authorize fraudulent transactions. Coverage for this exposure varies significantly by policy, and some policies apply sublimits or require specific endorsements. Our post on social engineering and funds transfer fraud coverage explains what to look for.
Data breaches. An attacker accesses your systems and exfiltrates customer, employee, or business data. Even a breach involving a small number of records triggers notification obligations and potential regulatory scrutiny. The cost of notification, credit monitoring, and legal review can easily exceed $50,000 for a breach affecting a few thousand individuals.
What Underwriters Want to See From Small Businesses
The application process for small business cyber insurance is more straightforward than most owners expect, but carriers do evaluate your security posture before binding coverage. Here is what matters most.
Multi-factor authentication. MFA on email and any externally accessible system is the single control that appears on every underwriting application. If your employees can access business email with just a username and password, that is a flag. If you have MFA deployed and can document it, that is a meaningful positive. Our MFA implementation guide walks through what carriers want to verify.
Endpoint detection and response. Traditional antivirus is no longer sufficient. Underwriters want to see EDR tools deployed on all endpoints because they provide the detection and containment capability needed to stop an attack before it spreads. Our post on EDR and cyber insurance covers what carriers require and how to document it.
Backup and recovery. Do you have backups? Are they tested? Are they isolated from your primary network so ransomware cannot reach them? Underwriters ask all three questions. Backups that are connected to the same network as the systems they back up can be encrypted along with everything else in a ransomware attack. See our guide on immutable backups and cyber insurance for the standards carriers look for.
Incident response planning. You do not need a 50-page document. You need a documented plan that identifies who is responsible for managing a cyber incident, who gets notified, and what the first steps are. Carriers view this as a signal that you have thought seriously about the risk. Our incident response plan template provides a starting point.
No recent claims or incidents. A prior breach or ransomware incident increases your rate and may require additional documentation. Clean loss history is a meaningful underwriting positive.
For a full list of what carriers require, see our cyber insurance requirements checklist.
Common Coverage Gaps Small Businesses Miss
Buying a cyber policy is not the same as being covered for everything. These are the gaps that create problems at claim time.
Sublimits on ransomware and social engineering. Some policies apply lower limits to specific coverage types. A policy with a $1M headline limit may cap ransomware payments at $250,000 or apply a separate sublimit to social engineering losses. Read the policy language carefully before binding.
Waiting periods on business interruption. Many policies include a waiting period before business interruption coverage kicks in, typically 8 to 12 hours. Short outages may not trigger coverage at all.
Exclusions for unencrypted data. If stolen data was not encrypted and your policy includes an unencrypted data exclusion, a breach involving that data may not be covered. This is a common exclusion that small businesses overlook.
No coverage for funds transfer fraud. Social engineering losses and fraudulent wire transfers are not automatically included in every cyber policy. Some carriers require a specific endorsement. Others apply sublimits that may not match your actual wire transfer volumes.
For a comprehensive look at what most policies will not cover, see our post on common cyber insurance exclusions.
How SeedPod Cyber Works With Small Businesses
SeedPod Cyber is a direct cyber insurance underwriter specializing in cyber and Tech E&O coverage for small and mid-sized businesses. We work with your existing broker or directly alongside you to find coverage that fits your risk profile and budget.
Contact us to get a quote, or learn more about coverage options for your business.
Frequently Asked Questions
If you store customer data, process payments, use business email, or rely on any cloud-based software to operate, the answer is yes. The average small business data breach costs between $120,000 and $1.24 million. Most small businesses do not have reserves to absorb that. Cyber insurance is how you transfer that financial risk.
Intentional acts, pre-existing breaches, infrastructure damage from a cyberattack (covered under property insurance), and in most cases, losses attributable to war or nation-state attacks. Coverage for social engineering and funds transfer fraud varies by policy. Our full breakdown of cyber insurance exclusions covers the most common gaps.
No. Cyber insurance is available to businesses of virtually any size. Micro businesses with under $1M in revenue can typically obtain $1M in coverage for $500 to $1,500 per year.
For most small businesses, the application is straightforward and can be completed in under 30 minutes. Quote turnaround at SeedPod Cyber is typically under 24 hours.
Your first step is to notify your insurer immediately after discovering an incident. Do not wait until you have assessed the full scope of the damage. Early notification triggers the carrier’s incident response resources, which typically include forensic investigators, legal counsel, and ransomware negotiators available to you immediately. For a full walkthrough of the process, see our guide on how to file a cyber insurance claim and our post on what happens after you file a cyber insurance claim.
Yes, in most cases. Carriers will want documentation of what happened, what remediation steps you took, and what controls you have in place today. Prior incidents typically result in higher premiums and may require endorsements addressing specific exposures, but coverage is generally still available for businesses that have remediated the underlying vulnerabilities.