Cyber Insurance Deductibles Explained: SIR, Retention, and What You Actually Owe When You File a Claim

By Ryan Windt | Head of Growth Marketing | Updated April 2026


Most businesses shopping for cyber insurance spend the majority of their time focused on the limit. How much coverage do I have? Is $1 million enough? Should I go to $2 million?

Those are legitimate questions. But there is a second number in your policy that determines how much you pay out of pocket before your insurance kicks in, and it often gets far less attention than it deserves. That number is your deductible, or in many cyber policies, your self-insured retention.

They sound similar. They are structured differently. And confusing them can lead to surprises when you actually file a claim.

This post explains how cyber insurance deductibles and self-insured retentions work, how they interact with your coverage limits and sublimits, and what to think about when choosing the right number for your business.


Deductible vs. Self-Insured Retention: What Is the Difference?

In most insurance lines, a deductible is straightforward. Your insurer pays the full claim and then bills you for your share. Or the insurer pays the amount above your deductible and closes the file.

Cyber insurance often works differently.

Many cyber policies use a self-insured retention structure rather than a traditional deductible. The distinction matters in practice.

With a traditional deductible, the insurer often takes the lead immediately when a claim is reported. They engage vendors, coordinate the response, and pay the full invoice. You reimburse them for the deductible amount afterward, or they simply reduce your payout by that amount.

With a self-insured retention (SIR), you are responsible for funding and managing the first layer of the response yourself, up to the retention amount. Your insurer does not step in until your out-of-pocket costs have reached the SIR threshold. You are not reimbursed for the SIR amount. You absorb it.

For a $25,000 SIR on a $200,000 incident, that means you are funding and managing the first $25,000 of forensics, legal counsel, and notification costs before your insurer engages. For a small business, that distinction is not trivial.

Some policies use the terms interchangeably. Read your policy language carefully or ask your underwriter which structure applies.


How Deductibles Are Structured in Cyber Policies

Cyber deductibles are typically applied per occurrence, meaning each separate incident triggers its own deductible. If your business suffers a ransomware attack in March and a separate phishing incident in October, you pay your deductible twice.

Some policies include an aggregate cap on how many times your deductible applies in a policy year, but this is not universal. If your policy does not specify an aggregate, assume you are exposed to multiple deductible payments in a bad year.

Deductible structures you will commonly see in cyber policies:

Flat per-occurrence deductible. The same dollar amount applies to every covered claim regardless of the type or size of the incident. This is the most common structure for small and mid-market policies.

Coverage-specific deductibles. Some policies apply different deductible amounts depending on the coverage type triggered. Your ransomware deductible might be $10,000 while your funds transfer fraud deductible is $25,000. Policies with sublimits often have coverage-specific retentions built in alongside the sublimit.

Percentage-based deductibles. Less common in cyber, but some larger policies use a deductible expressed as a percentage of the total loss rather than a flat dollar amount. At scale, a 2% deductible on a $5 million incident is $100,000.

Coinsurance clauses. A small number of policies include coinsurance provisions that require the policyholder to share a percentage of every covered loss above the deductible. These are more common in property insurance but do appear in some cyber forms, particularly for business interruption coverage.


How Deductibles Interact With Sublimits

This is where deductible planning gets more complex, and where most buyers get caught off guard.

Cyber policies frequently include sublimits, which are coverage caps that apply to specific loss categories within your overall policy limit. Common sublimits include ransomware payments, funds transfer fraud, social engineering, and breach notification costs.

If your policy has both a sublimit and a deductible for the same coverage type, both apply.

Here is a straightforward example.

Your policy has a $1 million overall limit. Your ransomware sublimit is $250,000. Your ransomware deductible is $10,000.

A ransomware incident causes $300,000 in losses.

Your maximum recovery from the ransomware sublimit is $250,000, not $300,000. Your insurer then subtracts your $10,000 deductible from that sublimit-capped amount. Your insurer pays $240,000. You absorb $60,000: the $10,000 deductible plus the $50,000 gap between your sublimit and your actual loss.

If you had assumed your $1 million policy would cover a $300,000 ransomware incident in full, you would have been wrong by $60,000.

This interaction is one of the primary reasons to review your sublimits and deductibles together, not separately, when evaluating a policy. For a deeper look at how sublimits work across different coverage types, see our post on cyber insurance sublimits explained.


Deductibles and Business Interruption Coverage

Business interruption coverage deserves separate attention when evaluating your deductible structure, because the deductible for business interruption is often expressed differently than the deductible for other coverage types.

Many cyber policies apply a time-based waiting period to business interruption coverage rather than a dollar-based deductible. The waiting period is the period of time that must elapse after an incident before business interruption losses begin to accrue under the policy.

Common waiting periods are 8 hours, 12 hours, or 24 hours.

If your policy has a 24-hour waiting period and your systems are down for 18 hours, your business interruption coverage does not respond at all, regardless of how much revenue you lost during those 18 hours.

If your policy has a 12-hour waiting period and your systems are down for 4 days, your insurer begins calculating covered loss starting at hour 13, not from the moment the incident began.

For businesses where even a few hours of downtime represents significant revenue loss, such as e-commerce companies, SaaS platforms, or financial services firms, the waiting period functions as a material economic deductible. It is a negotiable term at placement.

Some policies also include a separate dollar-based deductible on top of the waiting period for business interruption claims. Read your policy carefully.
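To make the arithmetic in the two sections above concrete, here is a small Python model of a single cyber claim. It is an added illustration, not code from the original post or from SeedPod Cyber. The order of operations (sublimit cap first, then deductible, then any coinsurance share) follows the post's $300,000 ransomware example, and the waiting-period rule (only hours beyond the waiting period count) follows the post's 12-hour example. It also generalizes to the percentage deductibles and coinsurance clauses the post describes without numbers; every dollar figure, hourly revenue figure and incident in the code is constructed, and the model deliberately ignores annual aggregate limits and aggregate deductible caps.

```python
"""Single-claim model of how a deductible or SIR, a sublimit, coinsurance and a
business-interruption waiting period combine on a cyber policy.

Constructed illustration. Order of operations follows the post's worked
example: cap by sublimit, subtract the deductible, then apply coinsurance.
Annual aggregate limits and aggregate deductible caps are not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CoverageTerms:
    """Terms for one coverage type (ransomware, funds transfer fraud, ...)."""
    deductible: float                 # flat dollars, or a fraction if percent_deductible
    sublimit: Optional[float] = None  # None: only the overall policy limit caps it
    percent_deductible: bool = False  # True: deductible is a fraction of the loss (0.02 = 2%)
    coinsurance: float = 0.0          # insured's share of covered loss above the deductible


def deductible_amount(loss: float, terms: CoverageTerms) -> float:
    """Dollar deductible for this loss; percentage deductibles scale with the loss."""
    return loss * terms.deductible if terms.percent_deductible else terms.deductible


def claim_split(loss: float, terms: CoverageTerms, overall_limit: float) -> tuple[float, float]:
    """Return (insurer_pays, insured_absorbs) for one covered incident.

    1. Recoverable amount is capped by the sublimit (and the overall limit).
    2. The deductible is subtracted from that capped amount.
    3. Any coinsurance share of the remainder stays with the insured.
    Whatever the insurer does not pay is absorbed, including the gap between
    the sublimit and the actual loss.
    """
    cap = overall_limit if terms.sublimit is None else min(terms.sublimit, overall_limit)
    capped = min(loss, cap)
    after_deductible = max(0.0, capped - deductible_amount(loss, terms))
    insurer_pays = after_deductible * (1.0 - terms.coinsurance)
    return insurer_pays, loss - insurer_pays


def bi_covered_hours(hours_down: float, waiting_period_hours: float) -> float:
    """Outage hours that count toward a business-interruption claim.

    Nothing accrues until the waiting period has elapsed: an 18-hour outage
    against a 24-hour waiting period yields zero covered hours.
    """
    return max(0.0, hours_down - waiting_period_hours)


def bi_claim_split(hours_down: float, waiting_period_hours: float, hourly_loss: float,
                   terms: CoverageTerms, overall_limit: float) -> tuple[float, float]:
    """Business-interruption claim: covered hours become dollars, then any dollar
    deductible or sublimit sitting on top of the waiting period is applied."""
    covered_loss = bi_covered_hours(hours_down, waiting_period_hours) * hourly_loss
    insurer_pays, _ = claim_split(covered_loss, terms, overall_limit)
    total_loss = hours_down * hourly_loss
    return insurer_pays, total_loss - insurer_pays


def policy_year_split(incidents: list[tuple[float, CoverageTerms]],
                      overall_limit: float) -> tuple[float, float]:
    """Sum separate incidents in one policy year. Each occurrence triggers its
    own deductible; no aggregate cap on deductibles is assumed."""
    paid = absorbed = 0.0
    for loss, terms in incidents:
        p, a = claim_split(loss, terms, overall_limit)
        paid += p
        absorbed += a
    return paid, absorbed


if __name__ == "__main__":
    # The post's ransomware example: $1M limit, $250k sublimit, $10k deductible.
    ransomware = CoverageTerms(deductible=10_000, sublimit=250_000)
    print(claim_split(300_000, ransomware, 1_000_000))          # (240000.0, 60000.0)
    # 12-hour waiting period, 4-day outage, constructed $1,000/hour revenue loss.
    print(bi_claim_split(96, 12, 1_000.0, CoverageTerms(deductible=0), 1_000_000))
    # Two separate incidents in one year: the flat deductible is paid twice.
    flat = CoverageTerms(deductible=10_000)
    print(policy_year_split([(50_000, flat), (20_000, flat)], 1_000_000))
```

Run it as a script to reproduce the post's $240,000 / $60,000 split; swap in your own policy's sublimits, deductibles and waiting period to see the worst case for each coverage type before renewal.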


How Deductible Size Affects Premium

Higher deductibles lower premiums. This is true in cyber just as it is in every other insurance line, but the premium sensitivity varies by company size and risk profile.

For small businesses (under $5 million in revenue), moving from a $5,000 deductible to a $25,000 deductible may produce a 10 to 20 percent premium reduction. Whether that trade-off makes sense depends on whether you have $25,000 available in liquid reserves to fund an incident response before your insurer engages.

For mid-market companies ($10 million to $100 million in revenue), the premium impact of deductible selection is more pronounced because the underlying premium is larger. A $50,000 SIR versus a $10,000 SIR on a $30,000 annual premium policy might save $4,000 to $6,000 per year, but it shifts meaningful out-of-pocket exposure back to the insured.

The right deductible is the highest number you can genuinely absorb in a single incident without straining cash flow or operations, not the highest number that generates the most premium savings.


What Underwriters Think About Deductible Selection

Underwriters generally view a policyholder’s deductible selection as a signal of risk awareness and financial health.

A business that selects the lowest available deductible without being able to articulate why sends a different signal than a business that has evaluated its incident response budget, assessed its cash reserve position, and made a deliberate choice.

Underwriters also pay attention to whether the deductible and limit selections are internally consistent. A business purchasing a $5 million limit with a $1,000 deductible on a policy covering a hundred employees is sending a mixed signal. The limit implies serious exposure; the deductible implies limited appetite for financial participation.

At SeedPod Cyber, we work directly with carriers, which means we can help you structure your deductible and limit selection in a way that tells a coherent story to the underwriter and supports better pricing and coverage terms.


Choosing the Right Deductible: A Framework

When evaluating your deductible or SIR, work through these four questions.

1. What can you actually absorb? If an incident happened tomorrow, how much could you spend on forensics, legal counsel, and notification before it created a genuine cash flow problem? That number should anchor your deductible selection.

2. What does your SIR require you to manage? Under an SIR structure, you are not just absorbing cost. You are managing the early phase of the response. Do you have the internal resources or retained vendors to do that effectively?

3. How does your deductible interact with your sublimits? Review each coverage type with a sublimit and confirm you understand the worst-case scenario if a covered incident hits that sublimit cap and you still owe a deductible on top.

4. Are the premium savings worth the exposure? Run the math. If a higher deductible saves $3,000 per year and shifts $20,000 in additional exposure to you, you need roughly seven claim-free years to break even. That may or may not be a reasonable bet depending on your industry and risk profile.


The Bottom Line

Your deductible, or self-insured retention, is not a number to minimize by default or maximize for premium savings. It is a financial commitment that shapes how your policy responds in the moments that matter most.

Understanding how it interacts with your sublimits, how it applies to business interruption waiting periods, and how it positions you with underwriters at renewal is part of owning your cyber insurance program, not just purchasing it.

If you want to review how your current deductible structure fits your actual risk exposure, contact SeedPod Cyber. We work directly with carriers and can help you evaluate whether your current structure is working for you.
