Cyber Insurance for Small Businesses: What You Need, What It Costs, and Why Waiting Is the Biggest Risk

By Ryan Windt | Head of Growth Marketing | Updated April 2026

Small businesses are the most targeted segment in cybercrime. Not because attackers have a grudge against small operators, but because small businesses combine three things that make them attractive: real money to steal, sensitive data worth taking, and security postures that are significantly weaker than the enterprises attackers used to focus on.

The FBI’s 2024 Internet Crime Report recorded $16.6 billion in cybercrime losses across the United States. A majority of the incidents behind that number involved small and mid-size businesses. The average cost of a data breach for a small business now falls between $120,000 and $1.24 million when you factor in forensics, legal fees, notification costs, regulatory fines, and business interruption. Most small businesses do not have that kind of cash sitting idle.

Cyber insurance exists to cover exactly that gap. This guide explains what small businesses actually need, what it costs, what it covers, and what underwriters want to see when you apply.


Why Small Businesses Are High-Value Targets

The idea that cybercriminals focus on large enterprises is outdated. Attackers have industrialized their operations with ransomware-as-a-service platforms, automated phishing kits, and credential stuffing tools that can hit thousands of small businesses simultaneously with almost no marginal cost.

Small businesses are attractive for several specific reasons.

You hold more sensitive data than you probably realize. Customer payment information, employee Social Security numbers, healthcare records if you offer benefits, vendor banking details, client contracts and confidential communications. Any of this data has value to attackers and creates regulatory exposure for you.

Your security stack is limited. Most small businesses do not have a dedicated IT security staff. Security decisions get made by whoever manages the computers, or they do not get made at all. Attackers know this and price it into their targeting.

You are connected to larger organizations. Small businesses that serve as vendors, subcontractors, or suppliers to larger companies are increasingly targeted as a path into those larger networks. The breach does not have to start at the enterprise level. It starts with you.

Recovery is harder without reserves. A large enterprise that suffers a $500,000 breach has the cash flow and legal infrastructure to absorb it. A 15-person professional services firm hit with the same incident may not survive it. 43% of cyberattacks target small businesses, and 60% of small businesses that suffer a significant cyber incident close within six months.


What Cyber Insurance Covers for Small Businesses

A well-structured cyber policy covers both your own losses and claims made against you by others. Here is what each side of the coverage looks like in practice.

First-Party Coverage: Your Own Losses

Business interruption. If a ransomware attack or system breach forces your business offline, business interruption coverage reimburses the revenue you lose and the extra expenses you incur during the recovery period. For a small business with thin margins, even a few days of downtime can create a cash flow crisis. This is often the coverage that matters most when an incident actually happens.

Forensic investigation. After an incident, you need to know what happened, how it happened, which systems were affected, and what data was exposed. Digital forensics firms specializing in cyber incidents can cost $10,000 to $50,000 or more for even a basic investigation. Cyber insurance covers this.

Data recovery and system restoration. Rebuilding systems after ransomware or a destructive attack takes time and technical resources. Coverage includes the cost of restoring data from backups and rebuilding affected systems.

Ransomware extortion payments. Most cyber policies include cyber extortion coverage, which applies when attackers demand payment to restore your systems or withhold stolen data. Coverage includes both the ransom payment (where legally permitted) and access to specialist ransomware negotiators and incident response teams. For a deeper look at how this coverage works, see our post on whether cyber insurance covers ransomware payments.

Breach notification costs. If your business experiences a data breach involving customer or employee personal information, most states require you to notify affected individuals within a specific timeframe. Notification involves legal review, printing and mailing, call center setup, and often credit monitoring services for affected individuals. For a breach involving even a few thousand records, these costs add up fast.

Crisis communications. A breach that becomes public can damage customer trust quickly. Coverage can include public relations support and crisis communications management.

Third-Party Coverage: Claims Against You

Legal defense and settlements. If customers, employees, or business partners sue you after a breach that exposed their data, cyber insurance covers your legal defense costs and any resulting settlements or judgments. Class action litigation following data breaches has become increasingly common even against small businesses.

Regulatory fines and penalties. Data privacy regulations including state-level breach notification laws, HIPAA for businesses handling health information, and PCI DSS for businesses processing payment cards all carry potential fines for non-compliance following a breach. Cyber insurance can cover these costs where they are insurable under applicable law.

PCI DSS assessments. If your business processes payment cards and a breach results in a card data compromise, your payment processor can impose fines and require a costly forensic investigation at your expense. Cyber coverage can absorb these assessments.

One important thing to understand: your existing business insurance almost certainly does not cover any of this. General liability policies explicitly exclude most cyber losses. Business owner policies (BOPs) have some limited cyber add-ons, but they are typically insufficient for a real incident. For a full explanation, see our post on whether your general liability policy covers a cyberattack.


What Cyber Insurance Costs for Small Businesses

Premiums for small businesses are more accessible than most owners expect. The key pricing variables are your revenue, your industry, and your security controls.

Business Size      | Annual Revenue  | Typical Annual Premium | Common Limit
-------------------|-----------------|------------------------|-------------
Micro Business     | Under $1M       | $500 to $1,500         | $1M
Small Business     | $1M to $5M      | $1,200 to $3,000       | $1M
Small Business     | $5M to $10M     | $2,500 to $5,000       | $1M
Lower Mid-Market   | $10M to $25M    | $5,000 to $12,000      | $1M to $3M

Industry plays a significant role as well. Healthcare-adjacent businesses, financial services firms, and technology companies pay meaningfully more than professional services, retail, or trades businesses at the same revenue level. The reason is simple: higher-value data, stricter regulatory environments, and higher claims frequency.

Security controls are the other major lever. Businesses with multi-factor authentication on all accounts, endpoint detection and response tools deployed on all devices, and tested backup and recovery procedures qualify for materially better rates than businesses without them. The difference can be 20 to 30% on your annual premium. For a full breakdown of what drives your rate, see our 2026 cyber insurance pricing guide.


The Most Common Cyber Threats Hitting Small Businesses

Understanding what you are actually buying protection against helps you evaluate whether your coverage matches your real exposure.

Phishing and credential theft. Phishing emails that trick employees into entering credentials on fake login pages are the starting point for the majority of small business cyber incidents. Once an attacker has a valid username and password, they can access email, file storage, banking platforms, and any other system using those credentials. For more on how this plays out and what coverage applies, see our post on how cyber insurance protects against phishing attacks.

Ransomware. Ransomware attacks encrypt your files and systems and demand payment for the decryption key. Small businesses are frequent targets because their backup and recovery capabilities are often limited, which makes them more likely to pay. The average ransomware demand targeting small businesses now runs between $50,000 and $500,000.

Business email compromise (BEC). An attacker gains access to a business email account, or convincingly spoofs one, and uses it to redirect payments, authorize fraudulent wire transfers, or manipulate payroll. BEC is the highest-dollar cybercrime category in the FBI’s annual reporting. It does not require any technical exploit. It requires one employee to act on a convincing email. For a full explanation of how this coverage works, see our post on business email compromise and cyber insurance.

Social engineering and funds transfer fraud. Closely related to BEC, social engineering attacks manipulate employees through phone calls, text messages, or email to authorize fraudulent transactions. Coverage for this exposure varies significantly by policy. Not all cyber policies cover social engineering losses the same way, and some apply sublimits or require specific endorsements. Our post on social engineering and funds transfer fraud coverage explains what to look for.

Data breaches. An attacker accesses your systems and exfiltrates customer, employee, or business data. Even a breach involving a small number of records triggers notification obligations and potential regulatory scrutiny. The cost of notification, credit monitoring, and legal review can easily exceed $50,000 for a breach affecting a few thousand individuals.


What Underwriters Want to See From Small Businesses

The application process for small business cyber insurance is more straightforward than most owners expect, but carriers do evaluate your security posture before binding coverage. Here is what matters most.

Multi-factor authentication. MFA on email and any externally accessible system is the single control that appears on every underwriting application. If your employees can access business email with just a username and password, that is a flag. If you have MFA deployed and can document it, that is a meaningful positive. Our MFA implementation guide walks through what carriers want to verify.

Endpoint detection and response. Traditional antivirus is no longer sufficient. Underwriters want to see EDR tools deployed on all endpoints because they provide the detection and containment capability needed to stop an attack before it spreads. Our post on EDR and cyber insurance covers what carriers require and how to document it.

Backup and recovery. Do you have backups? Are they tested? Are they isolated from your primary network so ransomware cannot reach them? Underwriters ask all three questions. Backups that are connected to the same network as the systems they back up can be encrypted along with everything else in a ransomware attack. See our guide on immutable backups and cyber insurance for the standards carriers look for.

Incident response planning. You do not need a 50-page document. You need a documented plan that identifies who is responsible for managing a cyber incident, who gets notified, and what the first steps are. Carriers view this as a signal that you have thought seriously about the risk. Our incident response plan template provides a starting point.

No recent claims or incidents. A prior breach or ransomware incident increases your rate and may require additional documentation. Clean loss history is a meaningful underwriting positive.


Common Coverage Gaps Small Businesses Miss

Buying a cyber policy is not the same as being covered for everything. These are the gaps that create problems at claim time.

Sublimits on ransomware and social engineering. Some policies apply lower limits to specific coverage types. A policy with a $1M headline limit may cap ransomware payments at $250,000 or apply a separate sublimit to social engineering losses. Read the policy language carefully before binding.

Waiting periods on business interruption. Many policies include a waiting period before business interruption coverage kicks in, typically 8 to 12 hours. Short outages may not trigger coverage at all.

Exclusions for unencrypted data. If stolen data was not encrypted and your policy includes an unencrypted data exclusion, a breach involving that data may not be covered. This is a common exclusion that small businesses overlook.

No coverage for funds transfer fraud. Social engineering losses and fraudulent wire transfers are not automatically included in every cyber policy. Some carriers require a specific endorsement. Others apply sublimits that may not match your actual wire transfer volumes.

For a comprehensive look at what most policies will not cover, see our post on common cyber insurance exclusions.


How SeedPod Cyber Works With Small Businesses

SeedPod Cyber is a direct cyber insurance underwriter. We write policies directly for small businesses across industries, which means you get a quote directly from the underwriter without the markup that comes from passing through multiple layers. We work alongside brokers when you have an existing relationship you want to maintain.

8 out of 10 businesses that get a quote from us bind the policy, and we can typically deliver one in under 24 hours. Get a quote from SeedPod Cyber or learn more about coverage options for your business.


Frequently Asked Questions

Does my small business really need cyber insurance?

If you store customer data, process payments, use business email, or rely on any cloud-based software to operate, the answer is yes. The average small business data breach costs between $120,000 and $1.24 million. Most small businesses do not have reserves to absorb that. Cyber insurance is how you transfer that financial risk.

What does cyber insurance not cover?

Intentional acts, pre-existing breaches, infrastructure damage from a cyberattack (covered under property insurance), and in most cases, losses attributable to war or nation-state attacks. Coverage for social engineering and funds transfer fraud varies by policy. Our full breakdown of cyber insurance exclusions covers the most common gaps.

Is there a minimum revenue requirement?

No. Cyber insurance is available to businesses of virtually any size. Micro businesses with under $1M in revenue can typically obtain $1M in coverage for $500 to $1,500 per year.

How long does the application process take?

For most small businesses, the application is straightforward and can be completed in under 30 minutes. Quote turnaround at SeedPod Cyber is typically under 24 hours.

What happens if I have a claim?

Your first step is to notify your insurer immediately after discovering an incident. Do not wait until you have assessed the full scope of the damage. Early notification triggers the carrier’s incident response resources, which typically include forensic investigators, legal counsel, and ransomware negotiators available to you immediately. For a full walkthrough of the process, see our guide on how to file a cyber insurance claim and our post on what happens after you file a cyber insurance claim.

Can I get cyber insurance if I already had a breach?

Yes, in most cases. Carriers will want documentation of what happened, what remediation steps you took, and what controls you have in place today. Prior incidents typically result in higher premiums and may require endorsements addressing specific exposures, but coverage is generally still available for businesses that have remediated the underlying vulnerabilities.