
How Much Cyber Insurance Do You Actually Need? A Practical Guide to Choosing Your Coverage Limit


By Ryan Windt | Head of Growth Marketing | Updated April 2026

Most businesses spend a lot of time thinking about what cyber insurance costs. They spend almost no time thinking about whether the limit they bought is the right one.

Those are two different questions, and confusing them is one of the most common mistakes in the cyber insurance buying process.

A $1 million policy at $2,000 per year might be a great deal. It might also be a policy that pays out $1 million on a $3.5 million loss. The premium only tells you what you paid. The limit determines what you actually recover.

This post explains how to think about limit selection, what inputs actually matter, and how to arrive at a number that reflects your real exposure rather than an industry default.


Why Most Businesses Pick the Wrong Limit

The most common approach to choosing a cyber insurance limit is not really an approach at all. A broker quotes $1 million because that is the standard starting point. The business accepts it because the premium fits the budget and nobody pushes back. The policy renews at the same limit the following year. And the year after that.

The result is that a large portion of the market is carrying limits that were sized based on what was affordable or conventional rather than what their actual exposure requires.

This matters more in cyber than in most other lines of insurance. Cyber losses are not capped at some predictable multiple of your revenue. A ransomware attack on a mid-market company, a business interruption event tied to a cloud provider outage, or a breach that triggers regulatory action in multiple states can produce losses that bear no obvious relationship to the size of the business.

The starting point for limit selection should always be your exposure, not the market standard.


The Four Numbers That Should Drive Your Limit Decision

There is no formula that produces a precise right answer for every business. But there are four categories of potential loss that, taken together, give you a realistic picture of what a serious cyber incident could cost you.

1. Breach response and notification costs

If your business stores personally identifiable information, a breach triggers a chain of required actions: forensic investigation to determine what happened and what was taken, legal review to assess notification obligations, notification to affected individuals, credit monitoring for those individuals, and public relations management if the breach becomes public.

The cost of this process scales with the number of records exposed. Industry estimates for breach response costs run from $5 to $15 per affected record depending on the complexity of the incident and the regulatory environment. A business with 50,000 customer records faces a potential notification cost of $250,000 to $750,000 before a single dollar of liability is considered.

Start by counting your records. Not just your CRM contacts, but every place sensitive data lives: email archives, accounting software, HR systems, payment processors, cloud storage. The realistic number is often much higher than most business owners initially estimate.

2. Business interruption losses

Business interruption is now the single largest driver of cyber insurance claims. When a ransomware attack or a significant security incident takes systems offline, the revenue lost during the recovery period can dwarf the direct remediation costs.

To estimate your business interruption exposure, start with your daily revenue and multiply it by a realistic recovery window. For a ransomware incident with full system encryption, recovery timelines for businesses without tested backups often run two to four weeks. For businesses with mature backup and recovery capabilities, recovery may take days rather than weeks, but the incident response and forensic work still takes time.

A business generating $5 million per year in revenue, or roughly $14,000 per calendar day, facing a three-week recovery period is looking at approximately $300,000 in lost revenue before accounting for remediation costs. Use the day count that matches how revenue actually accrues: a business that only earns on working days loses more per day offline, and an outage that lands on a peak period (month-end billing, a seasonal sales window) costs more than the average day suggests. That number climbs quickly for businesses with higher revenue or longer recovery timelines.

3. Regulatory fines and defense costs

If your business operates in a regulated industry or handles data subject to state or federal privacy laws, a breach can trigger regulatory scrutiny in addition to direct response costs. HIPAA penalties for healthcare organizations, state attorney general actions under consumer privacy statutes, and PCI DSS assessments for businesses that handle payment card data all represent financial exposure that sits outside the direct remediation bucket.

Regulatory defense costs alone, meaning the legal fees required to respond to an investigation regardless of whether a fine is ultimately imposed, can reach six figures for a significant incident. Actual fines vary widely based on the jurisdiction, the severity of the breach, and the documented state of your security controls at the time of the incident.

Businesses in healthcare, financial services, or any industry subject to state privacy laws with significant penalty exposure should treat regulatory defense and potential fines as a distinct line item in their limit calculation.

4. Third-party liability

If a breach at your business results in harm to a third party, whether a customer, a client, or a business partner, you may face liability claims in addition to your own response costs. This is the third-party coverage component of a cyber policy, and it is often where the largest losses occur for businesses that hold significant volumes of other people’s data.

For most small businesses, third-party liability is a secondary consideration. For businesses that hold customer financial data, protected health information, or sensitive business information belonging to enterprise clients, third-party liability can be the dominant exposure. Technology companies and SaaS providers in particular face third-party claims tied to their contractual indemnification obligations, which we cover in more detail in our cyber insurance guide for SaaS companies.


A Simple Framework for Sizing Your Limit

Add up your estimates across the four categories above. The total is your baseline exposure number, meaning the amount a serious but not catastrophic incident could realistically cost you.

From there, apply a judgment layer:

  • If your business is in a high-risk industry (healthcare, financial services, technology, legal), add a buffer of 25 to 50 percent above your baseline number to account for the elevated severity and regulatory complexity those industries carry.
  • If your business holds data on behalf of enterprise clients under contractual indemnification obligations, your limit needs to reflect the maximum liability you could face under your largest client contract, not just your own direct costs.
  • If your business has not implemented core security controls (MFA everywhere, tested backups, EDR on all endpoints), your recovery timeline and remediation costs in the event of an incident will be meaningfully higher than the baseline estimates above.

Round the result up to the nearest available policy limit. Most carriers offer limits at $1 million, $2 million, $3 million, and $5 million for the mid-market, with higher limits available for businesses that can demonstrate the exposure.


Common Limit Benchmarks by Business Type

While every business is different, these ranges reflect what underwriters and brokers see as appropriate coverage for businesses with typical risk profiles in each segment.

Small businesses ($1M to $10M revenue, limited sensitive data): $1 million is often appropriate. The key qualifier is “limited sensitive data.” A small business that handles primarily its own financial records and a modest customer list has a different exposure than a small business that processes payment cards or stores protected health information.

Small businesses in regulated industries: $1 million to $2 million. The regulatory exposure in healthcare and financial services pushes the baseline higher even for small operators.

Mid-market businesses ($10M to $100M revenue): $2 million to $5 million. Mid-market companies have proportionally higher business interruption exposure and more complex regulatory environments. They also tend to hold larger volumes of sensitive data.

Technology companies and SaaS providers: Limits should be calibrated to the largest contractual indemnification obligation in your client contracts, not your revenue. Many tech companies with $5 million to $20 million in revenue carry $3 million to $5 million in coverage because their enterprise client contracts require it. For a full breakdown of how tech company exposure differs from other businesses, see Cyber Insurance for Tech Companies.

MSPs and MSSPs: Aggregation risk makes limit selection especially important for managed service providers. A single compromise of your management infrastructure can produce simultaneous losses across every client you manage. The right limit for an MSP is not a function of the MSP’s own revenue alone. It is a function of the aggregate exposure across the client portfolio. See our dedicated coverage guide for MSPs and MSSPs for detail on how underwriters approach this.


Sublimits: Why Your Full Limit May Not Apply to Your Biggest Risks

One of the most important and least understood aspects of limit selection is the role of sublimits. A sublimit is a cap on what the insurer will pay for a specific type of loss, set below the overall policy limit.

A $1 million policy with a $250,000 sublimit on ransomware payments will pay no more than $250,000 toward a ransom demand regardless of what the aggregate limit says. A $2 million policy with a $500,000 sublimit on funds transfer fraud will not pay more than $500,000 on a $700,000 wire fraud loss.

The practical implication for limit selection is that you cannot simply buy a policy at a given limit and assume that limit applies uniformly to every type of loss. The categories of loss most commonly subject to sublimits are precisely the categories that produce the largest cyber claims: ransomware, funds transfer fraud, social engineering, and regulatory fines.

Before finalizing your limit decision, review the sublimit structure of the policy you are considering. If your business has significant exposure in any of the sublimited categories, you may need a higher overall limit or a policy with improved sublimit terms to achieve the coverage you actually need. Note that a higher aggregate only helps if the sublimit moves with it: a sublimit stated as a fixed dollar amount stays where it is regardless of the aggregate, while one expressed as a percentage of the aggregate scales up. For a full explanation of how sublimits work and which coverage lines are most commonly affected, see Cyber Insurance Sublimits Explained.
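The sizing framework in the section above (four loss categories, judgment buffer, round up to an available limit) and the sublimit check described here are easier to reason about as a small calculation you can re-run at every renewal. The Python below is an added illustration for this guide, not SeedPod's tool and not code from the original article. The per-record cost range, the 25 to 50 percent high-risk buffer, and the ladder of standard mid-market limits are taken from the article; the sample dollar figures, the category names, and the function names are constructed for the example.

```python
"""Four-number limit sizing plus a sublimit gap check.

Added illustration, not SeedPod's tool and not from the original article.
The per-record cost range, the 25-50% high-risk buffer and the ladder of
standard mid-market limits come from the article; every dollar figure in the
sample data, the category names and the function names are constructed.
"""
from dataclasses import dataclass
import math

# Standard mid-market ladder named in the article; higher limits exist but
# require demonstrating the exposure to the carrier.
STANDARD_LIMITS = (1_000_000, 2_000_000, 3_000_000, 5_000_000)


@dataclass
class Exposure:
    records: int                   # every record holding PII, across all systems
    cost_per_record: float         # article's range: $5 to $15 per record
    annual_revenue: float
    recovery_days: int             # realistic outage window in calendar days
    regulatory: float              # defense costs plus plausible fines
    third_party: float             # liability to customers, clients, partners
    max_indemnification: float = 0.0   # largest contractual cap, if any
    high_risk_industry: bool = False   # healthcare, finance, tech, legal
    core_controls_in_place: bool = True  # MFA everywhere, tested backups, EDR


def baseline_exposure(e: Exposure) -> dict:
    """The four numbers: breach response, business interruption, regulatory, third party."""
    return {
        "breach_response": e.records * e.cost_per_record,
        "business_interruption": e.annual_revenue / 365 * e.recovery_days,
        "regulatory": e.regulatory,
        "third_party": e.third_party,
    }


def recommended_limit(e: Exposure, buffer: float = 0.25,
                      available=STANDARD_LIMITS):
    """Apply the judgment layer and round up to the next available limit.

    Returns (limit, needed, breakdown, notes). `buffer` is the high-risk
    industry uplift (article: 25 to 50 percent).
    """
    parts = baseline_exposure(e)
    needed = sum(parts.values())
    notes = []
    if e.high_risk_industry:
        needed *= 1 + buffer
        notes.append(f"high-risk industry buffer of {buffer:.0%} applied")
    if e.max_indemnification > needed:
        # For data holders the contractual cap, not direct cost, sets the floor.
        needed = e.max_indemnification
        notes.append("largest contractual indemnification cap drives the limit")
    if not e.core_controls_in_place:
        # The article gives no multiplier, so this is flagged rather than modelled.
        notes.append("core controls missing: recovery_days and remediation "
                     "estimates are likely low; re-run with a longer window")
    limit = next((lim for lim in available if lim >= needed), None)
    if limit is None:
        limit = math.ceil(needed / 1_000_000) * 1_000_000
        notes.append("above the standard ladder; carriers will want the "
                     "exposure documented before writing this limit")
    return limit, needed, parts, notes


def sublimit_gaps(policy_limit: float, sublimits: dict, expected: dict) -> dict:
    """Categories where an expected loss exceeds the cap that actually applies.

    A sublimit caps one loss type below the aggregate; an uncapped category
    is bounded by the aggregate itself. Returns {category: uncovered amount}.
    """
    gaps = {}
    for category, loss in expected.items():
        cap = min(policy_limit, sublimits.get(category, policy_limit))
        if loss > cap:
            gaps[category] = loss - cap
    return gaps


if __name__ == "__main__":
    # Constructed sample: the article's 50,000-record, $5M-revenue business.
    sample = Exposure(records=50_000, cost_per_record=10,
                      annual_revenue=5_000_000, recovery_days=21,
                      regulatory=500_000, third_party=400_000)
    limit, needed, parts, notes = recommended_limit(sample)
    print(f"needed ${needed:,.0f} -> buy ${limit:,}", parts, notes)
    # Article's wire-fraud example: $2M aggregate, $500k FTF sublimit, $700k loss.
    print(sublimit_gaps(2_000_000, {"funds_transfer_fraud": 500_000},
                        {"funds_transfer_fraud": 700_000}))
```

Run it with your own record count, revenue and recovery window, then feed the resulting category estimates into `sublimit_gaps` with the sublimits from the quote in front of you. The gap dictionary is the part of the conversation to have with the broker: any non-empty entry is a loss the aggregate limit will not pay, whatever the headline number says.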


The Deductible Side of the Equation

Limit selection does not happen in isolation. The deductible you choose affects both your premium and your out-of-pocket exposure when a claim occurs.

A higher deductible lowers your premium but means you absorb more of the loss before coverage kicks in. A lower deductible costs more in premium but reduces your exposure in a claim scenario.

The right deductible is a function of your cash reserves and your risk tolerance. A business that could absorb a $25,000 loss without significant operational disruption may reasonably carry a $25,000 deductible in exchange for a lower premium. A business operating with thin margins and limited cash reserves should probably carry a lower deductible even at a higher premium cost.

For a full explanation of how deductibles work in cyber insurance, including the difference between a deductible, a self-insured retention, and a co-pay structure, see Cyber Insurance Deductibles Explained.


How Your Security Posture Affects What You Can Buy

Limit selection is constrained by underwriting eligibility. Not every business can buy every limit at every price.

Carriers evaluate your security controls when they evaluate your application, and businesses with weak security postures face two distinct problems. First, they may be declined or offered coverage only with significant exclusions. Second, they may be offered lower limits than their exposure requires because carriers are not willing to write high limits on businesses with documented security gaps.

The controls that most directly affect your eligibility and your access to higher limits are multi-factor authentication, endpoint detection and response, tested backup and recovery capabilities, and privileged access management. Our cyber insurance requirements checklist covers what carriers expect in each of these areas.

Businesses that invest in these controls before applying do not just get better premiums. They get access to higher limits, cleaner policy language, and fewer sublimits on the coverage lines that matter most.


One More Thing: Your Limit Should Grow With Your Business

Cyber insurance limits are often set once and forgotten. Annual renewals go through without a real review of whether the limit still reflects the business’s current exposure.

Revenue grows. Customer data volumes grow. Client contract indemnification obligations get larger as enterprise deals close. The regulatory environment gets more complex.

A limit that was appropriate two years ago may be meaningfully inadequate today. Use every renewal cycle as an opportunity to run through the four-number framework above and confirm that your limit still reflects your real exposure.

If your business has changed significantly since you last evaluated your limit, that conversation should happen before the renewal, not after a claim.


Getting It Right

Choosing the right cyber insurance limit is not complicated, but it does require actually looking at your exposure rather than accepting a default.

SeedPod Cyber works directly with carriers across a range of business types and industries. We can help you evaluate your exposure, understand what limits are available for your risk profile, and find coverage that fits both your needs and your budget.

Contact us to talk through your situation, or get a quote to see what coverage looks like for your business.
