
How Much Does Cyber Insurance Cost? (2026 Pricing Guide)


By Ryan Windt | Head of Growth Marketing | Updated April 2026

A Complete 2026 Pricing Guide by Company Size, Industry, Employee Count, and Security Posture

If you’ve searched for cyber insurance pricing, you’ve probably found a lot of frustratingly vague answers. “It depends” isn’t useful when you’re trying to budget for coverage or benchmark what you’re currently paying.

This guide gives you real numbers. We’ve pulled current market data across company sizes, industries, and security control profiles so you can understand what drives your premium, what you should expect to pay, and where you’re likely overpaying.

The short answer: Most small businesses pay between $1,200 and $7,500 per year, roughly $100 to $625 per month, for $1M in cyber coverage. Mid-market companies ($10M to $100M in revenue) typically pay $8,000 to $35,000 annually. Enterprises pay $50,000 to $500,000 or more. Your actual number depends on four things: your revenue, your industry, your employee count, and your security controls.


What Cyber Insurance Actually Costs: The Quick Numbers

Before diving into the variables, here is what current market data shows as baseline pricing for $1M in standalone cyber liability coverage:

| Business Type | Typical Monthly Cost | Typical Annual Cost |
|---|---|---|
| Sole proprietor / freelancer | $40 to $100/mo | $480 to $1,200/yr |
| Small business (under 25 employees) | $100 to $300/mo | $1,200 to $3,600/yr |
| Small business (25 to 99 employees) | $250 to $600/mo | $3,000 to $7,200/yr |
| Mid-market (100 to 499 employees) | $600 to $2,500/mo | $7,200 to $30,000/yr |
| Mid-market (500 to 999 employees) | $2,000 to $5,000/mo | $24,000 to $60,000/yr |
| Enterprise (1,000+ employees) | $5,000 to $40,000+/mo | $60,000 to $500,000+/yr |

Sources: Insureon, TechInsurance, MoneyGeek, and SeedPod Cyber underwriting data. Figures reflect median market pricing for standard $1M per occurrence / $1M aggregate policies. High-risk industries such as healthcare, financial services, and technology will fall at the higher end or above these ranges.

The median premium for small businesses in 2025 to 2026 is approximately $134 to $145 per month based on data from Insureon and TechInsurance. That said, the median hides a lot. A five-person accounting firm and a five-person marketing agency with identical revenue can have meaningfully different premiums because of what they do with data.


What Drives Cyber Insurance Pricing

Cyber insurance is not priced like auto or property insurance. Underwriters are not looking at your physical assets. They are looking at your data, your attack surface, and your ability to survive an incident. The five primary pricing factors are:

Revenue and company size is the single biggest driver. It determines how much a breach would cost to remediate, how large a ransom demand might be, and how much business interruption coverage you would realistically need.

Industry is the second biggest factor. Healthcare, financial services, and tech companies pay significantly more because they hold high-value data and face stricter regulatory environments.

Employee count matters because each employee is a potential attack vector. Human error accounts for 60% of breaches. More employees means more phishing exposure, more credential compromise risk, and more social engineering surface area.

Security controls can move your premium by 20 to 40% in either direction. MFA, EDR, immutable backups, and a tested incident response plan are now baseline expectations. Missing them does not just raise your rate. It can get you declined.

Claims history is priced hard. A prior breach or claim will increase your rate, sometimes by 30 to 50%. A clean loss history is one of the most valuable assets you bring to underwriting.


Cyber Insurance Cost by Company Size and Revenue

Revenue is the primary underwriting variable across most cyber insurance models. Here is what current market data shows by revenue tier:

| Company Size | Est. Annual Revenue | Typical Annual Premium | Common Limit |
|---|---|---|---|
| Micro Business | Under $1M | $500 to $1,500 | $1M |
| Small Business | $1M to $10M | $1,200 to $4,000 | $1M |
| Lower Mid-Market | $10M to $50M | $4,000 to $15,000 | $1M to $3M |
| Mid-Market | $50M to $250M | $15,000 to $60,000 | $5M+ |
| Upper Mid-Market | $250M to $1B | $60,000 to $200,000 | $10M+ |
| Enterprise | $1B+ | $200,000 to $500,000+ | $25M+ |

Source: Market data compiled from Insureon, Windes, SeedPod Cyber underwriting data, and 2025 to 2026 broker benchmarks. Premiums assume standard $1M per occurrence / $1M aggregate limits unless noted.

One of the most common patterns we see is companies auto-renewing policies priced for their revenue two or three years ago. If your revenue has changed significantly in either direction, your premium should change too. Overpaying because of outdated underwriting is more common than most CFOs realize.


Cyber Insurance Cost by Employee Count

Employee count is the pricing variable most businesses overlook. Some underwriters weight it as heavily as revenue because each additional employee expands your attack surface in a direct, measurable way.

| Employee Count | Typical Annual Premium (Standard Risk Industry) | vs. Baseline |
|---|---|---|
| 1 to 4 employees | $480 to $1,200 | Baseline |
| 5 to 19 employees | $1,000 to $2,800 | +50% to +100% |
| 20 to 49 employees | $2,000 to $5,500 | +150% to +200% |
| 50 to 99 employees | $4,000 to $10,000 | +250% to +325% |
| 100 to 249 employees | $8,000 to $20,000 | +400% to +500% |
| 250 to 499 employees | $15,000 to $40,000 | +600%+ |
| 500 to 999 employees | $25,000 to $65,000 | Transitions to enterprise models |

Source: MoneyGeek analysis of cyber insurance pricing by employee band, cross-referenced with SeedPod Cyber underwriting data.

The jump from a sole proprietor to a 20 to 49 person company can mean a premium three to four times higher, reflecting the reality that breach probability scales with the number of people who handle credentials, receive email, and access systems.

Below five employees, most businesses operate informally. Everyone knows everyone, access controls are loose, and the owner often handles IT directly. At five employees, that model breaks down. Underwriters know it, and it shows in the pricing.


Cyber Insurance Cost by Industry

Your industry is the second biggest pricing factor after revenue. The combination of data sensitivity, regulatory exposure, and claims frequency drives significant variation across verticals.

| Industry | Risk Tier | Premium vs. Average | Primary Exposure |
|---|---|---|---|
| Healthcare / Medical | Very High | +60% to +120% | PHI, HIPAA, ransomware |
| Financial Services / Fintech | Very High | +50% to +100% | PII, BEC, wire fraud, GLBA |
| Technology / SaaS | High | +40% to +88% | Client data, IP, Tech E&O |
| MSPs / MSSPs | High | +40% to +88% | Aggregation risk, vicarious liability |
| Legal / Law Firms | High | +30% to +60% | Client confidentiality, PII, wire fraud |
| Manufacturing | High | +25% to +50% | Operational disruption, OT ransomware |
| Professional Services | Moderate | +10% to +30% | PII, BEC |
| Real Estate | Moderate | +10% to +25% | Wire transfer fraud, closing fraud |
| Retail / E-Commerce | Moderate | Near average | PCI DSS, payment data |
| Construction / Trades | Lower | -10% to -20% | Limited sensitive data |
| Recreation / Nonprofits | Low | -20% to -38% | Minimal digital exposure |

Industries with strict regulatory frameworks, including HIPAA for healthcare and GLBA and PCI DSS for financial services, carry higher premiums because a breach triggers both remediation costs and regulatory liability on top of the technical recovery.

For more on what specific industries pay and what underwriters look for, see our vertical guides:


How Security Controls Affect Your Premium

This is where the real pricing leverage is, and where most companies either leave money on the table or get caught off guard at renewal.

Modern cyber underwriters do not just ask whether you have security tools. They verify controls, require documentation, and price your policy based on the strength of what you can prove. Here is how specific controls impact your rate:

| Control | Premium Impact | Underwriter Requirement Level |
|---|---|---|
| Multi-Factor Authentication (MFA) on all users | -10% to -20% | Non-negotiable baseline |
| Phishing-Resistant MFA (FIDO2 / number-match) | -5% to -10% additional | Increasingly required in 2026 |
| Endpoint Detection and Response (EDR) | -10% to -15% | Required for most policies |
| Immutable / Offline Backups | -10% to -15% | Required; tested backups preferred |
| Privileged Access Management (PAM) | -5% to -10% | Required for mid-market and above |
| Incident Response Plan (tested) | -5% to -10% | Required; tabletop strongly preferred |
| Email Security (DMARC, anti-phishing) | -5% to -8% | Expected baseline |
| MDR / 24×7 SOC monitoring | -5% to -15% | Strongly preferred; organizations with MDR see median claims 96% lower than those using endpoint security alone |
| No controls / weak posture | +30% to +100% or declined | High-risk designation |

A $20,000 annual premium for a mid-market company with weak controls could drop to $13,000 to $15,000 with documented MFA, EDR, and immutable backup hygiene in place. The cost of implementing those controls often pays for itself in the first renewal cycle.

What has changed in 2026: underwriters are no longer accepting self-attestation on critical controls. Screenshots, exports from your RMM or PSA, and third-party verification are increasingly required. If you cannot document your controls quickly, expect sublimits, exclusions, or higher rates regardless of what your application says.

For a full breakdown of what controls underwriters require, see our Cyber Insurance Requirements Checklist.


What Your Premium Actually Buys You

Price and coverage structure are connected but not identical. Here is what a well-structured policy typically looks like at each premium tier.

$500 to $2,000 per year (micro and very small businesses)

Typical limits are $1M per occurrence and $1M aggregate. First-party coverage includes breach response, forensics, and notification costs with limited business interruption. Third-party coverage includes basic liability and regulatory defense. Ransomware is typically sublimited to $100,000 to $250,000. Social engineering and BEC coverage often requires a separate endorsement and may be sublimited. Deductibles typically run $2,500 to $5,000.

$2,000 to $8,000 per year (small to lower mid-market)

Limits run $1M to $3M depending on revenue and risk profile. Full first-party coverage including business interruption with a waiting period. Ransomware coverage of $250,000 to $1M depending on carrier and controls. Social engineering and BEC available as an endorsement or sub-coverage line. Deductibles typically run $5,000 to $10,000.

$8,000 to $35,000 per year (mid-market)

Limits of $3M to $10M with a broader policy structure. Full first-party and third-party suite. Ransomware coverage of $1M to $5M depending on carrier. Better policies at this tier include contingent business interruption from third-party outages. Some programs include an incident response retainer with named carrier-panel vendors. Deductibles typically run $10,000 to $50,000.

$35,000 and above per year (upper mid-market and enterprise)

Manuscript or heavily negotiated policies. Sublimits negotiated by individual coverage line. Excess and surplus layers stacked above primary. Dedicated claims teams and preferred panel vendors. Deductibles run $50,000 to $500,000 or more depending on structure.

The coverage gap most companies miss: standard policies increasingly apply sublimits to ransomware, social engineering and BEC, and contingent business interruption from third-party outages. These are now among the top three claim drivers. Confirm your limits on each of those lines specifically, not just the headline policy limit.


Current Market Conditions: Is Now a Good Time to Buy or Renew?

The short answer is yes, if you have your controls in order.

After peaking in 2021 to 2022 when cyber insurance rates rose 30 to 50% annually, the market has stabilized significantly. Premiums are now flat to down 3% for clean accounts, with some primary layers seeing up to 10% decreases for well-documented security postures. Capacity has increased as more carriers have entered the market and compete for qualified risks.

The market has split into two tiers. Clean accounts with documented controls, no claims history, and a strong security posture are getting better terms. Some are seeing renewals 10 to 20% below peak rates. Accounts with weak controls or prior claims are still in a hard market. Carriers are declining risks they would have written two years ago. If you are missing MFA or have no tested backup, expect difficulty finding coverage or significant sublimits and exclusions on any policy you do get.

If you have not benchmarked your coverage against current market pricing in the last 12 months, you are likely overpaying. Blindly renewing a policy written at 2022 peak rates is one of the most common and preventable budget mistakes we see. For renewal prep, see our Cyber Insurance Renewal Checklist.


What Does Cyber Insurance Actually Cover?

Understanding what you are paying for is as important as understanding what it costs. A well-structured cyber policy covers two categories of exposure.

First-Party Coverage (Your Own Losses)

First-party coverage pays for your own costs following an incident: forensic investigation and incident response, data recovery and system restoration, business interruption and lost revenue during downtime, ransomware extortion payments where permitted by law, crisis communications and public relations management, and regulatory fines and penalties where insurable under state law.

Third-Party Coverage (Claims Against You)

Third-party coverage responds when someone sues you or a regulator comes after you: legal defense costs from customer or partner lawsuits following a breach, settlements and judgments from privacy claims, PCI DSS fines and card brand assessments, and media liability for content-related claims.

For a deeper breakdown of what each coverage type actually pays and where the gaps are, see our full guide: First-Party vs. Third-Party Cyber Coverage: What Every Business Needs to Understand Before a Breach.


Frequently Asked Questions

How much does cyber insurance cost per month?

Most small businesses pay $100 to $300 per month for $1M in cyber coverage. The median is approximately $134 to $145 per month based on current market data. Actual cost depends on your revenue, industry, employee count, and security controls.

Is cyber insurance worth it for small businesses?

Yes. The average cost of a data breach for a small business ranges from $120,000 to well over $1 million when you factor in forensics, legal fees, customer notification, regulatory fines, and business interruption. A $1,500 annual premium for $1M in coverage is straightforward risk math. For a full breakdown, see our guide: Cyber Insurance for Small Businesses.

Does cyber insurance cover ransomware?

Most policies cover ransomware, but the coverage details matter significantly. Look carefully at sublimits. Some policies cap ransomware payments at $250,000 even if your headline limit is $1M. Average ransomware losses hit $292,000 per incident in 2025. Confirm that extortion coverage applies to your policy structure and that your carrier panel includes experienced ransomware negotiators. Full breakdown: Does Cyber Insurance Cover Ransomware Payments?

Will my general liability policy cover a cyber incident?

No. General liability policies explicitly exclude most cyber losses. Some older policies had limited cyber coverage, but insurers have largely removed it. If you rely on a GL or BOP for cyber protection, you have a coverage gap.

How do I lower my cyber insurance premium?

The single most effective action is documenting and strengthening your security controls before your next renewal. MFA across all users, EDR on all endpoints, and immutable backups with tested restores are the three controls that move the needle most. The stronger your documented posture, the more pricing leverage you have at renewal. See our full checklist: Cyber Insurance Requirements: The Minimum Controls Checklist for SMBs and MSPs.

Does location affect cyber insurance cost?

Yes, though it is the least influential pricing factor compared to revenue, industry, and controls. States with strict privacy laws and plaintiff-friendly courts, including California, New York, and Illinois, tend to run 10 to 24% above the national average because breach response costs more there. States with lighter regulatory environments run 10 to 15% below average.

What deductible should I choose?

The average deductible for small business cyber policies is $2,500. Higher deductibles lower your premium but increase out-of-pocket exposure when a claim occurs. Choose the highest deductible you could realistically self-fund in a crisis. If you could not write that check within the first 72 hours of an incident, the deductible is too high.

How often should I shop my cyber coverage?

Every renewal cycle, at minimum. The market has moved significantly in the past 24 months. A policy written at peak-market rates in 2022 should be benchmarked against current pricing. If your revenue, headcount, or security posture has changed, your premium should change too.

What is the difference between cyber insurance and Tech E&O?

Cyber insurance covers losses from security incidents such as breaches, ransomware, and business interruption. Technology Errors and Omissions (Tech E&O) covers claims that your technology product or service failed to perform as promised and caused a client financial harm. Tech companies and MSPs typically need both. Full comparison: Tech E&O vs. Cyber Liability Insurance: Which One Does Your Business Actually Need?

How do I get a cyber insurance quote?

SeedPod Cyber specializes in cyber insurance and Tech E&O for MSPs, tech companies, and small-to-mid-sized businesses. Contact us to start the process. We will assess your risk, document your controls, and shop your submission to carriers that are a genuine fit for your profile.
