
Cyber Insurance Pricing by Company Size, Industry, and Security Posture


By Ryan Windt | Head of Growth Marketing | Updated June 2026

If you’ve searched for cyber liability insurance pricing, you’ve probably found a lot of frustratingly vague answers. “It depends” isn’t useful when you’re trying to budget for coverage or benchmark what you’re currently paying.

This guide gives you real numbers and the context for what those numbers actually mean. SeedPod Cyber places coverage across dozens of carriers and sees hundreds of submissions annually. What follows reflects what we observe across actual quotes and renewals, not just aggregated market surveys.

The short answer: Most small businesses pay between $1,200 and $7,500 per year for $1M in cyber coverage. Mid-market companies ($10M to $100M in revenue) typically pay $8,000 to $35,000 annually. Your actual number depends on four things: your revenue, your industry, your employee count, and your security controls. It also depends on how much coverage you actually need, which is a separate question from price. But the spread within each category is wide, and how you present your risk to underwriters matters as much as the risk itself.


What Cyber Insurance Actually Costs: The Quick Numbers

Before diving into the variables, here is what current market data shows as baseline pricing for $1M in standalone cyber liability coverage:

| Business Type | Typical Monthly Cost | Typical Annual Cost |
|---|---|---|
| Sole proprietor / freelancer | $40 to $100/mo | $480 to $1,200/yr |
| Small business (under 25 employees) | $100 to $300/mo | $1,200 to $3,600/yr |
| Small business (25 to 99 employees) | $250 to $600/mo | $3,000 to $7,200/yr |
| Mid-market (100 to 499 employees) | $600 to $2,500/mo | $7,200 to $30,000/yr |
| Mid-market (500 to 999 employees) | $2,000 to $5,000/mo | $24,000 to $60,000/yr |
| Enterprise (1,000+ employees) | $5,000 to $40,000+/mo | $60,000 to $500,000+/yr |

Sources: Insureon, TechInsurance, MoneyGeek, and SeedPod Cyber underwriting data. Figures reflect median market pricing for standard $1M per occurrence / $1M aggregate policies. High-risk industries such as healthcare, financial services, and technology will fall at the higher end or above these ranges.

The median premium for small businesses in 2025 to 2026 is approximately $134 to $145 per month. That median hides a lot. A five-person accounting firm and a five-person marketing agency with identical revenue can have meaningfully different premiums because of what they do with data and how well they’ve documented their controls. For a breakdown of coverage options specific to smaller organizations, see our guide to cyber insurance for small businesses.

One thing the industry surveys don’t capture: the same business, presented differently to underwriters, can receive quotes that vary by 30 to 50%. The carrier matters. The application quality matters. Whether your broker has submitted to that market before and has a relationship with the underwriting team matters.

If you want to know what your business would actually pay, the fastest way to find out is to get a real quote. SeedPod Cyber works with businesses across every industry and size to find coverage that fits the risk. Contact us to get started.


What Drives Cyber Insurance Pricing

Cyber insurance is not priced like auto or property insurance. Underwriters are not looking at your physical assets. They are looking at your data, your attack surface, and your ability to survive an incident. The five primary pricing factors are:

Revenue and company size is the single biggest driver. It determines how much a breach would cost to remediate, how large a ransom demand might be, and how much business interruption coverage you would realistically need.

Industry is the second biggest factor. Healthcare, financial services, and tech companies pay significantly more because they hold high-value data and face stricter regulatory environments.

Employee count matters because each employee is a potential attack vector. Human error accounts for 60% of breaches. More employees means more phishing exposure, more credential compromise risk, and more social engineering surface area.

Security controls can move your premium by 20 to 40% in either direction. MFA, EDR, immutable backups, and a tested incident response plan are now baseline expectations. Missing them does not just raise your rate. It can get you declined.

Claims history is priced hard. A prior breach or claim will increase your rate, sometimes by 30 to 50%. A clean loss history is one of the most valuable assets you bring to underwriting.

What changes the math in practice: we regularly see businesses with identical revenue and employee counts receive quotes that differ by 40% based solely on how their security posture is documented. Underwriters at carriers like Coalition and At-Bay run active scanning on your environment before binding. If their scan finds exposed RDP, unpatched systems, or services running on non-standard ports, that shows up in the quote before you’ve said a word. Coming to market with your controls documented and your vulnerabilities addressed is worth more than almost any other pre-submission step.


Cyber Insurance Cost by Company Size and Revenue

Revenue is the primary underwriting variable across most cyber insurance models. Here is what current market data shows by revenue tier:

| Company Size | Est. Annual Revenue | Typical Annual Premium | Common Limit |
|---|---|---|---|
| Micro Business | Under $1M | $500 to $1,500 | $1M |
| Small Business | $1M to $10M | $1,200 to $4,000 | $1M |
| Lower Mid-Market | $10M to $50M | $4,000 to $15,000 | $1M to $3M |
| Mid-Market | $50M to $250M | $15,000 to $60,000 | $5M+ |
| Upper Mid-Market | $250M to $500M | $60,000 to $200,000 | $10M+ |
| Enterprise | $500M+ | $200,000 to $500,000+ | $25M+ |

Source: Market data compiled from Insureon, Windes, SeedPod Cyber underwriting data, and 2025 to 2026 broker benchmarks. Premiums assume standard $1M per occurrence / $1M aggregate limits unless noted.

One of the most common patterns we see is companies auto-renewing policies priced for their revenue two or three years ago. If your revenue has changed significantly in either direction, your premium should change too. Overpaying because of outdated underwriting is more common than most CFOs realize.

The other pattern: companies that grew past a revenue threshold mid-year and did not update their policy. Most cyber policies are written on estimated revenue. If your actual revenue at audit exceeds the estimate, some carriers will adjust the premium at renewal. Either way, being underinsured relative to your current revenue exposure is a real risk.


Cyber Insurance Cost by Employee Count

Employee count is the pricing variable most businesses overlook. Some underwriters weight it as heavily as revenue because each additional employee expands your attack surface in a direct, measurable way.

| Employee Count | Typical Annual Premium (Standard Risk Industry) | vs. Baseline |
|---|---|---|
| 1 to 4 employees | $480 to $1,200 | Baseline |
| 5 to 19 employees | $1,000 to $2,800 | +50% to +100% |
| 20 to 49 employees | $2,000 to $5,500 | +150% to +200% |
| 50 to 99 employees | $4,000 to $10,000 | +250% to +325% |
| 100 to 249 employees | $8,000 to $20,000 | +400% to +500% |
| 250 to 499 employees | $15,000 to $40,000 | +600%+ |
| 500 to 999 employees | $25,000 to $65,000 | Transitions to enterprise models |

Source: MoneyGeek analysis of cyber insurance pricing by employee band, cross-referenced with SeedPod Cyber underwriting data.

The premium for a 20 to 49 person company can be three to four times that of a sole proprietor, reflecting the reality that breach probability scales with the number of people who handle credentials, receive email, and access systems.

Below five employees, most businesses operate informally. Everyone knows everyone, access controls are loose, and the owner often handles IT directly. At five employees, that model breaks down. Underwriters know it, and it shows in the pricing.


Cyber Insurance Cost by Industry

Your industry is the second biggest pricing factor after revenue. The combination of data sensitivity, regulatory exposure, and claims frequency drives significant variation across verticals.

| Industry | Risk Tier | Premium vs. Average | Primary Exposure |
|---|---|---|---|
| Healthcare / Medical | Very High | +60% to +120% | PHI, HIPAA, ransomware |
| Financial Services / Fintech | Very High | +50% to +100% | PII, BEC, wire fraud, GLBA |
| Technology / SaaS | High | +40% to +88% | Client data, IP, Tech E&O |
| MSPs / MSSPs | High | +40% to +88% | Aggregation risk, vicarious liability |
| Legal / Law Firms | High | +30% to +60% | Client confidentiality, PII, wire fraud |
| Manufacturing | High | +25% to +50% | Operational disruption, OT ransomware |
| Professional Services | Moderate | +10% to +30% | PII, BEC |
| Real Estate | Moderate | +10% to +25% | Wire transfer fraud, closing fraud |
| Retail / E-Commerce | Moderate | Near average | PCI DSS, payment data |
| Construction / Trades | Lower | -10% to -20% | Limited sensitive data |
| Recreation / Nonprofits | Low | -20% to -38% | Minimal digital exposure |

Industries with strict regulatory frameworks carry higher premiums because a breach triggers both remediation costs and regulatory liability on top of the technical recovery.

What the table above does not fully capture: industry classification disputes. We regularly see carriers classify a business differently than the business classifies itself. A healthcare technology company might be quoted as healthcare (very high risk) or as technology (high risk) depending on how the application is framed and which carrier is receiving it. Getting the classification right is one of the first things a good broker does before submission.

For more on what specific industries pay and what underwriters look for, see our vertical guides on the SeedPod Cyber industries page.


How Security Controls Affect Your Premium

This is where the real pricing leverage is, and where most companies either leave money on the table or get caught off guard at renewal.

Modern cyber underwriters do not just ask whether you have security tools. They verify controls, require documentation, and price your policy based on the strength of what you can prove. Here is how specific controls impact your rate:

| Control | Premium Impact | Underwriter Requirement Level |
|---|---|---|
| Multi-Factor Authentication (MFA) on all users | -10% to -20% | Non-negotiable baseline |
| Phishing-Resistant MFA (FIDO2 / number-match) | -5% to -10% additional | Increasingly required in 2026 |
| Endpoint Detection and Response (EDR) | -10% to -15% | Required for most policies |
| Immutable / Offline Backups | -10% to -15% | Required; tested backups preferred |
| Privileged Access Management (PAM) | -5% to -10% | Required for mid-market and above |
| Incident Response Plan (tested) | -5% to -10% | Required; tabletop strongly preferred |
| Email Security (DMARC, anti-phishing) | -5% to -8% | Expected baseline |
| MDR / 24×7 SOC monitoring | -5% to -15% | Strongly preferred |
| No controls / weak posture | +30% to +100% or declined | High-risk designation |

A $20,000 annual premium for a mid-market company with weak controls could drop to $13,000 to $15,000 with documented MFA, EDR, and immutable backup hygiene in place. The cost of implementing those controls often pays for itself in the first renewal cycle.

What has changed in 2026: underwriters are no longer accepting self-attestation on critical controls. Screenshots, exports from your RMM or PSA, and third-party verification are increasingly required. If you cannot document your controls quickly, expect sublimits, exclusions, or higher rates regardless of what your application says.

Carriers that run active pre-bind scanning, including Coalition and At-Bay, are surfacing control gaps before the application is even reviewed by an underwriter. If their scan detects an issue and your application does not address it, you are starting from a credibility deficit. Getting ahead of that with a clean security posture documented before you go to market is the single most effective thing you can do to influence your quote.

For a full breakdown of what controls underwriters require, see our Cyber Insurance Requirements Checklist.


How Carrier Choice Affects What You Pay

This is the piece most pricing guides skip entirely.

The same risk, submitted to different carriers, can produce quotes that vary by 20 to 40%. That variance is not random. Carriers have distinct appetites, underwriting models, and pricing approaches.

Coalition and At-Bay use active scanning and security ratings built into their pricing models. Clean digital hygiene can produce meaningfully better rates from these carriers than from traditional underwriters who rely on application responses alone. They tend to be competitive for tech companies and SMBs with strong controls.

Corvus applies machine learning to publicly available data about your business. Their pricing for mid-market risks with clean exposures is often competitive, and they are strong for manufacturing and logistics.

Beazley is a London-based market that tends to be more conservative on price but strong on claims handling and coverage breadth, particularly for financial services and healthcare. You typically pay more but get a broader policy.

Cowbell focuses on SMBs and uses continuous monitoring. Their quoting process is fast and their pricing for smaller risks is often sharp.

None of these carriers are right for every risk. Selecting the right market for your specific exposure, revenue, industry, and controls profile is a core part of what a cyber-specialist broker does. For a deeper breakdown, see our cyber insurance carrier comparison.


What Your Premium Actually Buys You

Price and coverage structure are connected but not identical. Here is what a well-structured policy typically looks like at each premium tier.

$500 to $2,000 per year (micro and very small businesses)

Typical limits are $1M per occurrence and $1M aggregate. First-party coverage includes breach response, forensics, and notification costs with limited business interruption. Third-party coverage includes basic liability and regulatory defense. Ransomware is typically sublimited to $100,000 to $250,000. Social engineering and BEC coverage often requires a separate endorsement. Deductibles typically run $2,500 to $5,000.

$2,000 to $8,000 per year (small to lower mid-market)

Limits run $1M to $3M depending on revenue and risk profile. Full first-party coverage including business interruption with a waiting period. Ransomware coverage of $250,000 to $1M depending on carrier and controls. Social engineering and BEC available as an endorsement or sub-coverage line. Deductibles typically run $5,000 to $10,000.

$8,000 to $35,000 per year (mid-market)

Limits of $3M to $10M with a broader policy structure. Full first-party and third-party suite. Ransomware coverage of $1M to $5M depending on carrier. Better policies at this tier include contingent business interruption from third-party outages. Some programs include an incident response retainer with named carrier-panel vendors. Deductibles typically run $10,000 to $50,000.

$35,000 and above per year (upper mid-market and enterprise)

Manuscript or heavily negotiated policies. Sublimits negotiated by individual coverage line. Excess and surplus layers stacked above primary. Dedicated claims teams and preferred panel vendors. Deductibles run $50,000 to $500,000 or more depending on structure.

The coverage gap most companies miss: standard policies increasingly apply sublimits to ransomware, social engineering and BEC, and contingent business interruption from third-party outages. These are now among the top three claim drivers. Confirm your limits on each of those lines specifically, not just the headline policy limit.


Current Market Conditions: Is Now a Good Time to Buy or Renew?

The short answer is yes, if you have your controls in order.

After peaking in 2021 to 2022 when cyber insurance rates rose 30 to 50% annually, the market has stabilized significantly. Premiums are now flat to down 3% for clean accounts, with some primary layers seeing up to 10% decreases for well-documented security postures. Capacity has increased as more carriers have entered the market and compete for qualified risks.

The market has split into two tiers. Clean accounts with documented controls, no claims history, and a strong security posture are getting better terms. Some are seeing renewals 10 to 20% below peak rates. Accounts with weak controls or prior claims are still in a hard market. Carriers are declining risks they would have written two years ago.

If you have not benchmarked your coverage against current market pricing in the last 12 months, you are likely overpaying. Blindly renewing a policy written at 2022 peak rates is one of the most common and preventable budget mistakes we see. For renewal prep, see our Cyber Insurance Renewal Checklist.


What Does Cyber Insurance Actually Cover?

Understanding what you are paying for is as important as understanding what it costs. A well-structured cyber policy covers two categories of exposure.

First-Party Coverage (Your Own Losses)

First-party coverage pays for your own costs following an incident: forensic investigation and incident response, data recovery and system restoration, business interruption and lost revenue during downtime, ransomware extortion payments where permitted by law, crisis communications and public relations management, and regulatory fines and penalties where insurable under state law.

Third-Party Coverage (Claims Against You)

Third-party coverage responds when someone sues you or a regulator comes after you: legal defense costs from customer or partner lawsuits following a breach, settlements and judgments from privacy claims, PCI DSS fines and card brand assessments, and media liability for content-related claims.

For a deeper breakdown of what each coverage type actually pays and where the gaps are, see our full guide: First-Party vs. Third-Party Cyber Coverage.


Frequently Asked Questions

How much does cyber insurance cost per month?
Most small businesses pay $100 to $300 per month for $1M in cyber coverage. The median is approximately $134 to $145 per month based on current market data. Actual cost depends on your revenue, industry, employee count, and security controls.

Is cyber insurance worth it for small businesses?
Yes. The average cost of a data breach for a small business ranges from $120,000 to well over $1 million when you factor in forensics, legal fees, customer notification, regulatory fines, and business interruption. A $1,500 annual premium for $1M in coverage is straightforward risk math. For a full breakdown, see our guide: Cyber Insurance for Small Businesses.

Does cyber insurance cover ransomware?
Most policies cover ransomware, but the coverage details matter significantly. Look carefully at sublimits. Some policies cap ransomware payments at $250,000 even if your headline limit is $1M. Confirm that extortion coverage applies to your policy structure and that your carrier panel includes experienced ransomware negotiators. Full breakdown: Does Cyber Insurance Cover Ransomware Payments?

Will my general liability policy cover a cyber incident?
No. General liability policies explicitly exclude most cyber losses. Some older policies had limited cyber coverage, but insurers have largely removed it. If you rely on a GL or BOP for cyber protection, you have a coverage gap.

How do I lower my cyber insurance premium?
The single most effective action is documenting and strengthening your security controls before your next renewal. MFA across all users, EDR on all endpoints, and immutable backups with tested restores are the three controls that move the needle most. See our full checklist: Cyber Insurance Requirements Checklist.

Does location affect cyber insurance cost?
Yes, though it is the least influential pricing factor compared to revenue, industry, and controls. States with strict privacy laws and plaintiff-friendly courts, including California, New York, and Illinois, tend to run 10 to 24% above the national average. States with lighter regulatory environments run 10 to 15% below average.

What deductible should I choose?
The average deductible for small business cyber policies is $2,500. Higher deductibles lower your premium but increase out-of-pocket exposure when a claim occurs. Choose the highest deductible you could realistically self-fund in a crisis. If you could not write that check within the first 72 hours of an incident, the deductible is too high.

How often should I shop my cyber coverage?
Every renewal cycle, at minimum. The market has moved significantly in the past 24 months. A policy written at peak-market rates in 2022 should be benchmarked against current pricing. If your revenue, headcount, or security posture has changed, your premium should change too.

What is the difference between cyber insurance and Tech E&O?
Cyber insurance covers losses from security incidents such as breaches, ransomware, and business interruption. Technology Errors and Omissions (Tech E&O) covers claims that your technology product or service failed to perform as promised and caused a client financial harm. Tech companies and MSPs typically need both. Full comparison: Tech E&O vs. Cyber Insurance: Which Policy Responds When.

How do I get a cyber insurance quote?
SeedPod Cyber works with businesses across every industry to assess risk, document controls, and place coverage with carriers that fit their profile. Contact us to get started.




Ready to find out what your business would actually pay? SeedPod Cyber accesses over a dozen cyber insurance markets to find coverage that fits your risk and your budget. Contact us to get started.