By Ryan Windt | Head of Growth Marketing | Updated March 2026
Cyber attacks are no longer only a big-business problem. Attackers have shifted their focus deliberately toward smaller organizations: fewer defenses, faster payouts, and less sophisticated incident response. Yet most small and mid-sized businesses are still operating under the assumption that their existing coverage handles it, or that they’re too small to be a target.
Both assumptions are wrong. This post breaks down what a breach actually costs, what your current policies don’t cover, and what to look for in a standalone cyber policy.
The Numbers That Should Change Your Mind
Before getting into coverage details, it’s worth understanding what’s actually at stake financially.
- The global average cost of a data breach in 2024 was $4.88 million, a 10% increase from the year before.
- In the U.S., that number rises to $9.36 million per incident on average.
- The average ransomware claim in early 2025 hit $1.18 million, up from $705,000 in 2024.
- Nearly 75% of businesses were hit by ransomware in 2024.
- 60% of small businesses that suffer a significant breach close within six months.
These aren’t enterprise numbers. Ransomware operators don’t discriminate by company size. They target whoever has accessible systems and something worth protecting.
Why Your Existing Policies Leave You Exposed
This is where most businesses get caught off guard. They assume one of their existing policies covers a cyber event. In almost every case, it doesn’t.
General Liability covers bodily injury, property damage, and personal injury claims. It explicitly excludes digital assets, data breaches, and cyber events in virtually every modern policy form.
Commercial Property covers physical assets. Your servers are covered if they burn in a fire. They are not covered if ransomware makes them unusable.
Business Owner’s Policy (BOP) combines general liability and property coverage. The same gaps apply. Some older BOPs included limited cyber endorsements, but insurers have been removing them, and the sub-limits on those endorsements were rarely adequate anyway.
Professional Liability / E&O covers claims that your professional services caused a client harm. It does not cover your own first-party losses from an attack, and its third-party coverage is narrower than a dedicated cyber policy.
The bottom line: if you experience a ransomware attack, a business email compromise, or a data breach today and you don’t have standalone cyber coverage, you are paying for everything out of pocket.
What a Real Breach Actually Costs
The headline number from IBM or Verizon often gets dismissed as “enterprise data.” Here’s what a breach actually looks like in dollar terms for a small or mid-sized business.
| Cost Category | Typical Range (SMB) |
|---|---|
| Forensic investigation | $15,000 – $50,000 |
| Legal fees and counsel | $20,000 – $75,000 |
| Customer notification | $5,000 – $30,000 |
| Regulatory fines (HIPAA, PCI, state) | $10,000 – $500,000+ |
| Business interruption / lost revenue | $25,000 – $250,000+ |
| Ransomware payment | $50,000 – $1,000,000+ |
| PR and crisis communications | $5,000 – $25,000 |
| System restoration | $10,000 – $100,000 |
| Total exposure | $140,000 – $2,000,000+ |
None of those line items are hypothetical. Every one of them shows up in real claims. And most businesses hit by ransomware experience several simultaneously.
What Standalone Cyber Insurance Actually Covers
A properly structured cyber policy covers two categories of loss.
First-Party Coverage: Your Own Losses
This is the coverage most businesses are underestimating. First-party cyber covers what happens to you directly when an incident occurs.
- Forensic investigation to identify the source and scope of the breach
- Data recovery and system restoration costs
- Business interruption losses, meaning the revenue you lose while systems are down
- Ransomware extortion payments (where legally permitted)
- Crisis communications and public relations support
- Regulatory defense costs and covered fines
Third-Party / Liability Coverage: Claims Against You
If a breach exposes your customers’ or partners’ data, they may come after you. Third-party coverage addresses those exposures.
- Legal defense costs from lawsuits filed by affected clients or partners
- Settlements and judgments from privacy claims
- PCI DSS fines and card brand assessments if payment data is compromised
- Media liability for content-related claims
The Coverage Gaps Most Businesses Don’t Know About
Even among companies that have cyber coverage, a few common gaps consistently show up at claim time.
Ransomware sublimits. Many policies have a headline limit of $1M but cap ransomware-specific payments at $250,000. If your policy has a ransomware sublimit, find out what it is before you need it.
Social engineering and BEC exclusions. Business email compromise, where an attacker impersonates a vendor or executive and tricks someone into wiring money, is now the single most common claim driver. Some policies exclude it entirely or apply a much lower sublimit. Confirm your policy covers it.
Contingent business interruption. If a third-party vendor you rely on, such as a cloud provider, a SaaS platform, or a payment processor, goes down due to a cyber event, your policy may not cover your resulting losses unless it includes contingent business interruption (CBI) coverage. This gap became very visible during the CrowdStrike outage in 2024.
Retroactive date gaps. Cyber policies have retroactive dates, meaning the earliest point in time from which a claim can originate. If you switch carriers and your new policy’s retroactive date doesn’t match your old one, you may have a window of uninsured exposure.
Who Needs Standalone Cyber Insurance
The honest answer is: any business that stores data, processes payments, or relies on digital systems to operate. But certain profiles have especially high exposure.
Healthcare and medical practices — PHI is the most targeted data category. HIPAA fines alone can be devastating, and ransomware attacks on healthcare have hit record frequency and severity.
Financial services and fintech — payment data, account information, and wire transfer capability make financial businesses prime targets for BEC and credential theft.
Professional services (legal, accounting, consulting) — client confidentiality creates significant third-party liability if data is exposed. Law firms in particular hold highly sensitive information across many clients simultaneously.
Technology companies and SaaS — if your product touches client data or your platform goes down, you face both first-party business interruption and third-party liability from affected clients.
Retailers and e-commerce — payment card data and PCI DSS compliance make these businesses a consistent target category.
Manufacturers — ransomware operators specifically target manufacturing because operational downtime creates immediate pressure to pay. The average ransom demand in manufacturing is among the highest of any sector.
If your business falls into any of these categories and you don’t have standalone cyber coverage, you are carrying uninsured risk that your other policies will not respond to.
What to Look for in a Cyber Policy
Not all cyber policies are created equal. When evaluating coverage, ask these questions.
What are the sublimits? Get the actual sublimit for ransomware, social engineering / BEC, and contingent business interruption. If any of these are dramatically lower than your headline limit, that’s your real coverage.
What’s the retroactive date? If switching carriers, make sure there’s no gap between your old policy’s coverage period and your new one.
Who’s on the incident response panel? When a breach happens, you want access to experienced forensic firms, ransomware negotiators, and legal counsel. Ask who’s on the carrier’s panel and whether you have a choice.
Is coverage occurrence-based or claims-made? Most cyber policies are claims-made, meaning the policy in force when the claim is reported is the one that responds, not the policy in force when the incident occurred. Understand the implications for your specific situation.
Does it cover regulatory defense? If you’re in healthcare, financial services, or handle personal data at scale, regulatory exposure is real. Confirm your policy includes regulatory defense and fines coverage where insurable.
Frequently Asked Questions
Does cyber insurance cover human error?
Yes, in most cases. Accidental data exposure, misconfigured systems that allow unauthorized access, and employee-driven phishing clicks are typically covered. Intentional acts by employees are generally excluded.
Is cyber insurance required by law?
Not federally, but some industries and states are moving toward requirements. Healthcare organizations subject to HIPAA face regulatory pressure to maintain adequate coverage. Many vendor and client contracts now require it as a condition of doing business. Even where it isn’t mandated, the financial exposure of operating without it far outweighs the premium cost.
How long does it take to get covered?
For most SMBs, a cyber insurance quote can be generated in under 24 hours and a policy can be bound quickly thereafter. Larger or more complex accounts take longer due to underwriting review.
What happens if I have a breach before I buy a policy?
Cyber policies cover incidents that occur after the retroactive date and are reported during the policy period. A known breach or ongoing incident at the time of application will typically be excluded. Don’t wait until after a problem surfaces to get covered.
How do I know if I’m paying the right price?
Benchmark your premium against current market rates for your industry and revenue tier. The market has shifted significantly in the past two years, and companies that haven’t shopped their coverage recently are likely overpaying. A current quote is the only way to know.
Don’t wait for a breach to find out what your coverage actually covers. Get a competitive standalone cyber quote at SeedPod Cyber and benchmark your current protection today.