📊 Pricing Guide · Updated June 2026

How Cyber Insurance Pricing Actually Works for Small Business

Most small businesses have no idea what they're paying for or why. This guide breaks down every factor that determines your premium — and what actually moves the needle on cost.


What Drives Your Premium

6 Factors That Determine Your Cyber Insurance Cost

Insurers price cyber policies based on your risk profile — not just your industry. Here's what they actually look at.

Industry Classification

Healthcare, legal, accounting, and tech companies pay more — they handle sensitive data and face targeted attacks. Retail and construction typically face lower base rates. Your NAICS code directly influences the quote.

Annual Revenue

Revenue is a proxy for potential loss exposure. Higher revenue = larger data assets at risk = higher premium. A $500K revenue firm will pay materially less than a $5M firm for the same coverage limits.

Security Controls (MFA, EDR, Backups)

The single biggest cost lever. Insurers verify MFA on all remote access, EDR on endpoints, and immutable offline backups. Businesses with all three typically pay 20–40% less than those without.

Claims & Incident History

A ransomware incident in the past 3 years can increase premiums by 30–100%. Insurers ask about prior claims on the application. Disclose everything — failure to disclose voids coverage when you need it.

Data Type & Volume

Businesses handling PII, PHI, payment card data (PCI scope), or large volumes of customer records face higher rates. The more sensitive the data, the higher the exposure if it's breached.

Coverage Limits & Deductible

Higher per-incident limits (e.g., $1M vs $250K) and lower deductibles increase the base premium. A higher deductible ($5K vs $1K) can reduce the annual cost by 15–25%. Balance cash flow vs. risk appetite.

2026 Market Rates

What Small Businesses Actually Pay in 2026

Ranges based on aggregated quote data from multiple carriers for businesses with 1–50 employees, reviewed Q1–Q2 2026. Your quote will vary based on your specific risk profile.

Solo / Micro (1–2 employees), typical annual revenue <$250K
  Entry-Level Policy: $500–$900/yr ($100K–$250K limit, basic coverage)
  Mid-Tier Policy: $900–$1,500/yr ($250K–$500K limit, ransomware included)
  Comprehensive: $1,500–$2,500/yr ($500K–$1M limit, full suite)

Small (3–10 employees), typical annual revenue $250K–$1M
  Entry-Level Policy: $900–$1,500/yr ($250K limit, standard exclusions)
  Mid-Tier Policy: $1,500–$2,500/yr ($500K limit, ransomware + BI)
  Comprehensive: $2,500–$4,000/yr ($1M limit, social engineering)

Growing SMB (10–50 employees), typical annual revenue $1M–$10M
  Entry-Level Policy: $1,500–$2,500/yr ($500K limit, basic first-party)
  Mid-Tier Policy: $2,500–$4,000/yr ($1M limit, full first + third party)
  Comprehensive: $4,000–$7,500/yr ($2M limit, all sublimits included)

High-Risk Industry *, any revenue
  Healthcare, legal, accounting, and financial services typically pay 40–80% more due to elevated breach risk and regulatory exposure. PCI scope adds additional underwriting requirements.

* High-risk industry surcharges apply on top of the base tier pricing. Rates vary by carrier — get multiple quotes to compare.

Coverage Tiers

What Coverage Level Should You Prioritize?

The right tier depends on your data exposure, revenue, and risk tolerance. Here's the honest breakdown.

Entry Level

First Party Coverage

$500–$1,500/yr

Best for: Businesses with minimal digital footprint, few employees, low PII exposure.

  • Ransomware response costs (recovery, forensics)
  • Data restoration and recreation
  • Business interruption losses
  • Third party / privacy liability lawsuits
  • Regulatory fine coverage
  • Social engineering / BEC fraud

Maximum Protection

Comprehensive (SMB+)

$4,000–$7,500/yr

Best for: Businesses with significant customer PII, PCI scope, or vendor contract requirements.

  • Everything in Full First + Third Party
  • Social engineering / BEC fraud coverage
  • Higher per-incident and aggregate limits
  • Direct breach response team (24/7 hotline)
  • Sublimits for regulatory fines, notification
  • Vendor breach liability extension

How to Lower Your Cyber Insurance Premium

Insurers reward good security posture. Here's what actually moves the needle before your next quote.

  1. Enable MFA everywhere. Email, VPN, admin consoles, cloud services (AWS/GCP/Azure). This is the #1 control insurers check — no MFA often means declined coverage.
  2. Deploy EDR on all endpoints. Microsoft Defender for Business, SentinelOne, or CrowdStrike Falcon Go cover the requirement. EDR enables 24/7 threat detection that insurers want to see.
  3. Create immutable backups. Automated backups with a write-once copy that ransomware cannot overwrite. Cloud backup with versioned snapshots satisfies this. Test restores quarterly.
  4. Document your Incident Response Plan. Written IRP with defined roles, containment steps, notification timeline, legal counsel, and forensics process. Insurers want the paper, not just the plan.
  5. Run a cyber readiness assessment first. Identify gaps before your insurer's questionnaire does. CyberStackHub's free assessment scores your posture across 20+ controls and tells you exactly what to fix.
  6. Quote 3+ carriers via a cyber specialist broker. Pricing varies significantly. A cyber-specialist broker (not a general P&C broker) can match your industry and risk profile to the best-fit carrier and avoid application mistakes that haunt renewals.

Common Questions

Frequently Asked Questions

The questions small business owners actually ask — answered directly.

How much does cyber insurance cost for a small business?
Small business cyber insurance typically costs between $500 and $2,500 per year for base coverage (First Party / Third Party Liability), and $1,500 to $5,000+ per year for comprehensive policies with full coverage limits of $1M+. Costs scale with annual revenue, industry classification, and the security controls in place. Businesses with strong cyber hygiene — MFA, EDR, documented IRP — consistently pay 20–40% less than peers with minimal controls.
What factors affect cyber insurance premiums for small businesses?
Six primary factors determine cyber insurance pricing: (1) Industry classification — healthcare, legal, finance, and tech firms pay more due to higher breach risk. (2) Annual revenue — larger top-line means higher potential loss exposure. (3) Security controls — insurers check for MFA on all accounts, EDR deployment, immutable backups, and a written incident response plan. (4) Claims history — prior breaches or ransomware incidents spike premiums. (5) Data sensitivity — businesses handling PII, PCI, or PHI face higher rates. (6) Coverage limits and deductibles — higher limits and lower deductibles increase premiums.
Does having MFA reduce cyber insurance costs?
Yes. Multi-factor authentication is the single most impactful control for both reducing risk and lowering premiums. Insurers view MFA as a baseline requirement in 2026 — without it, many carriers will decline coverage or apply a significant surcharge. Businesses with enforced MFA across all accounts (email, VPN, admin consoles, cloud services) typically see 15–25% premium reductions compared to similar businesses without MFA.
What does a typical cyber insurance policy cover?
Standard cyber insurance policies include: First Party Coverage (ransomware response costs, business interruption losses, data restoration, crisis management/PR), Third Party Coverage (privacy liability lawsuits, regulatory fines, notification costs), and in premium tiers, Social Engineering Fraud (BEC/phone fraud losses). The specific sublimits and per-incident caps vary by insurer and tier — always review the policy wording carefully before binding.
Can I get cyber insurance with a prior breach or ransomware incident?
Yes, but expect higher premiums and more scrutiny. Insurers will ask about prior incidents in the application. A single ransomware incident in the past 3 years can increase premiums by 30–100% or result in coverage restrictions. The key is demonstrating what controls are now in place post-incident — updated IRP, EDR, MFA, and staff training. Some carriers specialize in 'post-breach' coverage. It's always better to apply than to go without coverage.
What cyber security controls do insurers require before quoting?
Most insurers in 2026 require: (1) MFA on all remote access, email, and admin accounts. (2) EDR on all workstations and servers. (3) Immutable offline backups — backups that cannot be overwritten or deleted by attackers. (4) Written Incident Response Plan. (5) Patch management process with documented updates. (6) Phishing/security awareness training for all employees. Failure to meet these minimums often results in declined coverage or significant premium load.
Is cyber insurance required by law for small businesses?
Not federally mandated in the US as of June 2026, but several states and industries have requirements: New York requires cyber insurance for financial services firms (DFS 500 regulation). California SB 553 mandates written IRP for businesses with $25M+ revenue handling personal data. HIPAA-covered entities (healthcare) effectively need breach response coverage as part of compliance. Your clients may also require you to carry cyber insurance via vendor contracts — check your agreements.
Does cyber insurance cover ransomware payments?
Most policies cover ransomware response costs (forensics, restoration, business interruption) and many cover the ransom payment itself, subject to the policy sublimits. However, war exclusions and sanctions clauses can void payment if the attacker is on an OFAC-sanctioned list. Always notify your insurer before paying any ransom — unauthorized payments may not be reimbursed. Your insurer's response team will guide the decision process.

Get Your Cyber Readiness Score to Lower Your Premium

Insurers reward businesses that can demonstrate strong security posture. Find out where you stand before your next quote — and what to fix first.