Cyber Insurance Small Business Cost Calculator
Cyber insurance covers ransomware, data breach, business interruption from cyberattack. Premium driven by revenue, industry, MFA adoption, EDR deployment, backup strategy.
| Annual revenue | — |
| Industry risk factor | — |
| Base premium (per $1K revenue, by industry) | — |
| Coverage limit factor | — |
| Security controls discount | — |
| Estimated annual premium | — |
| Typical deductible | — |
Cyber insurance has become essential for small and mid-sized businesses in 2026. Premiums vary widely based on revenue, industry risk, and security controls. A $5M-revenue retail business might pay $3K-$8K/year for $1M coverage; a $5M healthcare business pays $15K-$30K for the same coverage. Strong security controls (MFA, EDR, offline backups, employee training) qualify for 25-40% discounts and may be required to obtain coverage at all.
What Cyber Insurance Covers
Standard cyber insurance policies cover: (1) Ransomware payments and negotiation (with restrictions). (2) Data breach response (forensics, notification, credit monitoring). (3) Regulatory fines (HIPAA, GDPR, state breach laws). (4) Business interruption from cyber events. (5) Third-party liability (customer data breach lawsuits). (6) Social engineering fraud (limited sub-limits, typically $250K). Most policies have separate sub-limits for each coverage type — don't assume your $1M policy covers $1M of any one category.
Required Security Controls
Insurers in 2026 require demonstrable security controls before issuing coverage: (1) MFA on all admin and email accounts. (2) EDR (endpoint detection and response) software like CrowdStrike or SentinelOne. (3) Offline or air-gapped backups tested regularly. (4) Employee phishing training. (5) Vulnerability patching policy. (6) Incident response plan. Failure to maintain stated controls during the policy period can void coverage on claim.
Major Exclusions
Read your policy carefully — common exclusions include: war and cyber-war (Lloyd's of London 2022 clause excludes nation-state attacks like NotPetya), criminal acts by insureds, fines from intentional violations, pre-existing breaches you knew about, supply chain attacks affecting your vendor (typically separate coverage required), social media reputation damage. Source: NAIC, Marsh Cyber Insurance Report, Verizon DBIR.
Last updated May 2026. Sources: NAIC Cyber Risk.