Best Cyber Insurance for Small Business (2026 Guide)

2026-03-10

Best Cyber Insurance for Small Business: The Complete 2026 Guide

A ransomware attack hit a mid-sized dental practice in Ohio last year. Attackers encrypted every patient record, appointment history, and billing file. The ransom demand was $85,000. The forensic investigation cost $40,000. Legal notifications to 4,200 patients cost $28,000. Business interruption while the practice ran on paper for three weeks: $60,000. Total damage: over $200,000.

The practice had cyber insurance. Their out-of-pocket cost: their $5,000 deductible.

That's what cyber insurance does. And in 2026, it's no longer optional for any small business that stores customer data, processes credit cards, or relies on digital systems to operate.

This guide compares the best cyber insurance providers for small businesses, breaks down what coverage actually means, and explains exactly what to buy — before you need it.



Why Small Businesses Are the Primary Target

Small businesses are not too small to be targeted. In fact, they're specifically targeted — because they typically have weaker security than enterprises but still hold valuable data: customer payment information, health records, employee Social Security numbers, and confidential business information.

The numbers are stark:

  • 43% of all cyberattacks target small businesses, according to Verizon's annual Data Breach Investigations Report
  • The average cost of a data breach for a small business is $200,000–$300,000 when all costs are tallied
  • 60% of small businesses close within 6 months of a major cyberattack, primarily due to cash flow collapse during recovery
  • Ransomware attacks on small businesses increased by 300% between 2022 and 2025

The threat landscape is no longer theoretical. Ransomware-as-a-service kits sell on the dark web for a few hundred dollars. Phishing campaigns are automated. A single misconfigured cloud storage bucket can expose thousands of customer records.

What changed between 2020 and 2026 is the attackers' business model: they now target volume. Running 10,000 automated attacks on small businesses with weak security and collecting $10,000–$50,000 per successful ransomware hit is more profitable than targeting one large enterprise with robust defenses.

Your business doesn't need to be famous to be a target. It just needs to be online.


What Cyber Insurance Covers

Cyber insurance policies are not uniform — coverage varies significantly by provider and policy tier. Understanding the two main categories (first-party and third-party) is essential before buying.

First-Party Coverage (Your Own Losses)

First-party coverage pays for direct losses your business suffers as a result of a cyber incident:

Data recovery and system restoration — The cost to recover, restore, or recreate data and systems after an attack. This includes IT forensic services, data recovery specialists, and new hardware if necessary.

Business interruption / income loss — Revenue lost while your systems are offline. If you can't process orders, access customer data, or operate normally for a week because of a ransomware attack, business interruption coverage replaces that lost income.

Ransomware and extortion payments — If attackers demand payment to restore access to your systems or to not publish stolen data, many policies cover the ransom itself (subject to legal restrictions and insurer approval). They also cover the cost of professional negotiators.

Forensic investigation — Understanding how an attack happened and what was compromised is legally and operationally necessary. Forensic IT firms charge $200–$500/hour; a thorough investigation can run $20,000–$100,000.

Notification costs — 48 U.S. states have data breach notification laws requiring you to notify affected individuals in writing. For 5,000 affected customers, notification costs (printing, postage, call center) can easily reach $50,000–$100,000.

Credit monitoring for affected individuals — Many states and customers expect you to provide credit monitoring services (typically 12 months) for affected individuals. Cost: $10–$20 per person.

Crisis communications and public relations — Managing your reputation after a public breach requires professional PR. A PR crisis team can charge $10,000–$50,000 for incident response communications.

Third-Party Coverage (Claims Against You)

Third-party coverage pays for liability claims made by other parties whose data or systems were affected by an incident at your business:

Privacy liability — Claims from customers, vendors, or employees whose personal information was exposed. If a customer sues you because their credit card was stolen in a breach of your systems, third-party coverage pays your legal defense and any settlements.

Network security liability — Claims from other businesses whose systems were compromised because of a breach that originated at your company. If your vendor network is breached through your systems, this pays for those claims.

Regulatory fines and penalties — Data protection regulations (HIPAA, CCPA, GDPR, state laws) carry significant fines for breaches. Many cyber policies cover regulatory defense costs and penalties where legally insurable.

Media liability — Claims related to content you publish online, including defamation, copyright infringement, and privacy violations in digital media.

Additional Coverages to Look For

Social engineering / wire transfer fraud — Employees deceived into wiring money to fake bank accounts. This coverage is often sold as a rider; confirm it's explicitly included if your business processes significant wire transfers.

Cyber crime / funds transfer fraud — Direct financial losses from criminals accessing your bank accounts through stolen credentials.

Technology errors and omissions (Tech E&O) — If your business provides technology products or services, coverage for claims arising from failures or errors in those services. Often bundled with cyber liability for tech companies.

Dependent business interruption — If a cloud provider, SaaS vendor, or utility you rely on experiences a cyber incident that disrupts your operations, this coverage applies. Increasingly important as businesses depend on third-party cloud services.


What Cyber Insurance Does Not Cover

Understanding exclusions is as important as understanding coverage. Common cyber insurance exclusions include:

State-sponsored attacks ("war exclusion") — Attacks attributed to nation-state actors (North Korea, Russia, China) may be excluded as "acts of war." This exclusion caused major disputes after the 2017 NotPetya attack and remains contested. Look for "hostile cyber act" language and understand your policy's specific carve-outs.

Prior or known incidents — Coverage applies to new incidents, not breaches that occurred before your policy effective date or that you were already aware of.

Intentional acts — Damage your employees deliberately cause is excluded. If a disgruntled employee intentionally deletes your database, that may be covered under a crime policy rather than cyber.

Bodily injury and property damage — Cyber insurance covers digital losses. If a cyberattack causes physical damage (e.g., an attack on industrial equipment causes a fire), property insurance handles that component.

Infrastructure failure — General power outages or internet service disruptions not caused by a cyber incident are excluded.

Unencrypted devices — Many policies exclude claims arising from lost or stolen unencrypted laptops or USB drives. Confirm whether encryption is required.

Poor security practices — Insurers increasingly deny or reduce claims when basic security controls were absent (no MFA, no patches, default passwords). Document your security practices.


Best Cyber Insurance Providers for Small Business

1. Coalition — Best Overall for Small Businesses

Starting price: ~$750/year for very small businesses; $1,200–$3,000/year for most

Coalition is the leading specialized cyber insurance provider for small and mid-sized businesses, and for good reason. What distinguishes Coalition is its active risk management approach: every policyholder gets free access to Coalition Control, a continuous security monitoring platform that scans your internet-facing systems and alerts you to vulnerabilities before they become incidents.

What makes Coalition stand out:

Active cybersecurity monitoring — Coalition's platform continuously scans your domain, IP addresses, and exposed services. When they find an unpatched vulnerability or exposed credential, they alert you immediately. This proactive approach means many incidents are prevented entirely, not just covered after the fact.

Broad coverage — Coalition's policies include first-party and third-party coverage, ransomware, social engineering fraud, funds transfer fraud, business interruption, and dependent business interruption (cloud provider outages).

Incident response included — Coalition has in-house incident response teams available 24/7. You don't need to find a forensics firm during a crisis — they send one.

Competitive pricing — Coalition frequently offers lower premiums than traditional insurers because their security monitoring reduces claim frequency. Businesses with strong security hygiene (MFA, patched systems) are rewarded with lower rates.

Coverage limits: Up to $15 million for mid-market; $1–$3 million commonly available for small businesses

Deductibles: $1,000–$25,000 depending on business size and risk

Best for: Any small business serious about both coverage and prevention. Especially valuable for tech companies, professional services, and e-commerce businesses.


2. Chubb — Best for High-Limit Coverage and Complex Businesses

Starting price: $1,500–$4,000/year for small businesses

Chubb is one of the world's largest and most financially stable insurers, and their Cyber Enterprise Risk Management (ERM) policy is widely considered the gold standard for comprehensive cyber coverage. Chubb is the choice when you need high limits, broad coverage language, and the certainty of a carrier that will be there when a large claim hits.

What makes Chubb stand out:

Broadest coverage language — Chubb's policies are known for few exclusions and broad definitions of covered events. Their "manuscript" policy approach means complex businesses can customize coverage.

High available limits — Chubb can provide cyber coverage up to $100 million for larger businesses. Small businesses can access $1–$10 million limits easily.

Financial strength — Chubb's AM Best rating of A++ means you don't need to worry about the carrier being able to pay a large claim.

Reputation in claims — Chubb is known for paying claims promptly and fairly. This matters more than almost any other factor when evaluating an insurer.

Drawbacks: Chubb's pricing is premium — you pay for the quality. Not always the best value for micro-businesses with simple risk profiles.

Best for: Established small and mid-sized businesses with revenue over $2 million, businesses in high-risk industries (healthcare, legal, financial), and any business that needs high limits.


3. Hiscox — Best for Micro-Businesses and Startups

Starting price: ~$500–$1,200/year

Hiscox has built a reputation for small business insurance — particularly for professional services, consultants, and freelancers. Their cyber insurance offering is straightforward, affordable, and easy to purchase online in minutes.

What makes Hiscox stand out:

Lowest entry price — Hiscox offers cyber coverage starting around $500/year, making it accessible for solo practitioners, freelancers, and very small businesses.

Bundling discounts — Hiscox is well-known for professional liability (E&O) insurance. Bundling cyber coverage with an existing Hiscox E&O policy often results in meaningful discounts.

Simple online application — The Hiscox quoting process is among the fastest in the market. Low-risk businesses can get a quote and bind coverage in under 10 minutes.

Broad small business focus — Hiscox covers over 180 professions and industries at the small business level, giving them deep expertise in common small business risk scenarios.

Drawbacks: Coverage limits are lower than Coalition or Chubb. Policies max out around $2–$5 million. For businesses with significant data assets or high revenue, you may outgrow Hiscox quickly.

Best for: Freelancers, consultants, solo practitioners, and businesses under $2 million in revenue that want straightforward, affordable coverage.


4. Travelers — Best for Businesses with Existing Travelers Policies

Starting price: $1,000–$3,000/year

Travelers is one of the largest commercial insurers in the US and offers a robust cyber product — CyberRisk — that integrates well with other Travelers policies. If your business already has a Travelers BOP (Business Owner's Policy), adding cyber coverage is straightforward and often discounted.

What makes Travelers stand out:

Integrated commercial coverage — For businesses with Travelers BOP or GL policies, adding cyber is simple and avoids coverage gaps that can occur when cyber and property coverage are from different carriers.

Threat intelligence — Travelers provides policyholders access to threat intelligence reports and security resources.

Strong claims handling — Travelers has decades of claims experience and the infrastructure to handle complex cyber claims.

Drawbacks: Travelers doesn't have Coalition's proactive security monitoring. Pricing is competitive but not always the lowest. Requires working through an agent rather than direct online purchase.

Best for: Businesses that already use Travelers for other commercial insurance and want to consolidate policies.


5. Embroker — Best for Tech Companies and Startups

Starting price: ~$1,000–$4,000/year

Embroker is a digital-first insurance platform that specializes in startup and tech company coverage. Their cyber product is purpose-built for technology businesses — software companies, SaaS providers, MSPs, and any business where technology is the core product.

What makes Embroker stand out:

Tech-specific coverage — Embroker's policies are designed for the specific risks tech companies face: software failures, API security incidents, cloud infrastructure breaches, and technology errors.

Digital platform — Embroker's entire workflow is digital. Apply, compare, bind, and manage policies through their platform. Certificates of insurance generate instantly.

Tech E&O bundling — For tech companies, bundling cyber liability with technology E&O in one policy from Embroker is cleaner than managing two separate policies from different carriers.

VC and investor familiarity — Embroker is well-known in the startup ecosystem. Investors sometimes expect specific coverage terms that Embroker's standard products meet out of the box.

Best for: Software companies, SaaS businesses, MSPs, tech startups, and any business where technology is the primary product or service.


6. Corvus Insurance — Best for Data-Intensive Businesses

Starting price: ~$800–$2,500/year

Corvus is a specialist cyber insurer that uses AI-driven underwriting and continuous security scanning — similar to Coalition — to price policies based on real security posture rather than just industry and revenue. Corvus tends to be particularly competitive for businesses in data-intensive industries.

What makes Corvus stand out:

AI-driven risk assessment — Corvus analyzes your actual security posture when underwriting, meaning businesses with strong controls get better pricing regardless of industry.

Continuous security scanning — Like Coalition, Corvus scans policyholder systems and alerts to new vulnerabilities.

Healthcare and financial services expertise — Corvus has strong coverage options for high-risk industries that face elevated regulatory scrutiny.

Threat intelligence — Corvus provides policyholders with threat intelligence specific to their industry.

Best for: Healthcare practices, financial services firms, law firms, and other data-intensive businesses where security posture varies widely.


Side-by-Side Comparison

| Provider | Starting Price/Year | Best For | Max Limits | Online Purchase | Security Monitoring |
|---|---|---|---|---|---|
| Coalition | ~$750 | Most small businesses | $15M | ✅ | ✅ Continuous |
| Chubb | ~$1,500 | High limits, complex risk | $100M+ | ❌ (agent) | ⚠️ Limited |
| Hiscox | ~$500 | Micro-businesses, freelancers | $5M | ✅ | ❌ |
| Travelers | ~$1,000 | Bundling with existing Travelers | $10M+ | ❌ (agent) | ⚠️ Limited |
| Embroker | ~$1,000 | Tech companies, startups | $10M | ✅ | ⚠️ Limited |
| Corvus | ~$800 | Data-intensive industries | $10M | ✅ | ✅ Continuous |

Coverage Features Comparison

| Coverage Feature | Coalition | Chubb | Hiscox | Travelers | Embroker | Corvus |
|---|---|---|---|---|---|---|
| First-party data recovery | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Business interruption | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Ransomware / extortion | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Third-party privacy liability | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Social engineering (wire fraud) | ✅ | ✅ | ⚠️ Add-on | ✅ | ⚠️ Add-on | ✅ |
| Regulatory fines coverage | ✅ | ✅ | ⚠️ Limited | ✅ | ✅ | ✅ |
| Dependent biz interruption | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Tech E&O bundling | ❌ | ⚠️ Separate | ⚠️ Separate | ⚠️ Separate | ✅ | ❌ |
| 24/7 incident response | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |


How Much Does Cyber Insurance Cost?

Cyber insurance pricing depends on several factors. Here's what to expect:

Primary Pricing Factors

Industry / business type — Healthcare, financial services, legal, and retail businesses pay more because they hold sensitive regulated data. Professional services and consulting businesses pay less.

Annual revenue — Higher revenue means more at stake. A $5M revenue business pays more than a $500K revenue business in the same industry.

Number of records — The number of customer, patient, or employee records you store directly affects potential notification and liability costs.

Security controls — MFA adoption, backup quality, patch management, and employee training measurably affect premiums.

Coverage limits and deductible — Higher limits cost more; higher deductibles lower premiums.

Claims history — A prior cyber claim significantly increases renewal premiums.

Typical Annual Premium Ranges by Business Type

| Business Type | Revenue | Typical Annual Premium | Coverage Limit |
|---|---|---|---|
| Freelancer / consultant | Under $250K | $500–$900/year | $500K–$1M |
| Small retail / e-commerce | $500K–$2M | $800–$2,000/year | $1M–$2M |
| Professional services firm | $1M–$5M | $1,200–$3,500/year | $1M–$3M |
| Medical practice | $1M–$5M | $2,000–$6,000/year | $1M–$5M |
| Law firm | $2M–$10M | $2,500–$7,000/year | $2M–$5M |
| Financial services (RIA, CPA) | $1M–$5M | $2,000–$5,000/year | $1M–$5M |
| SaaS / tech company | $1M–$10M | $1,500–$5,000/year | $2M–$10M |

What Affects Premiums Most

Multi-factor authentication (MFA): The single most impactful security control. Insurers often ask specifically whether MFA is enabled on email and remote access. Companies without MFA pay 25–40% more and may be declined coverage entirely.

Data backup quality: Verified, tested backups stored offline or in a separate cloud environment meaningfully reduce ransomware exposure. Insurers want to know you can recover without paying.

Employee training: Documented phishing simulation and security awareness training lowers risk in underwriters' eyes.

Prior incidents: A breach in the past 3 years typically means higher premiums, stricter exclusions, or difficulty finding coverage.


How to Choose the Right Cyber Policy

Step 1: Identify Your Specific Risks

Every business has different cyber exposures. Before shopping for a policy, answer these questions:

  • What personal or sensitive data do you store? (Payment cards, Social Security numbers, health records, financial data)
  • How many customers / patients / employees' records do you hold?
  • Do you process online payments?
  • Do you have employees with remote access to company systems?
  • Do you use cloud services (AWS, Microsoft 365, Google Workspace) for critical operations?
  • Do you have regulatory obligations (HIPAA, PCI-DSS, CCPA, GLBA)?
  • Do you wire transfer money regularly? (Social engineering risk)

Step 2: Set Your Coverage Limits

A general rule: your cyber coverage limit should be at least equal to your realistic maximum loss scenario. Work through this calculation:

| Potential Cost | Estimate |
|---|---|
| Forensic investigation | $20,000–$100,000 |
| Business interruption (1–4 weeks) | $50,000–$200,000 |
| Notification costs (per record × number of records) | $2–$10 per record |
| Credit monitoring (12 months per affected individual) | $10–$20 per person |
| Legal defense | $50,000–$200,000+ |
| Regulatory fines | $10,000–$500,000+ |
| Ransomware payment (if applicable) | $20,000–$500,000+ |

For most small businesses, $1 million in coverage is the minimum; $2–$3 million is more prudent. If you hold healthcare data (HIPAA-covered) or financial data, $5 million is worth considering.
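To carry the Step 2 calculation through, here is an added example (not part of the original guide) that sums the cost table for a given record count and rounds the worst case up to a coverage limit. The function names, the round-up-to-the-next-$1M rule and the sample scenario are my assumptions; the scenario figures are constructed from the Ohio dental-practice numbers quoted in the introduction.

```python
"""Worked coverage-limit estimate using the Step 2 cost table.

Assumptions (not from the article): the function names, rounding the
recommended limit up to the next $1M, and the sample scenario below,
which is constructed from the dental-practice figures in the intro.
"""
from dataclasses import dataclass

# Cost ranges straight from the Step 2 table. "+" upper bounds are taken
# at the printed figure; per-record items scale with the record count.
FIXED_COSTS = {
    "forensic_investigation": (20_000, 100_000),
    "business_interruption": (50_000, 200_000),
    "legal_defense": (50_000, 200_000),
    "regulatory_fines": (10_000, 500_000),
}
PER_RECORD_COSTS = {
    "notification": (2, 10),
    "credit_monitoring": (10, 20),
}
RANSOM_RANGE = (20_000, 500_000)


@dataclass
class LossEstimate:
    low: int
    high: int
    breakdown: dict


def estimate_loss(records: int, include_ransom: bool = True,
                  regulated: bool = True) -> LossEstimate:
    """Sum the Step 2 table for a business holding `records` records.

    regulated=False drops the regulatory-fines line (no HIPAA/CCPA/GLBA
    exposure); include_ransom=False drops the ransom line.
    """
    breakdown = {}
    for name, (lo, hi) in FIXED_COSTS.items():
        if name == "regulatory_fines" and not regulated:
            continue
        breakdown[name] = (lo, hi)
    for name, (lo, hi) in PER_RECORD_COSTS.items():
        breakdown[name] = (lo * records, hi * records)
    if include_ransom:
        breakdown["ransom_payment"] = RANSOM_RANGE
    low = sum(lo for lo, _ in breakdown.values())
    high = sum(hi for _, hi in breakdown.values())
    return LossEstimate(low, high, breakdown)


def recommended_limit(estimate: LossEstimate, floor: int = 1_000_000) -> int:
    """Round the worst-case scenario up to the next $1M, never below `floor`.

    The $1M floor is the article's stated minimum for small businesses.
    """
    step = 1_000_000
    rounded = -(-estimate.high // step) * step  # ceiling division
    return max(floor, rounded)


def within_range(actual: int, rng: tuple) -> bool:
    """True when an observed cost falls inside a table range (inclusive)."""
    return rng[0] <= actual <= rng[1]


# Constructed scenario: the dental practice from the introduction,
# 4,200 patient records, one ransom demand, HIPAA-regulated.
DENTAL_RECORDS = 4_200
dental = estimate_loss(DENTAL_RECORDS)

# The figures the article quotes for that incident, checked against the
# table the same article uses in Step 2.
OBSERVED = {
    "forensic_investigation": 40_000,
    "business_interruption": 60_000,
    "notification": 28_000,
    "ransom_payment": 85_000,
}

if __name__ == "__main__":
    print(f"{DENTAL_RECORDS:,} records -> "
          f"${dental.low:,} best case, ${dental.high:,} worst case")
    print(f"recommended limit: ${recommended_limit(dental):,}")
    for item, cost in OBSERVED.items():
        ok = within_range(cost, dental.breakdown[item])
        print(f"  {item:<24} ${cost:>8,}  in table range: {ok}")
```

The low end for 4,200 records comes out at $200,400, in line with the "over $200,000" total quoted in the introduction, and the worst case rounds up to a $2M limit.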

Step 3: Confirm Key Coverage Details

Before binding, confirm:

  • ✅ Is ransomware / extortion coverage included without a sublimit?
  • ✅ Is social engineering / wire fraud covered? (Often excluded or sublimited)
  • ✅ Is business interruption calculated on actual vs. estimated revenue loss?
  • ✅ Is dependent business interruption included (cloud provider outages)?
  • ✅ What is the retroactive date? (Breaches discovered now but initiated earlier)
  • ✅ What are the notification requirements when you suspect a breach?
  • ✅ Does the policy give you choice of incident response vendor, or must you use their panel?

Step 4: Understand Your Deductible

Cyber deductibles typically range from $1,000 to $25,000 for small businesses. A higher deductible lowers your premium but means more out-of-pocket cost in a claim. For most small businesses, a $2,500–$5,000 deductible balances premium savings against manageable out-of-pocket risk.

Cyber Coverage Limits Recommendation

| Business Size | Recommended Limit | Typical Annual Cost |
|---|---|---|
| Solo / freelancer | $500K–$1M | $500–$900 |
| Small business (under $2M revenue) | $1M–$2M | $900–$2,500 |
| Mid-sized business ($2M–$10M revenue) | $2M–$5M | $2,000–$5,000 |
| Data-intensive (healthcare, financial, legal) | $5M+ | $3,000–$10,000+ |


How to Lower Your Cyber Insurance Premium

Cyber insurers base pricing on risk — and risk is something you can actively reduce. These security controls have the most impact on premiums:

High-Impact Security Controls

Enable MFA on everything — Multi-factor authentication on email (Microsoft 365, Google Workspace), remote access (VPN, RDP), and any cloud services that store sensitive data. MFA prevents 99% of credential-based attacks. Insurers may decline to cover businesses without MFA on email.

Verified, tested backups — Daily automated backups stored in a location isolated from your main network (offline or separate cloud account). Test your recovery process quarterly. Backups that work reduce ransomware exposure dramatically.

Endpoint detection and response (EDR) — Tools like CrowdStrike Falcon Go, SentinelOne, or Microsoft Defender for Business detect and block malware that traditional antivirus misses. Several insurers offer discounts for documented EDR deployment.

Patch management — Apply operating system and application security updates within 30 days of release. Attackers actively scan for unpatched systems. Documented patch management processes lower underwriting risk.

Email filtering — Advanced spam and phishing filtering (beyond basic email provider defaults) reduces the risk of successful phishing attacks. Microsoft Defender for Office 365 or Proofpoint Essentials are common choices.

Employee security training — Annual security awareness training plus quarterly phishing simulations. Document completion rates. Several insurers ask specifically about this during application.

Password management — A company-wide password manager (1Password, Bitwarden) ensures employees use strong, unique passwords without the friction that leads to password reuse.

Expected Premium Impact

| Security Control | Premium Reduction Estimate |
|---|---|
| MFA enabled on email and remote access | 15–25% |
| Verified offline backups | 10–20% |
| EDR software deployed | 10–15% |
| Documented patch management | 5–10% |
| Security awareness training | 5–10% |
| All of the above | 30–50% combined |


What to Do After a Cyber Incident

Having cyber insurance means nothing if you don't activate it correctly. Here's the essential playbook:

Immediately (First Hour)

  1. Do not turn off affected systems — Forensic investigators need the systems in their compromised state to understand what happened. Turning systems off can destroy evidence.
  2. Disconnect from the network — Isolate affected systems to prevent spread without powering down.
  3. Call your insurer's incident response hotline — Every major cyber policy includes 24/7 incident response. Call them before you call anyone else. They'll direct the response.
  4. Do not pay a ransom without consulting your insurer — Insurers may cover the payment, but you need their approval first. Paying without notification can void coverage.
  5. Document everything — Screenshot ransom notes, log what you observe, note the time of discovery.

First 24–72 Hours

  1. Work with the insurer's forensic team — Let their designated incident response firm lead the investigation. Using your own vendor without approval may not be covered.
  2. Preserve logs — Server logs, email logs, and access logs are critical evidence. Request your IT team or provider preserve them immediately.
  3. Notify law enforcement — Report ransomware or data theft to the FBI's Internet Crime Complaint Center (IC3.gov). This documentation can support your claim and is required in some states.
  4. Begin legal counsel — Your insurer will likely provide coverage for attorney fees. Start this process early — regulatory notification timelines are tight.

Within 30–72 Hours (Depending on State Law)

  1. Assess what data was exposed — Determine whose data was compromised and what type of information was affected.
  2. Notify affected individuals per state law — All 50 states have breach notification laws with varying timelines (30–90 days typically). Your attorney and insurer will guide this.
  3. Notify regulators if required — HIPAA requires HHS notification within 60 days for breaches affecting 500+ individuals. Financial services firms face additional requirements.

The Bottom Line: Why You Can't Skip Cyber Insurance in 2026

Three years ago, cyber insurance was something large companies bought. Today, it's something every business with a computer, a customer database, or an online payment system needs.

The math is simple:

  • Average annual premium for a small business: $1,200–$1,800/year
  • Average cost of a small business data breach: $200,000+
  • The deductible you'd pay instead of $200,000: $2,500–$5,000

For the cost of about $100–$150/month, you transfer a potentially company-ending financial risk to an insurer.

Coalition is the top recommendation for most small businesses — their combination of competitive pricing, comprehensive coverage, and active security monitoring tools makes them uniquely valuable. Hiscox is the best entry-level option for micro-businesses and freelancers. Chubb is the choice when you need high limits and the strongest possible carrier.

Get multiple quotes. The online application for Coalition, Hiscox, and Corvus takes 10–15 minutes. Do it today — before a ransomware attack forces the decision.

