Expert Summary
- Ransomware attacks on small businesses (under 250 employees) increased 67% in 2025 according to CrowdStrike's 2026 Global Threat Report — the majority of attacks now target small businesses because they have weaker defenses.
- Average cyber insurance premiums for small businesses in 2026 range from $1,200–5,000/year depending on industry, revenue, data sensitivity, and security controls.
- Multi-factor authentication (MFA) on all accounts is now required by most cyber insurers — businesses without it are often denied coverage or charged significantly higher premiums.
Cyber insurance has moved from "optional coverage for large enterprises" to a practical necessity for small businesses in 2026. The threat landscape has shifted dramatically — attackers specifically target small businesses because they have weaker defenses, valuable data, and less ability to withstand disruption.
The Small Business Cyber Threat Landscape in 2026
The data from 2025–2026 is clear:
- 67% increase in ransomware attacks on businesses with under 250 employees (CrowdStrike Global Threat Report, 2026)
- Average ransomware payment: $812,000 (Sophos State of Ransomware 2026)
- Average total recovery cost (beyond ransom): $1.35 million — including downtime, data recovery, notification, and legal costs
- 60% of small businesses that suffer a significant cyber incident close within 6 months
The reason small businesses are increasingly targeted: large enterprises have invested heavily in security; small businesses represent lower-hanging fruit with less sophisticated defenses and often equally valuable data (payment card data, PHI, confidential contracts).
What Cyber Insurance Covers
First-Party Coverage (Your Business's Costs)
Ransomware response: Most policies cover the ransom payment itself and the cost of incident response — negotiators, forensics teams, and decryption services. Limits typically range from $100K to $5M.
Business interruption: Pays for lost revenue and additional expenses during system downtime caused by a cyber incident. The waiting period (the time-based equivalent of a deductible) is typically 8–24 hours of downtime before BI coverage activates.
Data breach notification: Many states (including California, New York, Texas) require businesses to notify affected individuals after a breach. Notification costs — letters, credit monitoring for affected customers — are covered. Average notification cost per record: $147 (IBM, 2025).
Forensics and investigation: Identifying how the breach occurred, what data was accessed, and how to remediate.
PR and crisis management: Protecting your brand reputation after a public breach.
Cyber extortion (non-ransomware): Extortion that does not involve encrypting your systems, such as threats to publish stolen data or DDoS extortion.
Third-Party Coverage (Liability to Others)
Network security liability: Lawsuits from customers or partners whose data was exposed in a breach on your systems.
Regulatory defense and fines: Coverage for FTC, state AG, or EU GDPR investigations and fines resulting from a breach. Note: GDPR fines have limited coverage in most US policies — check exclusion language.
Media liability: Claims related to online content you publish — copyright infringement, defamation.
Average Premiums by Business Type (2026)
| Business Type | Annual Revenue | Average Premium |
|---|---|---|
| General small business, no sensitive data | Under $1M | $800–1,500 |
| Retail, e-commerce (payment card data) | Under $2M | $1,500–3,000 |
| Professional services (legal, accounting) | Under $2M | $2,000–4,000 |
| Healthcare (PHI) | Under $2M | $3,000–7,000 |
| Financial services | Under $2M | $2,500–6,000 |
| Education | Under $2M | $1,500–3,500 |
What Underwriters Look For
Cyber insurance underwriting has tightened significantly since the ransomware surge of 2021–2023. Expect to be asked about:
Security controls (most impactful on premiums):
- Multi-factor authentication (MFA): Required by nearly all insurers now. Must be on email, remote access (VPN, RDP), and cloud applications. Businesses without MFA face 2–3× premium surcharges or outright declination.
- Endpoint Detection and Response (EDR): Endpoint agents that detect and respond to malicious activity, going beyond signature-based anti-malware. CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint are commonly cited.
- Offline backups: The "3-2-1 rule" — 3 copies, 2 different media, 1 offsite — is the baseline. Insurers want immutable backups that ransomware cannot encrypt.
- Patch management: Systems updated within 30 days of critical vulnerability patches.
Data practices:
- What categories of data you hold (PII, PHI, payment card data)
- Number of records
- Encryption at rest and in transit
Incident response plan:
- Do you have a written IR plan?
- Have you tested it in the last 12 months?
Important note
44% of cyber insurance claims in 2025 were denied due to misrepresentation in the application — specifically, businesses checking "yes" on MFA questions when MFA was only partially implemented. Insurers now conduct technical validation of security controls for policies above $500K in coverage. Accurate applications are legally required and practically enforced.
Source: CrowdStrike Cyber Insurance Report, 2026
Coverage Gaps to Watch For
War exclusion: Cyber policies exclude acts of war. State-sponsored attacks (Russia, China, North Korea) have been classified as war by some insurers following the NotPetya precedent. Ensure your policy does not broadly exclude nation-state attacks that are not explicitly wartime acts.
Infrastructure exclusion: Some policies exclude outages caused by internet service provider failures or cloud provider outages, even if the outage results from a cyberattack on the provider.
Social engineering: Fraudulent wire transfer requests (business email compromise) are not always covered under standard cyber policies. Some insurers require a separate "crime" endorsement for social engineering fraud.
Bodily injury: Standard cyber policies exclude physical damage caused by a cyberattack (e.g., a hacked medical device harming a patient). Specialty coverage is available.
Comparing Policies: What to Look For
- Retroactive date: The date from which coverage applies. A retroactive date of "policy inception" means incidents that started before the policy date are not covered — even if discovered during the policy period.
- Claims-made vs. occurrence: Cyber is typically claims-made — coverage applies based on when the claim is made, not when the incident occurred.
- Sub-limits: Check if ransomware, business interruption, and regulatory defense have sub-limits below the total policy limit.
- Panel requirements: Some insurers require you to use their approved forensics and legal firms — verify you can use your own preferred vendors.
Recommended insurers for small business cyber in 2026: Coalition, Cowbell (AI-underwritten, fast quotes), Chubb, Travelers, AXA XL, and Beazley for higher-risk industries.
What does cyber insurance cover for small businesses?
Cyber insurance covers first-party costs including ransomware response, data breach notification, forensics investigation, business interruption losses, and PR management. Third-party liability coverage pays for lawsuits from customers or regulators resulting from a breach. Check that your policy includes both components.
How much does cyber insurance cost for a small business?
For a typical small business under $5M revenue with basic security controls, premiums average $1,200–2,500/year for $1M in coverage. Healthcare, legal, and financial services businesses typically pay $3,000–8,000/year. MFA implementation and regular backups can reduce premiums by 15–30%.
Do small businesses really need cyber insurance?
Yes — small businesses are now targeted more frequently than large enterprises. The average cost of a data breach for a small business exceeds $200,000. Without cyber insurance, a single ransomware incident can bankrupt a small business. Over 60% of small businesses that experience a significant cyber incident close within 6 months.
