Cyber Insurance Cost Estimator
What cyber coverage costs, what a breach costs without it, and the controls insurers now demand
| What the policy pays for | Typical incident cost |
|---|
What cyber coverage costs, what a breach costs without it, and the controls insurers now demand
| What the policy pays for | Typical incident cost |
|---|
Cyber insurance became a small-business staple the same way GL did — clients and regulators started demanding it — but it earns its premium differently: 43% of attacks target small businesses, the median ransomware demand sits six figures, and the policy's hidden product is the 2am incident-response team no small firm could assemble alone. This estimator benchmarks premiums by your real exposure (revenue, records, data sensitivity) and prices the breach you'd otherwise self-fund.
| First-party (your costs) | Third-party (their claims) |
|---|---|
| Forensics & incident response, notification and credit monitoring (mandated by all 50 states), ransomware response and payments, data restoration, business interruption, funds-transfer fraud (verify — often sub-limited) | Customer/partner lawsuits, regulatory defense and fines (HIPAA, state AGs, PCI assessments), media liability |
A 5,000-record incident at a services firm typically stacks: $25–60k forensics, $30–60k notification/monitoring, days of downtime, and — if ransomware — a six-figure demand against your untested backups. IBM-style studies put SMB breach averages at $120k–$250k+; about 60% of small firms hit by a major incident close within a year. Against a ~$1,800 premium, the estimator's ratio column explains the product's growth.
Nobody 'targets' you; scanners and phishing kits harvest whoever clicks. 43% of attacks hit small businesses precisely because controls are weaker and wire-fraud emails work. Size is not obscurity; it's the absence of a security team.
No — GL explicitly excludes electronic data. Some BOPs bolt on $25–50k cyber sub-limits, useful as a token but a fraction of real incident costs. Standalone cyber is the actual product.
Most policies can (with negotiation panels and OFAC-sanction checks) — but payment is the last resort; the insurer-funded response team's first move is your backups. Sub-limits and coinsurance on ransomware are common; read that section twice.
The fake-CEO/vendor email that tricks your bookkeeper into wiring $80k — technically not a 'hack,' so base policies often exclude it. It's the single most common SMB cyber loss; buy the endorsement and verify the sub-limit.
The pass/fail list: MFA on email, remote access and admin accounts; tested offline/immutable backups; EDR (endpoint detection); and increasingly, phishing training. Weak posture means declined applications or 60% surcharges — and false attestations void claims.
Increasingly yes by contract: enterprise clients, healthcare partners (BAAs) and some state contractors require certificates with specific limits. HIPAA-adjacent firms should treat $1–2M cyber as table stakes.
Yes — every figure computes locally in your browser.
Turn on MFA, test the backups, then buy the policy with the honest application — in that order. The controls prevent the median incident; the policy and its 2am hotline handle the tail. Skipping both is how statistics get made.