Cyber Insurance Cost Estimator

What cyber coverage costs, what a breach costs without it, and the controls insurers now demand

$—
Est. Annual Premium
$—
Typical Breach Cost (Your Size)
Breach Cost ÷ Premium
What the policy pays forTypical incident cost

Cyber insurance became a small-business staple the same way GL did — clients and regulators started demanding it — but it earns its premium differently: 43% of attacks target small businesses, the median ransomware demand sits six figures, and the policy's hidden product is the 2am incident-response team no small firm could assemble alone. This estimator benchmarks premiums by your real exposure (revenue, records, data sensitivity) and prices the breach you'd otherwise self-fund.

What a Policy Actually Covers

First-party (your costs)Third-party (their claims)
Forensics & incident response, notification and credit monitoring (mandated by all 50 states), ransomware response and payments, data restoration, business interruption, funds-transfer fraud (verify — often sub-limited)Customer/partner lawsuits, regulatory defense and fines (HIPAA, state AGs, PCI assessments), media liability

What It Costs (and Why Yours Differs)

  • Baselines: $1M limits run ~$1,200–2,500/yr for a typical sub-$1M-revenue services firm; health/financial data or six-figure record counts multiply it.
  • The controls discount is real: post-2021 hard market, insurers price (and decline) on security posture — MFA everywhere, offline/immutable backups, EDR, and phishing training move premiums 25–40% and determine insurability at all.
  • The application is a warranty: answering "yes, we have MFA" falsely has voided real claims in court (the industry's most instructive case law). Audit before you attest.

The Breach Math Without Coverage

A 5,000-record incident at a services firm typically stacks: $25–60k forensics, $30–60k notification/monitoring, days of downtime, and — if ransomware — a six-figure demand against your untested backups. IBM-style studies put SMB breach averages at $120k–$250k+; about 60% of small firms hit by a major incident close within a year. Against a ~$1,800 premium, the estimator's ratio column explains the product's growth.

Buy It Right

  1. Fix the controls first — MFA and offline backups cost less than the premium savings they buy, and they're the actual protection.
  2. Verify the two commonly-gutted coverages: social-engineering/funds-transfer fraud (the fake-invoice wire) and ransomware payments — both get sub-limited to $25–50k in cheap policies.
  3. Match the limit to records × $15 + downtime, not to what's cheap — $1M is the small-firm floor, healthcare-adjacent firms need more.
  4. Know the hotline number before the incident — the panel breach coach, forensics firm and ransom negotiator are the policy; calling your own IT guy first can even prejudice coverage.

How to Use the Estimator

  1. Enter revenue, records held, data sensitivity, desired limit and honest security posture.
  2. Read premium vs typical breach cost — the ratio is the decision for most firms.
  3. Then do the controls audit the application will demand anyway; it's the rare insurance prerequisite that pays for itself.

Frequently Asked Questions

We're tiny — who would attack us?

Nobody 'targets' you; scanners and phishing kits harvest whoever clicks. 43% of attacks hit small businesses precisely because controls are weaker and wire-fraud emails work. Size is not obscurity; it's the absence of a security team.

Does general liability or my BOP cover cyber?

No — GL explicitly excludes electronic data. Some BOPs bolt on $25–50k cyber sub-limits, useful as a token but a fraction of real incident costs. Standalone cyber is the actual product.

Will insurance pay a ransom?

Most policies can (with negotiation panels and OFAC-sanction checks) — but payment is the last resort; the insurer-funded response team's first move is your backups. Sub-limits and coinsurance on ransomware are common; read that section twice.

What's social-engineering coverage and why does it matter?

The fake-CEO/vendor email that tricks your bookkeeper into wiring $80k — technically not a 'hack,' so base policies often exclude it. It's the single most common SMB cyber loss; buy the endorsement and verify the sub-limit.

What controls do insurers require now?

The pass/fail list: MFA on email, remote access and admin accounts; tested offline/immutable backups; EDR (endpoint detection); and increasingly, phishing training. Weak posture means declined applications or 60% surcharges — and false attestations void claims.

Do we need cyber coverage for compliance?

Increasingly yes by contract: enterprise clients, healthcare partners (BAAs) and some state contractors require certificates with specific limits. HIPAA-adjacent firms should treat $1–2M cyber as table stakes.

Is my information private?

Yes — every figure computes locally in your browser.

Turn on MFA, test the backups, then buy the policy with the honest application — in that order. The controls prevent the median incident; the policy and its 2am hotline handle the tail. Skipping both is how statistics get made.

Found this useful? Share it