
Why Your Business Needs Cyber Insurance in 2026

43% of cyberattacks target small businesses. Most don't have cyber insurance. Here's what's at stake — including the fraud coverages most businesses don't know they're missing.


Small Businesses Are the Primary Target

There's a persistent myth that hackers only go after large corporations. The reality is the opposite. According to Verizon's 2024 Data Breach Investigations Report, 43% of cyberattacks target small businesses. Attackers know that small companies have weaker defenses — no dedicated security team, outdated software, employees who haven't been trained to spot phishing emails, and often no incident response plan.

The numbers are sobering: the average cost of a data breach reached $4.44 million globally in 2025 (IBM). For small businesses specifically, the average cyber insurance claim is $115,000 — and 60% of small businesses that suffer a major cyber incident close within six months. These aren't hypothetical risks. They're actuarial realities that carriers price into every policy.

First-Party vs. Third-Party: The Two Sides of Cyber Coverage

A cyber liability policy covers two distinct categories of loss, and understanding the difference matters when you're comparing quotes.

First-party coverage protects your business from its own losses: forensic investigation to determine what happened and how to stop it, data recovery and system restoration, business income lost while your systems are down, ransomware payments and professional negotiation, crisis management and PR to protect your reputation, and notification costs (you're legally required to notify affected individuals in all 50 states).

Third-party coverage protects you from claims made by others: lawsuits from customers, clients, or partners whose data was compromised, regulatory fines and defense costs from state AGs, the FTC, HHS (HIPAA), or PCI assessors, payment card industry assessments and card reissuance costs, and media liability for defamation or copyright claims in digital content.

Most businesses need both. A single ransomware attack often triggers both sides simultaneously — encrypting your systems (first-party) while also exfiltrating customer data (third-party).

The Coverage Gap Most Businesses Don't Know About: Cyber Crime

Here's what catches most business owners off guard: standard cyber liability policies cover data breaches and system attacks, but the fastest-growing category of cyber loss isn't hacking — it's fraud.

Social engineering fraud is when a criminal impersonates someone you trust — your CEO, a vendor, a client — and tricks an employee into wiring money. No malware, no hacking, just a convincing email. The average social engineering loss exceeds $120,000. Business email compromise (BEC) alone caused $2.9 billion in reported losses in 2023 (FBI IC3).

Funds transfer fraud covers situations where criminals manipulate your bank into moving money from your account. Computer fraud covers direct theft through unauthorized system access. These coverages are added as endorsements to your base cyber policy. They are not included automatically. They are not covered by your general liability, property, or standard crime policies. If you don't specifically ask for them, you don't have them.

When we quote cyber for our clients, we always include these endorsements. They're the difference between a policy that looks good on paper and one that actually protects you.

Ransomware: The Claim That Changed the Market

Ransomware accounts for approximately 60% of large cyber claim values. The average ransomware attack cost reached $5.75 million in 2025 — and that includes businesses that had backups and didn't pay the ransom. The cost comes from downtime, forensic investigation, system rebuilding, and the business income lost during recovery (average: 23 days of disruption).

A strong ransomware provision covers: the ransom payment itself (including cryptocurrency), professional negotiation by experienced specialists, forensic investigation to determine if data was stolen before encryption, system restoration and data recovery, business interruption during downtime, and regulatory notification if personal data was exfiltrated.

What varies between policies — and what you need to watch for — is whether the policy requires pre-authorization before paying a ransom, whether there are sublimits that cap ransomware below your overall limit, whether 'double extortion' is covered (attackers encrypt AND threaten to publish your data), and how the policy handles extended recovery periods beyond 30 days.

Pre-Breach Services: Your Policy Works Before an Attack

Modern cyber insurance isn't just about paying claims after an incident. Leading carriers now include pre-breach services that actively reduce your risk — and your premiums.

These typically include: employee security awareness training (82% of breaches involve a human element), phishing simulation programs that test your staff's ability to spot fake emails, vulnerability scanning that monitors your external attack surface, breach response plan builders to create and test your incident response plan, and access to cybersecurity consultants for vendor contract reviews.

Some carriers offer 24/7 managed detection and response (MDR) — essentially a security operations center monitoring your network, included with your policy. Others provide password management tools, MFA platforms, and endpoint detection software at discounted or no cost.

The takeaway: your cyber insurance carrier should be a cybersecurity partner, not just a claims payer. When we evaluate carriers for our clients, pre-breach services are a major factor in our recommendations.

Industries That Need It Most

Healthcare providers face the highest breach costs of any industry — $10.93 million on average — because HIPAA mandates breach notification with penalties up to $50,000 per violation. Professional services firms (law, accounting, consulting) hold clients' most sensitive data, and a breach exposes them to malpractice claims on top of cyber liability.

Technology and SaaS companies face a unique reality: their product IS the attack surface. Enterprise clients increasingly require $1M–$5M in cyber coverage before signing contracts. Retail and e-commerce businesses face PCI-DSS exposure through payment processing — a breach triggers card reissuance costs, fines, and customer lawsuits.

But here's the truth: if your business accepts credit cards, stores email addresses, or has employee payroll records, you have enough data to trigger breach notification requirements in all 50 states. The question isn't whether you need cyber coverage. It's how much.

What It Costs (and What Drives the Price)

Cyber liability premiums for small businesses typically range from $500 to $3,000 per year for $1M in coverage. The main rating factors are: your industry and regulatory exposure, annual revenue, volume and sensitivity of data you store, your security posture (MFA, EDR, backups, employee training), and claims history.

Having strong security controls — multi-factor authentication, endpoint detection, encrypted backups, and a documented incident response plan — can reduce premiums by 15–30%. Lacking these controls can result in higher premiums, higher deductibles, or outright declination.

Compare the premium to the average claim of $115,000, and the ROI is obvious. This remains one of the most underpriced coverages in commercial insurance — but premiums are rising as claim frequency increases. Locking in coverage now, while your claims history is clean, is the smart move.

The Mistake That Costs Businesses Everything

The biggest mistake isn't failing to buy cyber insurance — it's assuming your general liability or BOP covers cyber events. It doesn't. Cyber is a standalone coverage that must be purchased separately.

Some BOPs offer a small cyber endorsement, but it's typically limited to $10,000–$50,000 — nowhere near enough for a real breach. And those endorsements almost never include social engineering fraud, ransomware negotiation, or regulatory defense. They're a checkbox, not a solution.

The second biggest mistake is buying a cyber policy without the crime endorsements. A base cyber policy without social engineering and funds transfer fraud coverage is like buying auto insurance without collision — it covers some scenarios, but not the one most likely to happen to you.
