How to Buy Cyber Insurance for a Small Business

Calculate coverage needs, compare policy types, and secure cyber insurance that matches your business risk profile and budget.

  1. Calculate your maximum potential cyber loss. Add up your worst-case scenario: revenue lost during a 30-day shutdown, cost to restore systems and data, regulatory fines for your industry, and legal fees. Most small businesses land between $100K-$2M in total exposure. This number sets your minimum coverage target.
  2. Document your current security posture. List your data types (PII, payment info, health records), security tools (firewalls, antivirus, backup systems), employee count, and annual revenue. Insurers use this to price your policy. Better security equals lower premiums—typically 15-30% discounts for businesses with formal cybersecurity training and multi-factor authentication.
  3. Choose between first-party and comprehensive coverage. First-party policies cover your direct losses: business interruption, data restoration, ransomware payments. Third-party coverage adds liability for customer data breaches. Most small businesses need both, packaged as comprehensive cyber liability insurance.
  4. Set coverage limits and deductibles strategically. Match your coverage limit to your maximum loss calculation from Step 1. Set deductibles at 2-5% of your annual revenue—higher deductibles cut premiums by 20-40%. A $2M policy with a $10K deductible typically costs $2,000-$5,000 annually for most service businesses.
  5. Compare quotes from admitted carriers. Get quotes from 3-5 insurers who are admitted in your state and have A.M. Best ratings of A- or higher. Focus on coverage specifics, not just price—some policies exclude social engineering fraud or have restrictive business interruption triggers that gut your coverage when you need it.
  6. Review policy exclusions and incident response terms. Verify the policy covers ransomware, social engineering, and business email compromise. Check if you must use their incident response vendors or can choose your own. Good policies include 24/7 hotlines and pre-approved vendors for forensics and legal support.