Cyber Insurance for Small Business: What It Covers, Why You Need It, and What It Costs
Here’s a number worth sitting with: 70% of cyberattacks target small and mid-sized businesses. Not Fortune 500 companies. Not government agencies. Small businesses — because they’re easier targets, they hold valuable customer data, and they’re far less likely to have strong defenses in place.
And the average ransomware payment alone? Over $115,000 in 2025. That’s before you factor in lost revenue, legal fees, customer notification costs, and the time spent putting your business back together.
Most small business owners assume their general liability policy covers this. It doesn’t. Most assume their Business Owner’s Policy (BOP) covers it. It doesn’t. Cyber incidents are specifically excluded from standard business policies — which means without a dedicated cyber policy, you’re absorbing every dollar of that cost yourself.
Why Small Businesses Are the Target
It’s not personal. It’s math. Cybercriminals go where the risk-to-reward ratio is best for them — and small businesses offer an attractive combination: real customer data, real financial accounts, and far fewer security resources than large enterprises.
Think about what your business likely holds right now:
- Customer names, addresses, phone numbers, emails
- Credit card or payment information
- Employee records including Social Security numbers
- Health information if you operate in any care-related field
- Vendor and banking account details
- Login credentials for software, platforms, and financial accounts
Every one of those is valuable to a criminal. And collecting, storing, or processing any of that information — even just taking credit cards at a register — creates legal exposure if a breach occurs.
The threats are also getting harder to spot. In 2025, AI-generated phishing emails are nearly indistinguishable from legitimate messages. Voice phishing (vishing) attacks increased 442% in a single year. Deepfake technology is being used to impersonate business owners and executives to authorize fraudulent wire transfers. These aren’t just IT problems anymore — they’re business problems.
What Cyber Insurance Actually Covers
Cyber insurance is built around two categories of coverage: what it costs your business to respond to an incident (first-party), and what it costs when others come after you because of one (third-party).
First-Party Coverage — Your Own Costs After a Breach
Breach response and forensic investigation. When something goes wrong, the first thing you need to know is what happened, how far it went, and how to stop it. Cyber insurance covers the cost of a forensic IT review to determine the scope of the breach and contain further damage.
Legal review. A breach almost always triggers legal obligations — privacy laws, state notification requirements, potential regulatory exposure. A cyber policy covers the cost of getting legal guidance on your obligations immediately after an incident.
Customer and stakeholder notification. In most states you are legally required to notify affected individuals when their personal data is compromised. That means letters, emails, a response hotline, and often credit monitoring services for everyone impacted. Those costs add up fast at scale — and cyber insurance covers them.
Identity restoration services. For customers whose information was exposed, many policies cover the cost of providing identity restoration case management, fraud alert services, and credit report monitoring.
Public relations and reputation management. A data breach can do real damage to your reputation — especially in a relationship-based business. Cyber coverage can include crisis communications support to help manage the public-facing response.
Business interruption losses. If a cyberattack takes your systems offline and you can’t operate, business interruption coverage pays for the income you lose during that downtime. This is one of the most valuable parts of a robust cyber policy — the median recovery time after a ransomware attack is measured in days, not hours.
Cyber extortion and ransomware. If a criminal encrypts your data and demands payment to restore access, extortion coverage can help cover the response costs and, in some cases, the ransom itself. This is increasingly important given the volume and sophistication of ransomware attacks.
Hardware repair and data recovery. Some policies also cover the cost of repairing or replacing hardware damaged in an attack, and recovering data that was lost or destroyed.
Third-Party Coverage — When Others Come After You
Privacy liability. If a customer, vendor, or employee sues you because their personal information was compromised in a breach — or because you failed to properly protect it — this coverage pays for your legal defense and any resulting damages.
Regulatory fines and penalties. Data protection regulations at the state and federal level carry real financial penalties for businesses that fail to properly safeguard personal information. Cyber insurance can cover those fines and the cost of regulatory investigations.
Media liability. Claims arising from your website, social media, blog, or digital advertising — including copyright infringement, defamation, and advertising injury — can be covered as an add-on to a cyber policy.
Fraudulent funds transfer. Social engineering scams — where a criminal impersonates an employee, vendor, or executive to trick someone into wiring money — are now one of the most common and costly cyber claims. This coverage is typically available as an add-on and is increasingly worth having.
What Your Current Policies Don’t Cover
This is the gap most business owners don’t realize exists until they have a claim:
- General liability covers bodily injury and property damage to third parties — not digital data, not cyber incidents, not your customers’ stolen information.
- Business Owner’s Policy (BOP) combines GL and property coverage — your physical equipment may be covered, but the data on it is not.
- Professional liability / E&O covers professional service errors — not criminal intrusions into your systems.
- Commercial property covers physical damage — not digital loss.
- Commercial auto covers vehicles — full stop.
Cyber coverage is specifically excluded from most standard business insurance policies. It requires its own dedicated policy or endorsement.
Who Actually Needs Cyber Insurance
The short answer: any business that uses a computer, accepts payments digitally, or stores any customer or employee information. That covers the vast majority of small businesses operating today.
But some industries carry higher exposure and should treat it as non-negotiable:
- Healthcare and wellness providers (HIPAA creates mandatory notification requirements)
- Financial services, insurance, accounting, and bookkeeping
- Legal and professional services
- Retail and e-commerce (payment card data)
- Real estate and mortgage
- Any business with an employee payroll (SSNs, banking info)
- Contractors and service businesses that use client management software
- Food businesses, salons, and personal care services that process cards or store client records
If a breach happened today and you had to notify every person whose information you’ve ever stored, processed, or touched — how many people would that be? That number is a good proxy for your exposure.
What It Costs — And It’s Less Than You Think
Cyber insurance is one of the most underutilized coverages in small business insurance — partly because business owners assume it’s expensive. It’s not.
| Business Type | Approximate Annual Cost | Monthly Equivalent |
|---|---|---|
| Very small business / add-on coverage (base limits) | $85–$200/year | $7–$17/month |
| Small business standalone policy | $360–$600/year | $30–$50/month |
| Small business with higher limits / more exposure | $600–$1,500+/year | $50–$125/month |
What affects your rate:
- Industry and type of data you handle
- Revenue and business size
- Coverage limits and deductible
- Security practices already in place (strong practices = lower rates)
- Claims history
- Whether you want add-ons like fraudulent funds transfer or media liability
To put cost in perspective: the average data breach notification process alone — just the legal review and customer notifications — can easily exceed $10,000 for a small business with a few hundred affected customers. A cyber policy that costs $30–$50 a month is a straightforward trade.
Beyond Insurance: Prevention Matters Too
The best cyber policies don’t just pay claims — they help you avoid them in the first place. Look for coverage that includes proactive tools like:
- 24/7 incident response support — experts you can call the moment something looks wrong
- Employee phishing training and awareness programs
- Risk assessments that identify vulnerabilities before criminals do
- Data backup and monitoring services
- A dedicated response team if an incident occurs
The time between when a hacker gains access and when they accomplish their objective is often less than five hours. Having an expert response team on call — not a hold queue — can be the difference between a contained incident and a catastrophic one.
Ready to Get Covered?
Cyber insurance options are available for small businesses at every size and budget — from simple add-on endorsements to robust standalone policies with prevention tools built in. Finding the right fit depends on your industry, what data you hold, and what level of coverage makes sense for your operation.
Mitchell Insurance Agency works with multiple carriers to find cyber coverage that actually matches how your business runs — not a generic policy that leaves gaps you don’t find out about until there’s a claim.
Licensed in Minnesota, North Dakota, South Dakota, Iowa, Wisconsin, and Pennsylvania.
Call or text: 763-777-9599
Email: misty@mitchellinsurance.agency
Online: mitchellinsurance.agency
Mitchell Insurance Agency LLC is a licensed independent insurance agency serving MN, ND, SD, IA, WI, and PA.