Do I need multi-factor authentication to get cyber insurance?

In practice, yes, for most carriers. Multi-factor authentication (MFA) on email, remote access and privileged accounts has become a baseline requirement on the application. Insurers also increasingly expect endpoint detection and response (EDR), tested offline or immutable backups, email filtering, and a patching process. Missing MFA can mean a declined application, a much higher premium, or a coverage sub-limit on ransomware.

How much cyber insurance coverage do I need?

Size the limit to your realistic worst-case cost, not a round number. Estimate the cost of a breach of your records (notification, forensics, legal, downtime and potential ransom), check any contractual minimums your customers require, and consider your regulatory exposure. Many small businesses start at a USD 1 million limit; mid-size and data-heavy firms often carry USD 5 million or more. A breach-cost estimate is a better starting point than copying a competitor's number.

How do underwriters assess a cyber insurance application?

Underwriters score your risk from the application questionnaire and, increasingly, an external scan of your internet-facing systems. They look at revenue and industry, the volume and sensitivity of records you hold, your security controls (MFA, EDR, backups, patching, email security), your incident-response readiness, your claims and breach history, and your reliance on third-party vendors. Strong controls and a clean history lower both the premium and the retention; weak controls raise them or lead to declination.

How Much Does Cyber Insurance Cost? (2026 Buyer's Guide)

Q: How much does cyber insurance cost for a small business in 2026?

There is no single price, but for a small business buying a typical USD 1 million limit, annual premiums commonly fall somewhere in the low four figures — often roughly USD 1,000 to USD 3,000 a year for a low-risk firm that holds few sensitive records and has strong security controls. Businesses that store large volumes of personal or payment data, operate in high-risk sectors like healthcare or finance, or lack basics such as multi-factor authentication can pay several times that. Treat any figure as a range, not a quote — your actual price depends on revenue, industry, data held, controls, claims history, and the limit and retention you choose.

Q: What does cyber insurance actually cover?

A cyber policy splits into first-party cover (your own losses) and third-party cover (claims others bring against you). First-party typically includes breach response and forensics, notification and credit monitoring, business interruption, ransomware and cyber-extortion costs, and data restoration. Third-party typically includes privacy and network-security liability, regulatory defense and fines where insurable, and media liability. Many policies bundle a 24/7 incident-response team and breach coach, which is often the most valuable part for a smaller business.

Q: What does cyber insurance not cover?

Common exclusions include the cost of upgrading or fixing the security weakness that caused the breach (betterment), loss of future profits beyond the policy's business-interruption terms, intellectual property and patent loss, bodily injury and property damage (usually handled by other policies), insider or fraudulent acts by the insured, prior known incidents, and acts of war or state-sponsored attacks under some war-exclusion wordings. Fines and penalties are only covered where the law of the relevant jurisdiction allows them to be insured.

Q: How can I lower my cyber insurance premium?

The strongest levers are security controls the underwriter scores: deploy MFA everywhere, run EDR/MDR, keep tested and segregated backups, filter email and train staff against phishing, and patch promptly. Beyond controls, you can raise your retention (deductible) to lower the premium, right-size your limit instead of over-buying, document an incident-response plan, align to a recognized framework such as the NIST Cybersecurity Framework or ISO 27001, and present a clean application with a broker who specializes in cyber.

Q: What is the difference between first-party and third-party cyber cover?

First-party covers your own direct losses from an incident — forensics, notification, lost income from downtime, ransom payments and data restoration. Third-party covers your liability to other people — customers, partners or regulators — when their data or systems are harmed, including legal defense and settlements. Most businesses need both; a data-heavy company leans on third-party liability, while a company whose revenue depends on uptime leans on first-party business interruption.

Q: Does cyber insurance cover ransomware payments?

Many policies cover ransomware, including the extortion payment, the negotiation specialists, forensics and data restoration — but often with a specific sub-limit and stricter control requirements than the rest of the policy. Coverage can be reduced or void if you lacked the security controls you attested to, and sanctions law prohibits paying certain threat actors. The trend is toward covering ransomware only for insureds who can show tested backups and strong access controls.

Q: Is cyber insurance worth it for a small business?

For most small businesses that hold customer data or depend on systems to operate, yes — chiefly because the incident-response team, breach coach and forensics that come with the policy are hard to assemble at 2 a.m. on your own, and the average cost of a data breach runs well into six or seven figures even for smaller firms. The premium is usually modest relative to that exposure. The honest exception is a micro-business holding almost no sensitive data, where strong controls and a small retention may matter more than a large limit.

General information, not insurance or financial advice — get quotes from licensed brokers/carriers for your situation. Coverage terms, exclusions and pricing vary by carrier, state and year.

"How much does cyber insurance cost?" has the same honest answer as most business insurance questions: it depends, and the spread is enormous. Two companies with identical revenue can pay wildly different premiums because one has multi-factor authentication, tested backups and a clean claims history while the other does not. A small, low-risk business buying a USD 1 million limit might pay somewhere in the low four figures a year; a data-heavy firm in a high-risk sector, or one missing basic controls, can pay several times that for the same limit. This guide explains what you are actually buying, what moves the price, and where you can pull the cost down — so you can read a quote critically instead of anchoring on a single number you saw online.

What cyber insurance actually covers

Cyber insurance (also called cyber liability or cyber-risk insurance) protects a business against the financial fallout of a cyber incident — a data breach, ransomware attack, business email compromise, system outage or privacy violation. Every policy is structured into two halves: first-party cover for your own direct losses, and third-party cover for claims other people bring against you. Understanding the split is the key to buying the right limits.

First-party cover — your own losses

This is the money you spend cleaning up your own incident. For most small and mid-size businesses it is the part of the policy that earns its keep:

Breach response & forensics — the incident-response team, digital forensics to find out what happened, and a "breach coach" (specialist privacy counsel) who quarterbacks the whole event. This 24/7 access is frequently the single most valuable benefit, because assembling it yourself in the middle of a crisis is slow and expensive.
Notification & credit monitoring — the legally required cost of telling affected individuals their data was exposed, plus identity-protection or credit-monitoring services for them. US breach-notification laws exist in every state and these costs scale directly with the number of records you hold.
Business interruption — lost income and extra operating expense while your systems are down. If your revenue depends on systems being online, this can dwarf every other line item.
Ransomware & cyber-extortion — ransom negotiation specialists, the extortion payment itself where lawful, and the cost of recovering encrypted systems. This is usually subject to its own sub-limit and stricter control requirements.
Data & system restoration — the cost of rebuilding, recovering or re-creating data and software that was corrupted, deleted or encrypted.

Third-party cover — claims against you

This responds when someone else is harmed and comes after you for it:

Privacy & network-security liability — legal defense and settlements when customers, employees or partners sue because their data was exposed or your network spread harm.
Regulatory defense & penalties — the cost of responding to a regulator (a state attorney general, the FTC, or a data-protection authority) and any fines, where those fines are insurable under local law.
Media & content liability — claims such as defamation or IP infringement arising from your digital content, where the policy includes it.
Payment-card (PCI) liability — assessments and fines from card networks after a payment-data breach, on policies that offer it.

A useful rule of thumb: a data-heavy company (it holds lots of personal or payment records) leans on third-party liability, while a company whose revenue depends on uptime leans on first-party business interruption. Most businesses need a sensible amount of both.

What cyber insurance does not cover

Reading the exclusions is more important than reading the marketing. Cyber policies routinely exclude:

Betterment / security upgrades. The policy pays to restore you to where you were, not to fix the weakness that let the attacker in. Hardening your environment afterward is on you.
Future lost profits beyond the defined business-interruption period and terms — long-tail reputational revenue loss is generally not recoverable.
Intellectual property and trade-secret value — the loss of the data's competitive value (as opposed to the cost of restoring the files) is usually excluded.
Bodily injury and physical property damage — these belong to general liability or property policies, not cyber, though some overlap is being addressed in newer wordings.
Insider, criminal or fraudulent acts by the insured, and prior known incidents you were already aware of before binding.
War and state-sponsored attacks under certain war-exclusion clauses — an evolving and heavily negotiated area after several high-profile disputes. Read this wording carefully.
Uninsurable fines. Regulatory penalties are only covered where the law of the relevant jurisdiction permits insuring them; many do not.

The recurring theme: cyber insurance is a financial backstop for an incident, not a substitute for security or a guarantee against every conceivable loss. Treat the exclusions as the real definition of the product.

What drives the cost — the premium factors

Underwriters build your premium from a stack of risk factors. The biggest swings come from the data you hold and the controls you run, not just your size:

Factor	Why it moves the premium
Annual revenue	The primary exposure base — bigger firms have more systems, more records and more to lose, so premium scales with revenue.
Industry / sector	Healthcare, finance, legal, retail and education are high-risk because of the data they hold and how often they are targeted.
Records held	The number and sensitivity of personal, health (PHI) and payment (PCI) records drives notification and liability cost directly.
Security controls	MFA, EDR/MDR, tested backups, email filtering and patching. The single largest controllable lever on price and insurability.
Claims / breach history	Prior incidents signal future risk and raise premium and retention — much like a loss record in any other line.
Coverage limit	The maximum the insurer will pay. Higher limits cost more, but not linearly — the first dollar of cover is the most expensive.
Retention (deductible)	The amount you self-insure per claim. A higher retention lowers the premium and vice versa.
Third-party / vendor risk	Heavy reliance on outsourced IT or SaaS that touches your data adds aggregation risk underwriters now scrutinize.

The two factors you genuinely control are your security controls and the limit and retention you choose. Everything else — revenue, industry, the records the business must hold to operate — is largely fixed in the short term. That is why almost every cost-reduction strategy below is really a controls strategy.

Realistic premium ranges (frame as ranges, not quotes)

Be skeptical of any precise "average cyber insurance cost" figure — it blends a one-person consultancy with a hospital network and describes neither. What follows are directional ranges for a typical USD 1 million limit, to set expectations only. Your quote can land well outside them in either direction:

Business profile	Indicative annual premium (USD 1M limit)	Notes
Micro / low-risk (services, few records, strong controls)	~$500–$1,500 / yr	Often bundled or offered as an endorsement to a business owner's policy.
Typical small business (some customer data, MFA in place)	~$1,000–$3,000 / yr	The band most quoted small businesses see for a standalone USD 1M policy.
Data-heavy or higher-risk SMB (retail/PCI, professional services)	~$3,000–$10,000+ / yr	Driven by record counts, sector and any weak controls.
Mid-market (high-risk sector, larger limits)	Five figures and up	Often carrying USD 5M+ limits; priced on a detailed application and external scan.

Notice the pattern: the variation between profiles is larger than the typical premium itself. Missing MFA alone can move a quote from the lower band into the higher one — or get the application declined. This is why "what does cyber insurance cost?" is genuinely unanswerable without the controls picture, and why a five-minute conversation about your security posture changes the number more than your revenue does. Use the ranges to sanity-check a broker's quote, not to budget to the dollar.

How underwriters assess you

Cyber underwriting has tightened sharply over the past few years, and it now works on two tracks. First, the application questionnaire: a detailed set of questions about your revenue, industry, records held, controls and history. Answer it accurately — material misstatements (for example, attesting to MFA you do not actually enforce) can void a claim. Second, an external scan: many carriers now run an outside-in security assessment of your internet-facing systems before quoting, flagging exposed services, unpatched software, leaked credentials and email-security gaps. Your application and the scan have to roughly agree.

From those inputs the underwriter judges three things: how likely you are to have an incident (your controls and exposure), how expensive it would be (records, revenue, business-interruption dependence), and how well you would respond (incident-response plan, backups, history). Strong, well-documented controls and a clean history lower both the premium and the retention. Weak controls do the opposite — or lead to declination, sub-limits on ransomware, or coercive co-insurance terms. The practical takeaway: the assessment rewards security maturity, so it pays to look organized.

How to lower your premium

Because the price is so controls-driven, the best cost-reduction work is also good security hygiene. In rough order of impact:

Multi-factor authentication (MFA) everywhere — on email, remote access, VPN and especially privileged/admin accounts. This is now a baseline requirement; having it cleanly in place is the difference between a competitive quote and a decline.
Endpoint detection & response (EDR/MDR) — modern, monitored endpoint security rather than legacy antivirus. Underwriters reward continuous detection because it limits how far an attacker can spread.
Tested, segregated backups — offline or immutable backups that you have actually restored from in a drill. This is the foundation of ransomware coverage and resilience.
Email security & phishing training — filtering plus a recurring security-awareness program, since phishing and business email compromise start most incidents. A measurable training program is something you can show the underwriter.
Prompt patching and vulnerability management — a documented process to apply critical patches quickly; the external scan checks this directly.
A written incident-response plan — even a short, tested plan signals maturity and shortens (and cheapens) a real event.
Right-size the limit and tune the retention — do not over-buy a limit you do not need, and consider a higher retention to lower the premium if your balance sheet can absorb the first slice of a loss.
Align to a recognized framework — mapping your controls to the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) or working toward ISO 27001 gives underwriters a structured story and often improves terms. You do not need full certification to benefit from the structure.
Use a specialist cyber broker — one who knows which carriers favor your sector and controls profile, and who can present a clean, well-documented application.

Use AEGIS's free ransomware readiness check and NIST CSF self-assessment to find the gaps that underwriters score before you fill in an application — closing them is the cheapest way to move your premium.

How to choose your limit

Pick the limit from your realistic worst case, not a round number that "feels safe." Work through three questions: (1) What would a breach actually cost us? Estimate notification, forensics, legal, downtime and a potential ransom against the volume of records you hold — the global average cost of a data breach reported by IBM's annual study runs into the millions even for mid-size organizations, and the cost rises with the time it takes to detect and contain. (2) What do our contracts require? Many enterprise customers and partners mandate a minimum cyber limit (often USD 1M–5M) to do business with you. (3) What is our regulatory exposure? Holding health or payment data, or operating across many states, raises the defensible limit. Many small businesses start at a USD 1 million limit; data-heavy and mid-size firms commonly carry USD 5 million or more. A grounded breach-cost estimate beats copying a competitor's number every time.

Estimate yours with the free data breach cost calculator, then size the limit and retention to the figure it produces.

Worked example

Consider a 25-person professional-services firm with about USD 4M revenue that holds client personal and financial records. Two versions of the same firm apply for a USD 1M limit:

Posture	Controls	Indicative outcome
Firm A	MFA everywhere, EDR, tested backups, phishing training, IR plan	Competitive quote in the lower band, lower retention, ransomware fully within limit
Firm B	No MFA on email/remote access, legacy AV, untested backups	Higher premium or decline; if bound, a ransomware sub-limit and higher retention

Same revenue, same data, same limit — a materially different price and breadth of cover, decided almost entirely by controls the firm could implement in weeks. That gap is the dollar value of basic cyber hygiene, and it is why security investment and insurance cost are two sides of one coin. The fastest way to a cheaper renewal is to look more like Firm A before you next go to market.

Estimate your exposure — free tools

Don't guess from a national average. These free, no-signup tools run entirely in your browser and help you walk into a broker conversation prepared:

Cyber insurance estimator — model an indicative premium from revenue, industry, records and your control posture.
Data breach cost calculator — estimate the all-in cost of a breach of your records to size your limit.
Ransomware readiness check — score the backups and access controls insurers require before they cover ransomware.
NIST CSF self-assessment — map your controls to Identify, Protect, Detect, Respond and Recover.
Security-awareness ROI calculator — quantify the return on phishing training, a control underwriters reward.

Cyber insurance cost FAQ

How much does cyber insurance cost for a small business in 2026?
There is no single price. For a typical USD 1M limit, a low-risk small business with strong controls often falls roughly in the USD 1,000–3,000 a year range; data-heavy or weakly secured firms pay several times that. Always treat figures as ranges — your price depends on revenue, industry, records, controls, claims history, limit and retention.

What does cyber insurance actually cover?
First-party losses (breach response and forensics, notification, business interruption, ransomware/extortion, data restoration) and third-party claims (privacy and network-security liability, regulatory defense and insurable fines, media liability). A 24/7 incident-response team and breach coach are usually bundled and are often the most valuable part for a smaller firm.

What does cyber insurance not cover?
Common exclusions include security upgrades/betterment, future lost profits beyond the BI terms, IP value, bodily injury and property damage, insider/fraudulent acts, prior known incidents, and war or state-sponsored attacks under some wordings. Fines are only covered where local law allows insuring them.

Do I need MFA to get cyber insurance?
In practice, yes, for most carriers. MFA on email, remote access and privileged accounts is a baseline application requirement, alongside EDR, tested backups, email filtering and patching. Missing MFA can mean a decline, a higher premium, or a ransomware sub-limit.

How can I lower my cyber insurance premium?
Deploy MFA, EDR/MDR, tested backups, email filtering and phishing training, and patch promptly. Then raise your retention, right-size the limit, document an incident-response plan, align to the NIST CSF or ISO 27001, and use a specialist broker.

What is the difference between first-party and third-party cover?
First-party pays your own direct losses (forensics, notification, downtime, ransom, restoration). Third-party pays your liability to others (customers, partners, regulators), including defense and settlements. Most businesses need both.

How much coverage do I need?
Size the limit to your realistic worst-case breach cost, any contractual minimums, and your regulatory exposure. Many small businesses start at USD 1M; data-heavy and mid-size firms often carry USD 5M+. A breach-cost estimate beats copying a competitor.

How do underwriters assess an application?
From the questionnaire and, increasingly, an external scan of your internet-facing systems. They weigh revenue, industry, records, controls, incident-response readiness, claims history and vendor risk. Strong controls and a clean record lower both premium and retention.

Does cyber insurance cover ransomware payments?
Often yes — extortion payment, negotiation, forensics and restoration — but usually with a sub-limit and stricter control requirements, and never for sanctioned threat actors. Coverage can be reduced if you lacked the controls you attested to.

Is cyber insurance worth it for a small business?
For most firms holding customer data or depending on systems, yes — mainly for the incident-response team and forensics you cannot easily assemble mid-crisis, against a breach cost that runs well into six or seven figures. The exception is a micro-business with almost no sensitive data.

General information, not insurance, legal or financial advice, and AEGIS - AMA is independent of any insurer or broker. Coverage wordings, exclusions, underwriting requirements and pricing change frequently and vary by carrier, state and jurisdiction — get quotes and confirm terms with licensed brokers and carriers, and have any policy reviewed by a qualified advisor, before relying on it for your situation. References to IBM's Cost of a Data Breach research, the NIST Cybersecurity Framework and ISO/IEC 27001 are paraphrased for general explanation only.

← Back to home · Open the cyber insurance estimator →