Site icon AdvisorSmith

Small Business Cyber Insurance

Cyber Liability Insurance

If your business stores sensitive information electronically or depends on computer networks, systems, and data, you may be at risk for a hack, data breach, or ransomware attack. Cyber insurance can provide coverage for this risk and other cyberattacks.

What is cyber liability insurance?

Cyber liability insurance, also known as cyber risk insurance or cyber insurance, covers your business against liability and property losses caused by cyberattacks such as hacks, data breaches, denial of service attacks, and viruses.

With the increasing adoption of digital technologies in business, there are a number of new risks for businesses as they could be the victim of a variety of cybercrimes. Cyber insurance typically covers common cyber risks such as data breaches, hacking, ransomware and cyberextortion, denial of service attacks, and viruses.

Because cyber liability insurance policies vary widely between insurers, other forms of cyber mishaps, like social engineering fraud and phishing schemes, may also be covered depending on the insurer. Commercial general liability and commercial property policies generally exclude coverage for cyber liability and electronic data, so you may not have coverage for data breaches without a cyber liability insurance policy in place.

Get a quote on Cyber Liability Insurance

Cyber liability insurance can cover losses your business experiences due to cyberattacks, whether they are first-party losses or losses from third-party legal claims. Cyber liability insurance can provide coverage in a number of scenarios:

What is data breach insurance?

Data breach insurance is a type of cyber insurance that provides for a more limited set of protections than a broad cyber liability insurance policy. Also commonly known as first-party cyber liability insurance, data breach insurance deals only with first-party losses that your business directly incurs, rather than third-party losses where your company’s data breach causes a customer or employee to suffer a financial loss.

Who needs cyber liability insurance?

Business owners who store sensitive, confidential, or proprietary information can benefit from cyber liability insurance. If your business stores any of the following information, you should consider the protections provided by cyber liability insurance:

Cyber liability insurance can sometimes be added on to a business owner’s policy as an endorsement or additional coverage. It is also available on a standalone basis.

Do small businesses need cyber liability insurance?

Small businesses can benefit from cyber liability insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches likely involves security lapses at large corporations, like Equifax or Colonial Pipeline, the reality is small businesses are just as at risk. According to our small business survey, 42% of small businesses experienced a cyberattack in 2021, and 69% of small businesses were concerned about being attacked in the next 12 months.

In fact, small businesses may be even more vulnerable, as many smaller companies lack the time, expertise, and resources to establish advanced security protocols, train employees, and implement strong digital protections. Cybercriminals have also been increasingly targeting small businesses in the hopes that they can move up the supply chain and infiltrate larger companies that may share systems or information with smaller companies.

The consequences of a cyberattack on a small business can also be much more debilitating than for a larger company that has more resources to absorb any losses. Oftentimes, the financial costs necessary to remediate a data breach may simply be out of reach for smaller businesses.

What does cyber liability insurance cover?

Cyber liability insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events.

Cyber liability insurance generally has two major components: first-party coverage and third-party liability coverage. First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen. You may choose to purchase either or both types of coverage.

First-Party Coverage

First-party coverage provides protection against the financial losses your business incurs due to a data breach, hack, or other cyber event.

Data Breach

First-party coverage can provide for the costs of responding to and recovering from a data breach. These costs can include:

Data Recovery

If your company’s electronic data is lost, damaged, or corrupted due to a hack, virus, or denial of service attack, you can be covered under first-party coverage. This coverage also extends to data belonging to others stored on your systems.

First-party coverage will reimburse your company for the costs to restore or recover the lost or damaged data, as well as the costs to hire consultants to help you restore or repair your data.

Data recovery coverage usually does not cover data loss due to mistakes made by your business or your employees. For example, if your employee accidentally deletes your critical business data, it would not be covered.

Because commercial property coverage usually excludes coverage for electronic data, having data recovery coverage can be valuable if your company experiences a hack or cyberattack.

Business Interruption

Business interruption insurance is also available on many cyber insurance policies. A typical business interruption insurance policy that is attached to a commercial property policy only covers perils that cause physical damage. Usually, commercial property coverages do not provide coverage for electronic data.

If the loss or destruction of data leads to a disruption in your ability to do business, this coverage can pay for the loss of business income your business experiences.


Note, however, that this coverage may only apply to lost profits that are directly caused by the cyberattack. If your sales decline due to a hit to your reputation from the data breach or cyberattack, these declines may not be covered. Some insurers, however, are now including reputational loss coverage on cyber policies, which can provide coverage for extended financial damage due to reputation loss.

Cyberextortion and Ransomware

First-party coverage can also cover cyberextortion, including ransomware attacks. If your business is threatened with damage to your computer systems or networks unless you pay a ransom, this insurance can provide coverage. Ransomware coverage can also come in standalone form.


First-party coverage can also provide coverage for the money you spend to respond to the extortion demand, in addition to any ransom you pay. The insurer’s consent is usually required before you pay these expenses.

Third-Party Liability Coverage

The third-party liability coverage provided by cyber liability insurance provides protection against lawsuits filed by clients or others against your business as a result of a breach of their security or privacy. These lawsuits can accuse your business of failing to adequately protect data you possess that belongs to customers, employees, vendors, or others.

Some of the claims and costs that third-party liability may cover include:

Third-party liability insurance is generally written on a claims-made basis, which means coverage is only available if the claim is submitted while the insurance policy is active. Most general liability policies are written on an occurrence basis, which covers claims submitted after the policy ends if the event causing the claim occurred while the insurance was active.

Deductibles and Sublimits

Many cyber insurance policies have sublimits for first-party coverage. A sublimit is part of the limits of insurance, but it places a maximum on the amount of coverage for that type of loss. For example, if you have a cyber liability insurance policy of $1 million with a 50% sublimit on first-party coverage, the most the policy will pay for first-party losses is $500,000, and the most it will pay for all kinds of losses including first-party losses is $1 million.

Many cyber liability insurance policies also have a deductible, which means that your business retains part of the risk of the loss, up to the amount of the deductible.

What does cyber liability insurance exclude?

Cyber liability insurance is primarily designed to protect your business from cyberattacks. However, there are some common exclusions that insurers may stipulate in cyber coverage. These can include:

It’s important to note that many policies have a waiting period, during which losses will not be covered. For example, a policy with a 12-hour waiting period will not pay for any losses incurred during the first 12 hours of a network outage.

There also may be some variance with regards to coverage of social engineering fraud. Social engineering attacks are often executed over email and can lead to data breaches as well as money loss. However, the schemes used in social engineering fraud are aimed at tricking an employee into voluntarily giving access or transferring funds to an attacker. Some cyber policies may provide coverage for social engineering fraud, and some insurers may offer coverage under a commercial crime policy.

Coverage for the personal liability of your directors and officers is also typically not covered in cyber policies. However, in the wake of a data breach or cyberattack, third parties may sue your business for damages, and they may also name your management team in the lawsuit, claiming mismanagement or breach of fiduciary duty. In order to protect your leadership team, it’s best to consider directors and officers liability insurance.

How much does Cyber Liability Insurance cost?

The average cost of cyber liability insurance in the U.S. was $1,589 per year in 2021, and our mid-year update in 2022 found that average premiums had risen 25% with some policyholders seeing an increase of over 80%. These increases are driven by an increasing number of cyber and ransomware attacks on businesses and a rise in demand for cyber coverage.

The costs of insuring your business against data breaches and hacking attacks will vary based upon the nature and size of your business, as well as the state in which your business is located. Below, we list the average cost for cyber insurance in each state, along with the difference between the state average and the national average.

StateAverage Cost of Cyber InsuranceDifference from National Average
Alaska$1,532.89 3.23%
Alabama$1,539.40 3.67%
Arkansas$1,646.50 10.88%
Arizona$1,581.50 6.50%
California$1,430.18 -3.69%
Colorado$1,521.67 2.47%
Connecticut$1,593.62 7.32%
District of Columbia$1,539.25 3.66%
Delaware$1,446.47 -2.59%
Florida$1,529.82 3.02%
Georgia$1,450.54 -2.32%
Hawaii$1,519.46 2.32%
Iowa$1,505.73 1.40%
Idaho$1,483.70 -0.08%
Illinois$1,434.59 -3.39%
Indiana$1,484.06 -0.06%
Kansas$1,501.38 1.11%
Kentucky$1,587.10 6.88%
Louisiana$1,623.94 9.36%
Massachusetts$1,380.59 -7.03%
Maryland$1,471.18 -0.93%
Maine$1,467.39 -1.18%
Michigan$1,339.33 -9.81%
Minnesota$1,708.11 15.03%
Missouri$1,509.00 1.62%
Mississippi$1,472.55 -0.84%
Montana$1,478.29 -0.45%
North Carolina$1,421.49 -4.27%
North Dakota$1,464.42 -1.38%
Nebraska$1,485.64 0.05%
New Hampshire$1,431.99 -3.57%
New Jersey$1,615.25 8.77%
New Mexico$1,355.36 -8.73%
Nevada$1,507.55 1.52%
New York$1,616.70 8.87%
Ohio$1,553.68 4.63%
Oklahoma$1,513.03 1.89%
Oregon$1,462.50 -1.51%
Pennsylvania$1,466.49 -1.24%
Rhode Island$1,541.58 3.81%
South Carolina$1,398.83 -5.80%
South Dakota$1,489.45 0.30%
Tennessee$1,500.20 1.03%
Texas$1,459.22 -1.73%
Utah$1,515.10 2.03%
Virginia$1,467.83 -1.15%
Vermont$1,457.70 -1.83%
Washington$1,449.80 -2.37%
Wisconsin$1,523.03 2.56%
West Virginia$1,629.64 9.74%
Wyoming$1,426.89 -3.91%

Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.

How do I apply for Cyber Insurance Coverage?

The cyber insurance application process is typically more rigorous than other types of policies, as cyber risk is a constantly evolving coverage area facing new and different threats every day. When it comes to cyber insurance, insurers want to understand and evaluate your cybersecurity infrastructure and determine your level of risk. How well can the people, processes, and technology you have set up for your company’s cybersecurity protect and respond to the ever-increasing number of cyber threats?

It’s important to be as thorough as possible in your application, as coverage can often be denied for a number of common reasons. The insurer may conclude that your company has inadequate cyber incident response plans, insufficient testing procedures, or incomplete policies and processes, among other reasons.

» Learn more about the cyber insurance application process.

Compare Cyber Insurance Quotes

There are a variety of insurers and brokers in the market, and it may be difficult sorting through all of the options. AdvisorSmith analyzed a variety of cyber policies and determined the best cyber insurance companies for small businesses. To determine the best cyber insurers, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites.

» Read our full review of the best cyber insurance companies.

RankCompanyAdvisorSmith Rating
1Hiscox4.9 / 5.0
2Chubb4.8 / 5.0
3The Hartford4.7 / 5.0
4AIG4.7 / 5.0
5CNA4.6 / 5.0
6Arch4.5 / 5.0
7Hanover4.5 / 5.0
8Intact4.4 / 5.0
9Beazley4.3 / 5.0
10Axis4.3 / 5.0

Cyber Insurance Policy Forms

Cyber insurance is still in its early days, and insurers have yet to consolidate around a standard policy form for coverage. Coverage terms vary widely between cyber insurance providers, so you’ll need to pay extra attention to what exactly is being covered and what the definitions are on your policy form. If you’re interested in seeing what a few sample forms may look like, we’ve compiled a few below.

Large insurers:

Specialty cyber insurers:

Reducing the Risks of Cyber Liability Claims

Cyber insurance should be your last line of defense against hacking, viruses, and data breaches. It is best to be proactive and take precautionary steps to reduce your exposure to cyber liability.

After a data breach, customers or clients may be hesitant to do business with you in the future due to privacy risks.

Some ideas for reducing your cyber liability exposure include:

Final Word

As the economy relies more and more on digital systems, software, and the internet, businesses will increasingly be more exposed to cyber and privacy risk. From retailers that operate online e-commerce stores to restaurants that take online orders, businesses of all types need take steps to safeguard their data and protect their businesses from the financial consequences of a data breach or hack. Cyber insurance can provide coverage for both first-party and third-party liability losses if your business is the victim of a cyberattack.

Expert Commentary

AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.

Guanyu Tian

  • Chairperson & Associate Professor, Mathematics and Computer Science
  • Fontbonne University
Guanyu's Answers

Kevin Powers

  • Director, M.S. Cybersecurity Policy and Governance
  • Boston College
Kevin's Answers

Zahid Anwar

  • Associate Professor, Computer Science
  • Challey Institute Faculty Scholar
  • North Dakota State University
Zahid's Answers

Yayuan Ren

  • Associate Professor
  • Department of Finance, Insurance and Law
  • Illinois State University
Yayuan's Answers

Victor Puleo

  • Davey Chair of Risk Management and Insurance
  • Butler University
Victor's Answers

David Marlett

  • Managing Director, Brantley Risk & Insurance Center
  • Appalachian State University
David's Answers

Abhishek Tripathi

  • Associate Professor of Accounting & Information Systems
  • The College of New Jersey
Abhishek's Answers

Eugene Spafford

  • Professor of Computer Science
  • Executive Director Emeritus, CERIAS
  • Purdue University
Eugene's Answers

Michael Nizich

  • Director, Entrepreneurship and Technology Innovation Center
  • New York Institute of Technology
Michael's Answers

Patricia Born

  • Midyette Eminent Scholar in Risk Management & Insurance
  • Florida State University, College of Business
Patricia's Answers

Ragib Hasan

  • Associate Professor, Computer Science
  • The University of Alabama at Birmingham
Ragib's Answers

Clifford Rossi

  • Professor of the Practice
  • Executive-in-Residence
  • University of Maryland, Robert H. Smith School of Business
Clifford's Answers

Phil Susmann

  • President
  • Norwich University Applied Research Institutes (NUARI)
Phil's Answers

Levent Ertaul

  • Professor and Chair, Computer Science
  • California State University, East Bay
Levent's Answers

Kevin Streff

  • Professor
  • Dakota State University, Beacom College of Computer and Cyber Sciences
Kevin's Answers

Jonathan Weissman

  • Professor, Computing Security
  • Rochester Institute of Technology
Jonathan's Answers

Elias Bou-Harb

  • Associate Professor, Information Systems and Cyber Security
  • Director, Cyber Center for Security and Analytics
  • The University of Texas at San Antonio
Elias' Answers

Deborah Snyder

  • Adjunct Professor, Information Security and Digital Forensics
  • University at Albany, State University of New York
Deborah's Answers

Dwight Farris

  • Instructor, Information Technology and Cybersecurity
  • Grand Canyon University
Dwight's Answers

Jonathan Kamyck

  • Associate Dean, Cyber Security
  • Southern New Hampshire University
Jonathan's Answers

Rui Zhao

  • Assistant Professor, Cybersecurity
  • University of Nebraska Omaha
Rui's Answers

Jose Lineros

  • Clinical Assistant Professor, Department of Accounting
  • University of North Texas
Jose's Answers

Diane Murphy

  • Director, School of Technology and Innovation
  • Marymount University
Diane's Answers

Long Cheng

  • Assistant Professor, College of Engineering, Computing and Applied Sciences
  • Clemson University
Long's Answers

Christopher Ivancic

  • Associate Professor
  • Graduate Program Coordinator, Department of Computer Science
  • Stephen F. Austin State University
Christopher's Answers

Q. Should small businesses be concerned about cyber risk?

Q. How can a business effectively organize and manage cyber risk?

Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?

Exit mobile version