The average cost of cyber insurance in the U.S. is $1,485 per year, or $124 per month. According to recent reports, the U.S. is the country most frequently targeted by cyberattacks. Companies in the U.S. spend almost $4 million on average to respond to a data breach, according to IBM. For small businesses, recovering from a data breach costs around $36,000 on average, according to First Data. For small and midsize businesses, the cost rises to an average of $86,000, as reported by Kaspersky.
Average Cost of Cyber Insurance
AdvisorSmith conducted a study using quote estimates and rate filings from over 43 insurance companies nationwide and found premiums ranging from $650 to $2,357 for cyber insurance for companies with moderate risk. These premiums were based on a liability limit of $1,000,000, a $10,000 deductible, and $1,000,000 in company revenue.
The average cost of cyber insurance is $1,485 per year in the U.S. The costs of insuring your business against data breaches and hacking attacks vary based upon the nature and size of your business, as well as the state in which your business is located. For example, the average cost in Michigan was $1,339 for our example scenario, while similar coverage in Minnesota was $1,708. Below, we list the average cost of cyber insurance in each state, along with the difference between the state average and the national average.
| State | Average Cost of Cyber Insurance | Difference from National Average |
| --- | --- | --- |
| District of Columbia | $1,539.25 | 3.66% |
Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims or if it has been attacked or hacked in the past, your premiums may be higher.
Average Cost of Cyber Insurance (2020 vs. 2019)
In 2020, the average cost of cyber insurance was $1,485 per year, compared with $1,501 in 2019, a drop of 1%. Our analysis found that some of the highest priced insurers either lowered their premiums or exited the market, leading to slightly lower average premiums.
The table below shows the change in average premiums by state between 2019 and 2020. The largest jump in cost was in the state of Arizona, with annual premiums increasing 39% from $1,139 in 2019 to $1,581 in 2020. North Carolina saw the largest drop in average cost, with annual premiums decreasing 12% from $1,611 in 2019 to $1,421 in 2020.
| State | Average Cost of Cyber Insurance (2020) | Average Cost of Cyber Insurance (2019) | Percent Change |
| --- | --- | --- | --- |
| District of Columbia | $1,539.25 | $1,536.00 | 0% |
How does coverage level affect cyber insurance costs?
In addition to the nature of your business, location, and claims history, a major factor in determining your premium is the level of coverage you choose. The higher the limits of your cyber coverage, the higher your premiums will be. However, additional coverage usually costs less per dollar of coverage than the base coverage. For example, the first $250,000 of coverage costs an average of $739 in our example below, while the next $250,000 of coverage costs an average of only $407, for a total cost of $1,146.
In the following table, we show how the average annual premium changes for different levels of coverage with varying deductibles, based upon a business with moderate risk in the state of Connecticut. To create this table, we used quotes and rate filings from major insurance companies in Connecticut. Actual premium prices would vary depending upon the type of business, location, and claims history.
| Cyber Liability Limit | Deductible | Average Annual Insurance Premium |
| --- | --- | --- |
Choosing the appropriate level of coverage for your cyber liability insurance is an important decision for your business. The premium should be affordable, but the liability limit also needs to be high enough that, in the event of a data breach or hack, your business can avert financial disaster.
How do deductibles affect cyber insurance costs?
A cyber insurance deductible is the amount of a loss that your company is responsible for in the event of a covered hack, data breach, or other event covered by your cyber liability insurance. A typical deductible for a $1 million policy could be $10,000, but you are free to choose higher or lower deductibles depending on your company’s situation. Choosing a lower deductible means you’ll pay less in the event of a breach, but it also means your premiums will be higher. When choosing your deductible, you should consider the impact of a loss on your business, and the amount of losses you’d be able to absorb in the event of a breach or cyber event.
How do business size and type affect cyber insurance costs?
Many insurance companies base their rates for cyber insurance on the revenues that a business has. The larger a company’s revenues, generally, the higher the premiums will be when compared with a similar company with lower revenues. A few insurance companies use the number of employees to determine a company’s premiums, with more employees causing premiums to be higher.
In addition to company size, the type of business that a company is in has a large impact on the premiums that a company pays. Most insurance companies segment businesses into different tiers of premiums based upon the type of business. Companies that do not store much third-party information and don’t have many data records usually have the lowest cyber insurance premiums. For example, a small manufacturing company with only a few clients would have very little customer information that would be affected in the event of a data breach.
Companies with moderate risk might hold larger amounts of customer data but not necessarily highly sensitive customer information. A moderate-risk company might be a retail store that accepts credit card transactions in its store. These companies will have higher premiums than low-risk companies.
The highest tier of risk is companies that store sensitive information such as Social Security numbers, dates of birth, or other financial or personal information. Examples include professional services organizations such as accountants, medical offices, and apartment buildings. These companies pay the highest premiums for their cyber insurance.
How does the number of sensitive records affect cyber insurance costs?
In addition to the revenue, size, and type of business, many insurers will ask for the number of sensitive records stored by an organization, as well as the number of financial or credit card transactions processed by your company. Usually, the higher the number of sensitive records or financial transactions stored, the higher your company’s insurance premiums will be.
How do security measures affect cyber insurance costs?
When applying for cyber insurance, many insurance companies will ask you to complete an assessment of your company’s existing security measures. The more security measures your company has put into place, the lower the insurance premiums for cyber insurance will be.
Security measures your company could take include hardware and software network security, data loss prevention procedures, multi-factor authentication, and encryption of stored data. Insurers are also interested in whether your company patches software vulnerabilities on a regular basis and whether it uses third-party firms for security assessments and audits. Another step is monitoring vendors who have access to your computers and data systems.
What are the most frequent cyber insurance claims?
The most frequent causes of cyber insurance claims are hacking, ransomware, phishing, and employee negligence. Having cyber insurance can protect your business against the financial consequences of some of these attacks.
Hacking claims account for some of the most common cyber insurance claims. If a hacker breaks into your company’s computer network and steals data, your company may be liable for a variety of costs to recover from and mitigate the damage from the hack. These costs may include forensic services to determine the cause and extent of the hack, legal costs to defend against third-party lawsuits related to the hack, notification and credit monitoring services for affected individuals, public relations costs, and regulatory fines and penalties.
Ransomware attacks occur when malicious software is installed on your company’s systems and your company’s data or critical software is threatened unless you pay a ransom. In these cases, cyber insurance can pay for the costs of the ransom so that your company’s data or systems can be recovered. Many cyber liability policies provide very limited coverage for ransomware or cyber extortion attacks, with coverage sublimits as low as $25,000, even when the cyber liability policy has a much higher total limit.
Phishing attacks induce your employees to disclose passwords or other login credentials to hackers. These attacks can happen when employees click on malicious links embedded in emails or on the web. They can also occur over the phone when your employees are tricked into disclosing passwords or other sensitive information. With phishing attacks, criminals can log into your company’s systems and steal data or conduct unauthorized financial transactions.
Employee negligence claims can arise from something as simple as an employee losing a laptop that contains sensitive customer or employee data. In the case of employee negligence, your company could be liable for lawsuits related to lost data, notifying affected individuals and providing them with credit monitoring services, public relations costs, and fines and penalties.
Purchasing Cyber Liability Insurance
There are a variety of insurers and brokers in the market, and it may be difficult sorting through all of the options. AdvisorSmith analyzed a variety of cyber policies and determined the best cyber insurance companies for small businesses. To determine the best cyber insurers, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites.
| Rank | Insurer | Rating |
| --- | --- | --- |
| 1 | Hiscox | 4.9 / 5.0 |
| 2 | Chubb | 4.8 / 5.0 |
| 3 | The Hartford | 4.7 / 5.0 |
| 4 | AIG | 4.7 / 5.0 |
| 5 | CNA | 4.6 / 5.0 |
| 6 | Arch | 4.5 / 5.0 |
| 7 | Hanover | 4.5 / 5.0 |
| 8 | Intact | 4.4 / 5.0 |
| 9 | Beazley | 4.3 / 5.0 |
| 10 | Axis | 4.3 / 5.0 |
Cyber insurance is becoming more and more important for businesses, small and large. As the threat of hacking and data breaches increases, it is important to understand how cyber insurance is priced and where pricing is heading.
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
- Program Chair for Cybersecurity Management and Policy
- University of Maryland Global Campus
Dr. Shiu-Kai Chin
- Professor of Electrical Engineering & Computer Science
- Syracuse University
John Paul Broussard
- Professor, Director of the Online MS Finance Program
- University of Oklahoma
- Associate Professor, Cyber Security & Computer Science
- Shenandoah University
Q. Should small businesses be concerned about cyber risk?
Bruce: Absolutely. In fact, small businesses are a more likely target than a Fortune 500 company. Hackers know that the large companies have a staff of IT people dedicated to protecting the organization’s network. They also have CISOs and risk management people on staff. Small businesses have none of these things, but still have assets worth taking.
Shiu-Kai: Yes. Cyber risk involves more than information. It includes the control of funds and information, i.e., the command and control of your business operations. If you lose control, your business operations will stop. Just look at the recent collapse of Colonial Pipeline operations.
John Paul: Small businesses should be concerned about cyber risks. Smaller companies may not think they are vulnerable, and hence do not spend the requisite time and attention on cybersecurity matters. That lack of attention essentially creates opportunities for cybercrime. When small businesses suffer an attack, they have to spend a higher proportion of their financial resources fixing the problems created. So yes, smaller companies need to be concerned about cybersecurity.
David: Yes, small businesses should be concerned about cyber threats. Typically, small businesses do not have large budgets to support specialized IT staff in addition to cybersecurity specialists. Thereby, smaller businesses are more vulnerable and have an easier infrastructure to propagate.
Though this doesn’t mean that a small business has the same brand exposure as a large company, all it takes is an employee of a small company going to a compromised website, downloading an infected file, or becoming a victim of an email phishing scam, and this could shut down the entire business computing infrastructure, especially when there is a lack of protective IT security countermeasures.
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
Bruce: In my opinion, the cyber insurance market will increase. More companies are trying to transfer their risk and the best way to do that is by purchasing insurance. The main cyber insurance challenge is to determine what risks are covered by the policy.
Shiu-Kai: The challenge organizations and people have is adequately estimating cyber risk, i.e., how well a system is conceived, designed, implemented, operated, and monitored to assure mission-essential functions are available with safety, integrity, and security. Many risk methods are based on guesses in the form of probabilities of likelihood. The [research] by Romanosky, Ablon, Kuehn, and Jones of RAND has a devastating and amusing summary of the situation, after they reviewed cyber insurance policies: carriers don’t know how to price cyber risk. The research we are doing with DoD, NSF, and relevant defense corporations applies directly to mission assurance, risk management, and certification of trustworthy systems.
David: The notion of ransomware as one of the many weapons of choice in the cyber threat arsenal is certainly a real problem for IT infrastructure and data systems. This malicious attack quickly renders critical data useless, and the impact on business operations is immediate. The costs hinge on a company’s ability to recover to an operative state, either through solid IT security practices or through payment for a decryption key to get its data back from the perpetrators.
The concept of cyber liability insurance is a safe bet in our given technology landscape, but one must also consider the collateral damages post breach such as reputational harm, consumer trust, and production downtime. The challenges are to align the insurable assets with a good Business Continuity Plan balanced with risk assessment and recovery. These are difficult measurements to achieve, but the essentials of impact analysis may shed some light on a pathway forward. The main outcome is to determine the company’s critical assets, where insurance would help bridge the degradation gap of the business.
Q. How can a business effectively organize and manage cyber risk?
Shiu-Kai: Mitigating cyber risk is much like mitigating risk in your financial operations. Just like you think about who touches or has access to your money and why, think about who touches and has access to your computer-based operations and why.
Think about the controls on your essential computer-based operations, transactions, command-control-and-communications (C3). Answer the question, “What controls are in place to assure that only those who are authenticated and authorized actually get to execute or deny those C3 operations?” If you think about authenticating and authorizing C3 operations as if those operations were money, you’ll be on the right track.
Bruce: Every business, regardless of size, should have a risk assessment done. Also, although they don’t need to employ a cybersecurity specialist full-time, they all should have one on retainer.
John Paul: Managing cyber risks is a continuous battle. Cybercriminals are always on the lookout for new ways to “attack” companies in the hopes of ransom payments. Some of the basic tools of two-factor authentication for employees to access company e-resources, email filters, and periodic independent review of electronic access are just a few protective tools.
David: An essential approach is to do an audit of your IT infrastructure including the appropriate penetration testing to identify the vulnerabilities of your company. Once you understand the current operating state of business, you could then determine your cyber risks through a cyber risk management process and then implement the cyber control measures to mitigate the critical vulnerabilities in your infrastructure.