Insurance & surety specialists since 1994
2026 pricing guide

How much does cyber insurance cost?

Straight ranges, the factors underwriters actually price on, and why the number on your quote can swing 30–50% for the same business. No rate-card fiction — just how cyber pricing really works in 2026.

The short answer

Most U.S. small businesses pay roughly $1,500–$3,500 per year for a standalone policy with a $1M limit. The median — which is also many carriers' minimum account premium — is $1,500/year. Mid-market firms ($10M–$50M revenue) typically pay $5,000–$35,000, and large or high-hazard operations run well into six figures. Your price is set by your industry, revenue, the data you hold, and — more than anything — your security posture.

Typical premiums by business size

Cyber pricing is individually underwritten, so treat these as planning benchmarks rather than quotes. The ranges below assume a standard $1M-per-occurrence / $1M-aggregate standalone policy and reflect broker benchmarks compiled in mid-2026 (Insureon, MoneyGeek, Coalition, NAIC and IBM data).

| Business profile | Annual premium ($1M limit) | Notes |
| --- | --- | --- |
| Micro / sole proprietor (<$1M revenue) | $1,500 | At many carriers' minimum account premium; lower only if endorsed onto a business owner's policy |
| Small business (1–100 employees, <$10M) | $1,500 – $3,500 | Median ≈ $1,500/yr — also a common minimum premium |
| Mid-market ($10M – $50M revenue) | $5,000 – $35,000 | Rises sharply with weak controls |
| Upper-mid / high-hazard ($50M – $1B) | $15,000 – $100,000+ | Layered towers, higher retentions |
| Enterprise ($1B+ revenue) | $100,000 – $500,000+ | Bespoke, systemic-risk clauses |

Industry matters as much as size. Healthcare, financial services and technology firms handle more regulated data and consistently price above the median; lower-data trades such as construction often price below it.

| Segment | Typical annual range |
| --- | --- |
| Small business (general) | $1,500 – $3,500 |
| Mid-size ($1M–$10M revenue) | $2,500 – $6,000 |
| Larger firms ($10M – $50M revenue) | $5,000 – $35,000 |
| Healthcare & financial services | Higher — regulated-data premium |

Billing: Cyber premiums are written on an annual basis and paid once per year — there is no monthly installment plan. Every figure on this page is an annual premium.

What actually drives your premium

Underwriters price cyber on the value and volume of the data you hold and the odds you'll suffer a claim. Six factors do most of the work:

  • Industry and data type. Protected health information (PHI), payment-card data (PCI) and financial records carry the highest exposure and the highest rates.
  • Revenue and record count. More customers and more transactions mean a larger notification and liability bill if you're breached.
  • Employee count. Every account is an attack surface; headcount is a proxy for how many ways in an attacker has.
  • Security controls. The single biggest lever you control — see below.
  • Claims history. A prior breach or claim can raise your rate 30–50%. A clean loss history is one of the most valuable things you bring to underwriting.
  • Limit and retention. Higher limits cost more; a higher deductible (retention) lowers premium, but only raise it to a level you could actually absorb after an incident.

How security controls change the price

In 2026, controls are the difference between a good rate, a loaded rate, and a declination. Documented multi-factor authentication, endpoint detection and response (EDR), tested offline or immutable backups, and a written incident-response plan can move a premium 20–40% in either direction. Missing them doesn't just raise your rate — it can get you declined outright.

What changed in 2026: Underwriters no longer accept self-attestation on critical controls. Screenshots, exports from your security tools, and third-party verification are increasingly required, and several carriers run pre-bind external scanning that surfaces exposed remote-desktop ports or unpatched systems before an underwriter even reads your application. If their scan finds a gap your application didn't disclose, you start from a credibility deficit.

What rates are doing in 2026

After two years of softening, the market in 2026 remains favorable for well-controlled risks — there is ample capacity, and carriers continue to broaden coverage and raise sub-limits for businesses that can demonstrate strong security. Many buyers are seeing flat to slightly lower pricing on an apples-to-apples basis, even as claim activity rises. Analysts expect the market to firm gradually as loss costs climb, so the businesses that invest in the basics now will keep paying less — and stay insurable — while those that don't may find coverage harder to obtain at all.

Premium vs. the cost of a breach

The case for coverage is arithmetic. A small business paying around $1,500 a year is buying protection against an event whose U.S. average cost reached a record $10.22 million in 2025 (IBM). Even a scaled-down incident at a small firm — forensics, notification, legal, downtime and possible funds-transfer fraud — routinely runs into six figures. Business email compromise and funds-transfer fraud alone accounted for well over half of cyber claims by volume in recent carrier data, and the average ransomware demand now exceeds $400,000.

The math: A few thousand dollars of premium against claims that average tens of thousands and breaches that average millions. That asymmetry — small trigger, ruinous bill — is the whole reason the coverage exists.

How to lower your cyber premium

  • Put the controls carriers reward in place — MFA everywhere, EDR, tested backups, a written IR plan — and document them so you can prove it at bind and at claim time.
  • Choose a retention you can actually absorb; a higher deductible lowers premium.
  • Bundle where it makes sense (cyber alongside a BOP or tech E&O) for a lower combined cost.
  • Reduce the sensitive data you retain — the less PII, PHI or card data you store, the smaller your exposure and often your rate.
  • Keep your revenue and exposure data current — auto-renewing on stale numbers means overpaying or being underinsured.
  • Work with a broker who submits to multiple cyber markets; the same risk can be quoted 30–50% apart depending on carrier and application quality.

Why we don't post an instant price

Plenty of sites promise an instant cyber quote. That's marketing, not underwriting. Cyber is a manuscript-driven line — the same business can receive very different terms depending on the form and the carrier. We're fast, but a real underwriting review is what stands between you and a policy that actually pays. We price each account on its own facts and walk you through the terms before you bind.

Frequently asked

How much is cyber insurance for a $1 million limit?

For a typical small business, roughly $1,500–$3,500 per year. The median — which is also many carriers' minimum account premium — is $1,500. Professional-services and healthcare practices usually sit at the higher end; lower-data trades sit near the minimum.

Why is my renewal higher than last year?

Common reasons are a claim or near-miss in your history, revenue growth that increased your exposure, a control you dropped, or a carrier repricing loss costs. Documented controls are the fastest way to push back on an increase.

Is cyber insurance worth it for a small business?

For nearly any business that stores customer data, yes. The premium is a small fraction of a breach's cost, and most cyber claims come from small and mid-sized businesses precisely because they have fewer resources to defend and recover.

Figures on this page are general benchmarks compiled in mid-2026 from public industry data (Insureon, MoneyGeek, Coalition, NAIC and IBM) and are not a quote. Your premium depends on the policy issued after underwriting. Availability varies by state and carrier.

Want a real number for your business?

Skip the instant-quote theater. Send a short application and we'll underwrite it properly, then walk you through the terms before you bind.