Most U.S. small businesses pay roughly $1,500–$3,500 per year for a standalone policy with a $1M limit. The median, which is also many carriers' minimum account premium, is $1,500/year. Mid-market firms ($10M–$50M revenue) typically pay $5,000–$35,000, and large or high-hazard operations run well into six figures. Your price is set by your industry, revenue, the data you hold, and, more than anything, your security posture.
Typical premiums by business size
Cyber pricing is individually underwritten, so treat these as planning benchmarks rather than quotes. The ranges below assume a standard $1M-per-occurrence / $1M-aggregate standalone policy and reflect broker benchmarks compiled in mid-2026 (Insureon, MoneyGeek, Coalition, NAIC and IBM data).
| Business profile | Annual premium ($1M limit) | Notes |
|---|---|---|
| Micro / sole proprietor (<$1M revenue) | $1,500 | At many carriers' minimum account premium; lower only if endorsed onto a business owner's policy |
| Small business (1–100 employees, <$10M) | $1,500 – $3,500 | Median: $1,500/yr, also a common minimum premium |
| Mid-market ($10M – $50M revenue) | $5,000 – $35,000 | Rises sharply with weak controls |
| Upper-mid / high-hazard ($50M – $1B) | $15,000 – $100,000+ | Layered towers, higher retentions |
| Enterprise ($1B+ revenue) | $100,000 – $500,000+ | Bespoke, systemic-risk clauses |
Industry matters as much as size. Healthcare, financial services and technology firms handle more regulated data and consistently price above the median; lower-data trades such as construction often price below it.
| Segment | Typical annual range |
|---|---|
| Small business (general) | $1,500 – $3,500 |
| Mid-size ($1M–$10M revenue) | $2,500 – $6,000 |
| Larger firms ($10M – $50M revenue) | $5,000 – $35,000 |
| Healthcare & financial services | Higher: regulated-data premium |
What actually drives your premium
Underwriters price cyber on the value and volume of the data you hold and the odds you'll suffer a claim. Six factors do most of the work:
- Industry and data type. Protected health information (PHI), payment-card data (PCI) and financial records carry the highest exposure and the highest rates.
- Revenue and record count. More customers and more transactions mean a larger notification and liability bill if you're breached.
- Employee count. Every account is an attack surface; headcount is a proxy for how many ways in an attacker has.
- Security controls. The single biggest lever you control (see below).
- Claims history. A prior breach or claim can raise your rate 30–50%. A clean loss history is one of the most valuable things you bring to underwriting.
- Limit and retention. Higher limits cost more; a higher deductible (retention) lowers premium, but only raise it to a level you could actually absorb after an incident.
How security controls change the price
In 2026, controls are the difference between a good rate, a loaded rate, and a declination. Documented multi-factor authentication, endpoint detection and response (EDR), tested offline or immutable backups, and a written incident-response plan can move a premium 20–40% in either direction. Missing them doesn't just raise your rate; it can get you declined outright.
What rates are doing in 2026
After two years of softening, the market in 2026 remains favorable for well-controlled risks: there is ample capacity, and carriers continue to broaden coverage and raise sub-limits for businesses that can demonstrate strong security. Many buyers are seeing flat to slightly lower pricing on an apples-to-apples basis, even as claim activity rises. Analysts expect the market to firm gradually as loss costs climb, so the businesses that invest in the basics now will keep paying less, and stay insurable, while those that don't may find coverage harder to obtain at all.
Premium vs. the cost of a breach
The case for coverage is arithmetic. A small business paying around $1,500 a year is buying protection against an event whose U.S. average cost reached a record $10.22 million in 2025 (IBM). Even a scaled-down incident at a small firm (forensics, notification, legal, downtime and possible funds-transfer fraud) routinely runs into six figures. Business email compromise and funds-transfer fraud alone accounted for well over half of cyber claims by volume in recent carrier data, and the average ransomware demand now exceeds $400,000.
How to lower your cyber premium
- Put the controls carriers reward in place (MFA everywhere, EDR, tested backups, a written IR plan) and document them so you can prove it at bind and at claim time.
- Choose a retention you can actually absorb; a higher deductible lowers premium.
- Bundle where it makes sense (cyber alongside a BOP or tech E&O) for a lower combined cost.
- Reduce the sensitive data you retain: the less PII, PHI or card data you store, the smaller your exposure and often your rate.
- Keep your revenue and exposure data current: auto-renewing on stale numbers means overpaying or being underinsured.
- Work with a broker who submits to multiple cyber markets; the same risk can be quoted 30–50% apart depending on carrier and application quality.
Why we don't post an instant price
Plenty of sites promise an instant cyber quote. That's marketing, not underwriting. Cyber is a manuscript-driven line: the same business can receive very different terms depending on the form and the carrier. We're fast, but a real underwriting review is what stands between you and a policy that actually pays. We price each account on its own facts and walk you through the terms before you bind.
Frequently asked
How much is cyber insurance for a $1 million limit?
For a typical small business, roughly $1,500–$3,500 per year. The median, which is also many carriers' minimum account premium, is $1,500. Professional-services and healthcare practices usually sit at the higher end; lower-data trades sit near the minimum.
Why is my renewal higher than last year?
Common reasons are a claim or near-miss in your history, revenue growth that increased your exposure, a control you dropped, or a carrier repricing loss costs. Documented controls are the fastest way to push back on an increase.
Is cyber insurance worth it for a small business?
For nearly any business that stores customer data, yes. The premium is a small fraction of a breach's cost, and most cyber claims come from small and mid-sized businesses precisely because they have fewer resources to defend and recover.