
Cyber Liability Insurance for Small Businesses: Do You Need It? (2025)

Small accounting firm in my neighborhood got hit with ransomware last year. Hackers encrypted all their files and wanted $50,000 in Bitcoin to unlock them. The firm had client tax records, financial data, social security numbers—everything held hostage.

They didn’t pay the ransom. Instead they spent about $80,000 on IT forensics, data recovery, legal fees, notifying affected clients, credit monitoring for those clients, and rebuilding their systems. Plus they lost probably two months of productivity.

They had cyber liability insurance. It covered most of the $80,000 plus business interruption losses. Without it they might have closed. An accounting firm that loses all client data doesn’t really have a business anymore.

This isn’t a big company problem. Small businesses are actually MORE targeted because hackers know they have weaker security. Over 40% of cyberattacks target small businesses now. And most small businesses don’t have cyber insurance.

What cyber liability insurance covers

First-party coverage—your own losses:

Data breach response costs. Forensics to figure out what happened. Legal fees. Notification costs—you’re often legally required to notify affected people. Credit monitoring you provide to victims. PR help for reputation management.

Business interruption. Lost income while your systems are down. Extra expenses to get back up and running.

Ransom payments. Some policies cover ransomware payments if you decide to pay. (Whether to pay is a whole separate debate.)

Data recovery. Restoring lost or corrupted data.

Third-party coverage—when others sue you:

Liability if customers or partners sue you because their data was compromised in your breach.

Regulatory fines and penalties. GDPR, state privacy laws, industry regulations—violations can be expensive.

Legal defense costs even if claims are bogus.


What general liability doesn’t cover

Common misconception. “I have liability insurance, I’m covered.” No. General liability covers bodily injury and property damage. Data isn’t property under most general liability policies. Cyber incidents need cyber coverage.

Some business owner's policies include minimal cyber coverage, but usually not enough for a real incident. Check what you actually have.

Who needs it

Any business that:

Stores customer data—names, emails, payment info, anything personally identifiable.

Accepts credit card payments.

Uses computers for core business operations (so… everyone).

Has employees with access to sensitive information.

Has a website or online presence.

That’s basically every business. Even if you think you don’t have valuable data, you probably do. Employee records, vendor information, customer emails—all valuable to hackers.

Professional services—accountants, lawyers, consultants—are high-value targets because they have client data.

Healthcare, financial services, any business handling sensitive information is especially at risk and often has regulatory requirements around data protection.

What it costs

Varies based on business size, industry, security practices, coverage limits. Rough ranges for small businesses:

Low-risk small business: $500-1,500/year

Medium risk (retail, professional services): $1,000-3,000/year

Higher risk (healthcare, financial): $2,000-7,500/year

Prices have gone up a lot recently because claims are increasing. Insurers are also requiring better security practices before they’ll cover you—things like multi-factor authentication, employee training, updated software.

What insurers want to see

To get good rates (or get coverage at all), insurers increasingly require:

Multi-factor authentication on email and critical systems.

Regular data backups stored separately from main systems.

Employee security training.

Updated software and security patches.

Endpoint protection on all devices.

If you can’t check these boxes you might have trouble getting coverage or face higher premiums. Good security practices reduce both your risk AND your insurance costs.

That accounting firm now

They have cyber coverage, obviously. Also completely overhauled their security. Multi-factor on everything. Regular backups to offline storage. Employee training quarterly. Hired a managed IT service.

Cost them money upfront but they’re way less vulnerable now. Insurance company actually lowered their renewal premium because of the improvements.

Liability keeps pecking at the window which is distracting but the point is cyber risk is real for small businesses. You’re not too small to be targeted. You’re actually the perfect size to be targeted. Cyber insurance is increasingly essential, not optional. Check if your current coverage includes cyber. If not, get quotes. The cost of coverage is nothing compared to the cost of a breach.

Sarah Chen

Sarah Chen is a former insurance claims adjuster (2015-2021) based in Portland, Oregon. After six years of seeing preventable insurance mistakes, she started All Insurance FAQs to help people actually understand their policies before they need to file a claim. When she's not writing, she's probably arguing with her backyard chickens.
