How Much Cyber Insurance Do I Need?

To help you in making the most informed decision possible, we cover the following topics in this article, which we recommend looking at in order:

• How Much Cyber Insurance Do I Need TLDR (Fastest)
• General Cyber Insurance Coverage Recommendations (Recommended)
• What Cyber Insurance Coverage Choices You Have
• What Determines How Much Cyber Insurance You Need
• How To Determine How Much Cyber Insurance You Need
• How You Should Use This Information For Next Steps
• The Next Steps You Should Take After Deciding Coverage

In order to give you a starting point for your decision, we analyzed the most common risks for general industry areas to give you a coverage range recommendation. Keep in mind our recommendations assume average risk profiles for claims that covers most, but not all businesses. You may need higher limits if you store large volumes of sensitive data, operate in a regulated industry like health care or finance, or rely on third-party vendors with system access.

The table below offers general coverage recommendations by industry area and some risks to consider in your area of work:

If you are comfortable with these general recommendations and want to take the next steps you can click here to move on.

When deciding how much cyber insurance you need, you'll have the following choices:

• Per-incident limit: Caps what your insurer pays for any single cyber event. If a ransomware attack costs $800,000 and your limit is $1 million, you're covered. If it costs $1.3 million, you pay the $300,000 difference.
• Aggregate limit: caps total payouts for all claims during your policy year. A business with $1 million aggregate facing three $400,000 incidents would be uninsured for the third claim, even though no single incident exceeded the per-incident cap.

These selections apply to two parts of cyber insurance which include first and third-party coverages. First-party coverage pays your direct costs: forensic investigation, customer notification, credit monitoring, public relations, ransom payments and lost income during downtime.

All limit selections for your cyber insurance coverage are for first-party and third-party risks which are separated out in a policy. Most policies bundle both under a single aggregate limit, but this can differ depending on the provider.

So, you understand what risks you'll be covering in reference to limit selections, we've broken down what each provides in terms of protection.

Your industry baseline is a starting point, not a final answer. Two consulting firms can have very different coverage needs: one stores basic contact information for a dozen clients, while another holds tax records and financials for hundreds. One retailer processes 5,000 card transactions a year; another processes 500,000. These differences matter more than industry alone.

The factors below push your coverage higher or lower. Not all will apply to your business, but the ones that do can shift your needs substantially.

Most businesses can choose coverage using the industry baselines and adjustment factors above. But if you want a more precise figure, or if your situation doesn't fit neatly into one industry, this calculation method gives you a defensible number based on your actual exposure.

The goal is to estimate what a serious breach would actually cost, then size your coverage to match.

The right coverage amount isn't fixed. Your needs shift as your business grows, data footprint expands and threats evolve. A limit that works today may fall short if you add product lines, enter regulated markets or onboard enterprise clients. Treat your calculation as a living assessment. Revisit annually, after major changes and at each renewal.

Your floor: The minimum required by contracts, or your industry baseline if contracts don't specify

1. Your ceiling: How much protection you want above the minimum

Most small businesses should carry at least $500,000. If you store sensitive data, work in a regulated industry or serve enterprise clients, $1 million to $2 million is safer.

If you're unsure, start with $1 million. The premium difference is usually modest, and you can adjust at renewal once you understand your actual exposure. It's far better to have slightly more coverage than to discover you're underinsured after a breach.

Revisit your coverage annually and after major changes: new product lines, acquisitions, entering regulated markets or significant data growth.

If you skipped to this section or want a quick refresher, these are the questions business owners ask most often about cyber insurance limits.

You've identified how much coverage you need. Now comes the part where most business owners make mistakes: buying the first policy they find or choosing based on price alone. Cyber insurance varies more than most business coverage, both in what's included and what's excluded. A cheap policy with a social engineering exclusion can leave you unprotected against the most common attack in your industry.

Take these steps before you buy.

If you're still deciding whether you need cyber insurance:

• What Does Cyber Insurance Cover?
• Do I Need Cyber Insurance?

If you're ready to compare options:

• Best Cyber Insurance for Small Businesses

Before you buy:

Audit your data. Inventory customer records, employee data, payment information and vendor access. Accurate application answers prevent claim disputes.

Get three quotes. Pricing varies widely. A $12,000 policy from one carrier might cost $7,000 from another. Compare terms, exclusions and deductibles alongside price.

Review exclusions. Common cyber exclusions include acts of war, unencrypted devices, unpatched vulnerabilities and social engineering. Ask which can be removed through endorsements.