
Cyber Insurance for Small Business in 2026: What It Costs and What It Actually Covers

What cyber insurance costs for a small business in 2026, what it actually covers, and the technical controls insurers now demand for coverage and competitive pricing.


Cyber insurance in 2026 is not what it was three years ago. Premiums have stabilised after the market-wide repricing of 2020–2023, but in exchange, underwriting has become much stricter. Insurers now demand specific technical controls before they’ll write a policy, and policy wordings have quietly tightened in ways that can turn a headline £2M policy into a claim denial if you haven’t paid attention.

For a small business, the practical question is no longer “should I buy this?” — the answer is almost always yes, and a rising share of UK SMBs (62% in 2025, up from 49% the previous year) have arrived at the same conclusion. The real questions are: what should it cost, what should it cover, and what does the insurer actually expect you to have in place before they’ll pay out?

This guide answers those. It’s not an insurance brochure. We don’t sell policies and we don’t take affiliate commissions on cyber insurance products. The recommendations here reflect what actually matters when a policy gets claimed against — which is when most buyers discover, too late, what they were really paying for.

What you’re actually buying

Cyber insurance is two policies bundled together, and both halves matter.

First-party coverage pays for your losses. Forensic investigation costs, system restoration, data recovery, business interruption during downtime, ransom payments (where allowed and covered), notification costs for affected customers, PR and crisis management, and credit monitoring for anyone whose data was exposed. This is the part that matters most for a small business, because the direct costs of even a modest breach routinely run into five or six figures.

Third-party coverage pays for claims made against you. When a customer sues because their data was exposed, when a regulator fines you for a GDPR or HIPAA breach, when a vendor takes action because their systems were compromised through your access — third-party coverage handles the legal defence and settlement costs.

For most small businesses, first-party costs dwarf third-party costs. A ransomware attack that takes your systems offline for a week will cost you in operational disruption, restoration work, and lost revenue long before any third party files a claim. This matters when comparing policies: some cheaper policies have generous third-party limits but skimp on first-party business interruption coverage, which is exactly backwards for an SMB risk profile.

What it costs in 2026

Pricing stabilised in 2024 and has remained relatively flat through 2026. The market-wide rate increases of 50–100% seen during 2021–2022 are over; typical year-over-year increases now run 5–15% and are driven primarily by claims history and control posture.

Here’s what a small business actually pays:

UK market. A typical UK small business can expect £1,000–£3,000 annually for a £1M aggregate limit. Hiscox pricing for small businesses starts around £5.30 per month for basic liability bundles, with standalone cyber coverage typically running £60–£200 per month depending on revenue, industry, and controls. Lower-risk industries (consultancies, professional services with limited data handling) sit at the bottom end of that range; higher-risk industries (healthcare, legal, financial services, anything storing significant PII) sit at the top.

US market. US small businesses pay more on average. MoneyGeek’s 2026 analysis puts the median SMB cyber premium at $83 per month ($999 annually) for a $1M aggregate limit, while Insureon reports a median of $134 per month ($1,609 annually) across its small business customer base, with 38% paying under $100 monthly and 33% paying $100–$200. The split between those figures reflects the difference between minimum-viable coverage and practical coverage — if you’re looking at policies at $40 per month, check the exclusions very carefully before buying.

What drives your specific price. The biggest factors are industry (tech and IT firms pay roughly 88% above the national average in the US because of higher exposure and E&O overlap; recreation and non-data-handling businesses pay 38% below), revenue, the amount and type of sensitive data you handle, and — increasingly — your security controls. Missing basic controls like MFA or EDR can add 25–50% to your premium or disqualify you entirely. The same controls, properly evidenced, can knock 10–20% off.

Coverage limit | Typical UK annual premium | Typical US annual premium | Fits which business
£/$500,000 | £500–£1,000 | $500–$900 | Micro-businesses with limited PII, under £250k revenue
£/$1,000,000 | £1,000–£3,000 | $1,000–$2,500 | Standard small business baseline, 10–50 staff
£/$2,500,000 | £2,500–£5,500 | $3,500–$6,500 | Mid-sized firm, regulated industry, or significant data holdings
£/$5,000,000 | £5,000–£10,000+ | $6,500–$10,000+ | Growing firm, high data volumes, significant third-party exposure

These are indicative ranges. Actual quotes vary substantially based on industry, claims history, and control posture.

The controls insurers now require

This is the single most important thing to understand about modern cyber insurance: the policy wording assumes you have specific controls in place, and if you don’t, your claim can be denied regardless of what the coverage limit says.

Insurers call these “baseline requirements,” “minimum controls,” or (in the cynical but accurate phrasing) “failure-to-follow conditions.” They vary slightly between carriers, but the consensus list in 2026 looks like this:

Multi-factor authentication. Required on all remote access, all email, all privileged accounts, and increasingly on all accounts period. MFA is recommended by CISA as one of four core security controls for small businesses, and most insurers will decline to quote at all without it. If you claim MFA is enabled and it wasn’t active during the incident, expect claim denial under the failure-to-follow clause.

Endpoint detection and response (EDR). Real EDR — not just antivirus — on all endpoints. Insurers increasingly recognise the distinction and will either require EDR outright or price policies to reflect the difference. Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Sophos Intercept X, and Huntress all count.

Tested, immutable backups. This is the control that’s quietly tightened the most. Insurers want backups that are separated from production, immutable during their retention window, and actually tested for restoration. A backup you’ve never restored from doesn’t satisfy most carriers in 2026. We go deeper on this in our immutable backup guide, which also covers which specific backup products insurers explicitly recognise.

Privileged access management (PAM). Required at larger SMB scale (typically 50+ employees) and increasingly expected at smaller scale too. For a micro-business this may just mean “admin accounts are separate from daily-use accounts and are only used for admin tasks”; for a growing small business it typically means a vaulted credential solution.

Security awareness training. Regular, documented, phishing-simulation-inclusive training for all staff. Once-a-year onboarding slide decks no longer count.

Patch management. Evidence of a patch management process. For small businesses this can be as simple as “automatic updates enabled and documented monthly review of critical infrastructure patches.”

Email security. Inbound filtering (either via Microsoft 365 / Google Workspace defaults or a dedicated tool), DMARC enforcement on your outbound email, and in some cases advanced anti-BEC tooling.

These aren’t marketing requirements. They’re in the policy wording. Before you sign anything, read what your carrier considers baseline — and verify honestly that you have it. If you’re missing pieces, the small business cybersecurity checklist covers the full stack insurers now expect.
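A worked check for the DMARC enforcement item above, as an added example rather than code from the guide: it parses the value of a domain's _dmarc TXT record and reports whether the policy is actually enforcing (p=quarantine or p=reject at pct=100, with subdomains not opted out via sp=none), which is what the "DMARC enforcement" question on a cyber questionnaire really asks. The sample records are constructed and the domains are placeholders.

```python
"""Assess whether a DMARC TXT record meets the enforcement bar insurers ask about.
Added example, not code from the original guide; it parses the _dmarc.<domain> TXT
value and flags why a record falls short. All sample records are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    enforcing: bool
    policy: str | None
    pct: int
    issues: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict (keys lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Enforcing means p=quarantine/reject applied to 100% of failing mail, subdomains included."""
    tags = parse_dmarc(record)
    issues: list[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("missing or invalid v=DMARC1 tag; receivers ignore the record")
    policy = tags.get("p")
    if policy is None:
        issues.append("no p= tag; the record is invalid")
    elif policy not in ("none", "quarantine", "reject"):
        issues.append(f"unknown policy p={policy}")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
        issues.append("pct= is not an integer")
    if pct < 100:
        issues.append(f"pct={pct}: only that share of failing mail gets the policy applied")
    sp = tags.get("sp")
    if sp == "none" and policy in ("quarantine", "reject"):
        issues.append("sp=none leaves subdomains unenforced, a common spoofing route")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to evidence the control")
    enforcing = policy in ("quarantine", "reject") and pct == 100 and sp != "none"
    return DmarcAssessment(enforcing, policy, pct, issues)
```

Run it against your own record (for example the output of `dig +short TXT _dmarc.yourdomain`) before answering the questionnaire; a record that scores `enforcing=False` is the one an insurer will treat as not having the control.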

Coverage traps to watch for

Policies vary more than they should, and the differences matter. These are the five areas where cheap policies most commonly leave you exposed.

Social engineering fraud

When an attacker convinces an employee to wire money to a fraudulent account — the classic CEO-fraud pattern, or the modern deepfake-voice variant — many standard cyber policies exclude the loss. Social engineering fraud is typically offered as an endorsement (add-on) rather than core coverage, and the sub-limits are often much lower than the headline policy limit. If your business does anything involving outgoing payment instructions (which is almost all businesses), check this specifically. You want the endorsement, and you want a sub-limit that actually matches your exposure.

Dependent business interruption

When the outage isn’t yours — it’s your cloud provider’s, your SaaS tool’s, your payment processor’s — standard business interruption coverage may not trigger. Dependent business interruption (sometimes called contingent business interruption) handles this scenario, and it matters more than most SMBs realise. Modern small businesses depend on Microsoft 365, Google Workspace, Stripe, Xero, HubSpot, and a dozen other services, any of which could be the source of multi-day downtime. If your policy doesn’t cover dependent interruption, you’re exposed to the single largest category of modern cloud-era outages.

Ransomware payments and negotiation

Some policies exclude ransom payments entirely. Others cover them but cap reimbursement at a small percentage of the policy limit. Others cover payment but require carrier pre-approval of any negotiation, which effectively means the carrier’s panel firms handle the negotiation (usually a good thing for the insured — they negotiate better than you will). Know which model your policy uses before you need it.

Also worth checking: does the policy cover legitimate sanctions-compliance costs? US OFAC and UK sanctions regimes have made payment to certain ransomware groups either illegal or severely restricted, and proper sanctions screening is now a standard part of any negotiation.

War and nation-state exclusions

Following the NotPetya attacks and subsequent insurance litigation, most modern policies include war-exclusion language that could (in theory) be invoked to deny claims from nation-state-attributed attacks. This has become a material concern with the rise in nation-state activity against Western infrastructure. Lloyd’s-syndicate policies have been particularly active in tightening this language; check what your carrier’s war exclusion actually says and whether there’s any carve-out for “cyber terrorism” or unattributed attacks.

Claims notification timelines

Policies typically require notification within a specified window — often as short as 48–72 hours — of discovering an incident, and some require the use of the carrier’s panel incident response firms for coverage to apply. Missing the notification window or using your own IR firm without pre-approval can void coverage. Put the carrier’s incident hotline in your incident response plan and call it before you call anyone else.

Which carriers are worth considering

The SMB cyber insurance market has three broad groups of carriers worth knowing.

Specialist cyber carriers include Coalition, At-Bay, Cowbell, and CFC Underwriting. These firms built their businesses around cyber insurance specifically and tend to have the most sophisticated underwriting, the clearest requirements, and often bundled risk-management services (vulnerability scanning, tabletop exercises, pre-incident hardening support). Coalition and At-Bay in particular provide active monitoring as part of the policy, which both reduces your premium over time and acts as an early-warning system. CFC Underwriting has strong UK presence and is often the specialist carrier of choice for UK SMBs working through brokers.

Traditional insurers with cyber lines include Hiscox, Beazley, AIG, Chubb, Travelers, and Zurich. Hiscox in particular has deep SMB penetration in both the UK and US markets — it covers more than 480,000 UK businesses with policies starting around £5.30 per month for bundled small business insurance and scaling up to £10M limits, and the cyber-specific product is solid if not as feature-rich as the specialists. The traditional insurers tend to be easier to bundle with your broader business insurance and are more established, which matters for some procurement processes.

Package products are cyber coverage bundled into a general business owner’s policy (BOP) or small business package. These are often the cheapest option for very small businesses and tend to have lower limits (£100k–£500k), fewer bells and whistles, and less sophisticated underwriting. For a micro-business with minimal data exposure, they can be adequate. For anything above that, standalone cyber coverage from a specialist carrier is usually better value.

Carrier type | Examples | Strengths | Weaknesses | Fits which buyer
Specialist cyber | Coalition, At-Bay, Cowbell, CFC | Sophisticated underwriting; active monitoring; panel IR firms; deep sector expertise | Stricter control requirements; premium pricing for weak controls | 10–250 employee SMBs with meaningful data exposure
Traditional with cyber line | Hiscox, Beazley, Chubb, Travelers | Easy to bundle; established claims handling; broad UK/US presence | Coverage less feature-rich than specialists; less proactive services | SMBs wanting one broker, one relationship
Package / BOP bundled | Various | Cheap; simple purchase; zero friction | Low limits; basic coverage; limited incident response | Micro-businesses under 10 staff with minimal data holdings

How to actually buy a policy

Through a broker, not direct. For anything above the smallest package product, work with a specialist broker. Cyber policies are complex and the cheapest direct-purchase policy is rarely the best fit. A good broker will place you with the carrier that best matches your risk profile and will negotiate on exclusions. Pick one with genuine cyber specialisation — not a general commercial lines broker for whom cyber is an afterthought.

Prepare your application honestly. The application form (often called a “cyber questionnaire” or “ransomware supplemental”) asks detailed questions about your security controls. Answer them accurately. Over-claiming controls you don’t have is a route to policy rescission or claim denial. Under-claiming controls you do have costs you money. If you’re not sure about a specific control, ask your IT provider to confirm before you answer.

Get three quotes minimum. Pricing varies significantly between carriers for the same risk, and the quotes will reveal which carriers are currently aggressive in your industry and which are pulling back. If one quote is dramatically cheaper than the others, that’s often a signal that the coverage is thinner rather than that you’ve found a bargain.

Review annually, not passively. Cyber insurance is not a renew-and-forget purchase. Revenue growth, new service lines, new systems, new regulatory exposure — any of these can move your risk profile in ways that matter at renewal. Set a diary reminder 60 days before renewal to reassess coverage and shop the market.

Frequently asked questions

Is cyber insurance mandatory?

No, it’s not legally required in either the UK or US for most businesses. Some client contracts (particularly with government, financial services, and healthcare clients) now mandate cyber insurance as a condition of doing business, and that requirement is becoming more common year-on-year. If you do B2B work at all, expect to see cyber insurance requirements appearing in client procurement questionnaires.

Will my cyber insurance pay the ransom if I get hit by ransomware?

It depends on the policy. Some policies cover ransom payments up to the policy limit; some cap ransom-specific reimbursement at a sub-limit (often 25–50% of the aggregate); some exclude ransoms entirely. All reputable policies require carrier pre-approval of any payment, both for legal/sanctions reasons and because the carrier’s panel firms can often negotiate the ransom down significantly. Read your specific policy wording — this is not an area where defaults are safe assumptions.

What’s the difference between cyber insurance and professional indemnity / tech E&O?

Cyber insurance covers losses arising from cybersecurity incidents — breaches, ransomware, business email compromise, data exposure. Professional indemnity (or tech errors and omissions) covers claims arising from failures in the professional services you provide — a software bug that causes a client loss, a consulting recommendation that turned out badly. IT firms and technology companies typically need both; most other small businesses only need cyber insurance.

Does my general business insurance (BOP) include cyber coverage?

Sometimes, at low limits. Most business owner’s policies now include some cyber endorsement, typically £50k–£250k of coverage with limited scope. For a micro-business, this may be enough. For anything above five staff or with meaningful data exposure, the bundled coverage is usually inadequate and standalone cyber insurance is the right call. Check your policy wording to see what’s actually included.

What should I do first after a breach if I have cyber insurance?

Call your carrier’s incident hotline before you call anyone else — before IT support, before law enforcement, before clients. The carrier will usually require notification within 48–72 hours, will typically assign a panel incident response firm at their cost, and may require their panel firms to be used for coverage to apply. After that, follow the IR firm’s guidance and your own incident response plan. A deeper walkthrough of the full post-breach sequence is covered in the broader cyber insurance 2026 guide.

Can I get cyber insurance with a prior breach?

Yes, but you’ll pay more and face more exclusions. Carriers will usually ask about any claims or incidents in the past 3–5 years. Disclose honestly — post-claim rescission is a far worse outcome than declined coverage. If your prior incident has been properly remediated with documented improvements to controls, some carriers will still write coverage, sometimes with a retroactive date excluding the prior incident.