BestGuide is reader supported and may earn affiliate commission. Learn More.

X Compensation, along with the company's reviews, determines which of the qualified companies we recommend as well as the order by which the companies appear. Learn More.

AD  

biBerk

Small business coverage from Berkshire Hathaway, starting at $27.50/mo.

Cybersecurity Now Top Business Insurance Risk: What To Know

US data breaches now cost a record $10.22 million on average, and 81% of small businesses suffered a breach last year. Here's what standalone cyber coverage actually pays for, and what to compare beyond premium.

Krystine Carneiro's Photo

By Krystine Carneiro

Journalist

Fact Checked

Published on June 26, 2026

Updated on June 26, 2026

Key Takeaway
Cyber incidents have overtaken property damage and business interruption as the leading threat driving demand for business insurance. As of 2026, nearly every US business faces a gap unless it reviews standalone cyber coverage, hardens its risk profile, and compares insurers’ incident-response resources, not just premium costs.

If you run a business, you have likely spent years worrying about fire, flood, or a supply-chain breakdown. Those risks still matter. But the risk landscape has shifted. Cyber incidents rank #1 in the Allianz Risk Barometer 2026 for the fifth consecutive year, scoring 42% of responses, the highest score in the survey’s 15-year history. AI emerged as the second-biggest concern, jumping from #10 to #2 in a single year, while business interruption, the top business risk for over a decade, dropped to #3 for the first time. For a US owner, that shift changes what a smart business insurance review looks like: you can no longer assume general liability or a property policy has you covered.

This post explains why cybersecurity has become the top business insurance concern, how coverage is changing, what typical policies include (and exclude), and how to evaluate a provider so your company is protected against the most expensive risk class facing American businesses today.

Open laptop on wooden desk displaying a red triangular cybersecurity warning alert in a small business office

Cyber incidents now rank as the #1 business risk for the fifth straight year, with the average US data breach reaching a record $10.22 million in 2025.

Why cyber risk has become the top business insurance concern

Two forces collided. First, the dollar cost of breaches kept climbing. IBM’s 2025 Cost of a Data Breach Report pegged the global average at $4.44 million, with US breaches reaching a record $10.22 million, the highest in IBM’s 20-year tracking history. The US is one of the few regions where average breach cost rose year over year, driven by tougher regulatory fines, slower detection times, and the rising cost of legal defense. Second, small and mid-size businesses are no longer flying under the radar. Automated attacks scan every IP address, and ransomware gangs target companies with under 100 employees because they often lack dedicated security staff.

The Identity Theft Resource Center’s 2025 Business Impact Report, released in December 2025, found that 81% of small businesses suffered a security breach, a data breach, or both in the past year. The same survey found that 62.5% of breached small businesses reported a total financial impact above $250,000 once lost revenue, remediation, and fines were tallied. The result: insurers now view cyber exposure as a primary underwriting factor, not an optional add-on.

How business insurance is evolving to meet the threat

The traditional property-casualty framework was never designed for intangible losses like data restoration, notification costs, or reputational harm. In response, carriers rapidly expanded standalone cyber liability policies. By 2024, the US cyber insurance market reached $9.14 billion in direct written premiums with about 4.37 million active policies, according to the National Association of Insurance Commissioners (NAIC) 2025 Cybersecurity Insurance Report. That marked the first ever year-over-year decline in cyber direct written premiums, down 7% from 2023, as pricing softened in a more competitive market with multiple new carrier entrants. Even with that decline, the number of active cyber policies remained essentially flat, indicating demand has not weakened.

Those policies typically bundle first-party coverages (forensic investigation, business interruption from a network outage, ransomware payments, data recovery) with third-party protections (legal defense, regulatory fines, customer notification). Meanwhile, many general liability and property forms now explicitly exclude cyber-related losses, making a separate cyber policy the only reliable way to avoid a coverage gap.

What a strong cyber policy includes, and what it may not

Every business owner should understand the six core components that appear in a well-built standalone cyber policy:

  • Incident response and forensic investigation
  • Business interruption and extra expense during a system outage
  • Data restoration costs
  • Ransom negotiation and payment (subject to strict OFAC compliance)
  • Legal defense and regulatory defense (state attorneys general, FTC, HHS/OCR for healthcare)
  • Notification and credit-monitoring for affected individuals

A genuine limitation to know: many policies contain strict “war exclusion” or “nation-state actor” clauses that may limit coverage if an attack is attributed to a foreign government. Also, pre-breach security gaps such as unpatched systems or missing multi-factor authentication can lead to denial of a claim if the insurer’s application misrepresented the company’s controls. Always read the “retroactive date” and “prior acts” provisions carefully.

Evaluating an insurer beyond the premium number

Price is easy to compare. The harder, more important task is vetting the carrier’s incident-response ecosystem. Ask these questions when you sit down with a broker or agent in 2026:

Evaluation Factor Why It Matters
Pre-approved incident response panel The insurer should have vetted legal counsel, forensic firms, and crisis communicators; you want the panel, not a slow reimbursement process.
Breach coaching included A dedicated breach coach guides you through regulatory notification deadlines and evidence preservation.
Ransomware supplemental endorsement Standard policies may sublimit ransomware; look for an endorsement that restores full limits.
Social engineering fraud coverage Business email compromise causes losses that some cyber forms exclude; a social engineering rider is critical.
Carrier financial strength rating Check AM Best ratings; a cyber carrier with weak reserves may tighten claims handling when a broad event triggers many losses.

Also, ask the carrier how many cyber claims it handled in the last 12 months. An insurer with substantial claim volume is more likely to have refined its adjustment process, though a newer entrant may offer more flexible underwriting.

The cost drivers in 2026

Cyber insurance pricing has moderated significantly from the steep increases of 2021 and 2022. According to data from the Council of Insurance Agents and Brokers (CIAB), cyber insurance pricing has been flat to decreasing in 2025 and into 2026, with the Q4 2024 CIAB index showing an average price decrease of roughly 1.6% as more carriers entered the market and competition intensified for well-controlled risks. A retailer with point-of-sale systems will pay more than a professional-services firm of similar size, and pricing remains sensitive to a company’s security posture.

The three biggest cost drivers today: multi-factor authentication adoption, the presence of endpoint detection and response (EDR) tools, and the frequency of employee security training. Insurers routinely ask for screenshots of admin panels. Companies that cannot demonstrate those basics face higher premiums or a flat declination.

Steps to take before you buy or renew business insurance

  1. Complete a cybersecurity self-assessment. The FTC’s Cybersecurity for Small Business portal and the NIST Cybersecurity Framework offer free, actionable checklists. Insurers reward documented assessments with lower rates.
  2. Separate cyber coverage from your package policy. Even if your business owner’s policy (BOP) offers a cyber endorsement, the sublimits are often capped at $50,000, which barely covers notification costs for a modest breach.
  3. Collect your data-breach response plan. A written incident response plan is now a standard application requirement for most standalone cyber policies. If you do not have one, many insurers offer a template.
  4. Work with a broker who specializes in cyber. Generalist agents may not understand how “regulatory defense” sublimits interact with a state’s data-breach notification law. A specialist helps match coverage to your actual data exposure.
  5. Revisit limits annually. As your company grows and collects more personal information, the cost of a breach scales. Make certain your limit keeps pace with the size and sensitivity of the data you handle.

The bottom line

  • Cyber incidents are the #1 business risk in the Allianz Risk Barometer 2026 for the fifth consecutive year, with the highest score in the survey’s 15-year history.
  • IBM’s 2025 Cost of a Data Breach Report shows the average US breach now costs a record $10.22 million.
  • Most general liability and property policies now exclude cyber losses, making standalone cyber coverage the primary mitigation tool.
  • Effective evaluation means looking past the premium to the insurer’s breach response panel, sublimits, and social engineering endorsements.
  • The pandemic-era pricing spikes have cooled, but premiums remain tied to verifiable security controls like multi-factor authentication and EDR.
  • One clear limitation: nation-state actor exclusions and pre-existing vulnerability clauses can leave a company uncovered even with a policy in force, so honesty on the application is essential.
  • Small and mid-size firms gain significant negotiating leverage by completing the FTC or NIST security framework before approaching an insurer.

BestGuide Buyer’s Guide

Compare Business Insurance

We compared the top business insurance providers on the factors that matter. See our ratings and find your best fit.

Compare Top Picks

Frequently asked questions

Does a standard business insurance policy cover ransomware attacks?
Almost never in 2026. General liability and property policies have added broad cyber exclusions. Ransomware is covered under a standalone cyber liability policy or a carefully crafted endorsement; review sublimits for ransom payments carefully.

How much does cyber business insurance cost for a small company?
For a firm with under $1 million in revenue and strong security controls, annual premiums typically range from $1,000 to $2,400, with the median around $1,500, according to 2026 broker benchmarks. Businesses with sensitive data (healthcare, financial services) or weak controls can see costs above $5,000.

What is the difference between first-party and third-party cyber coverage?
First-party coverage pays for your direct losses, such as data restoration, business interruption, and extortion payments. Third-party coverage responds to claims from people or regulators who were harmed because your systems were breached, including legal defense and settlements.

Can I buy cyber insurance if I have already had a breach?
Yes, but expect a more intensive underwriting process and possibly a higher premium. The carrier may ask for documentation showing you remediated the vulnerability and may impose a waiting period or a higher retention for future incidents.

What happens if my insurer finds out I misrepresented my security controls on the application?
The insurer can deny a claim and could rescind the policy entirely. In some states, regulators have affirmed that material misrepresentation on a cyber application is grounds for rescission even if the misstatement was unintentional.

How do I know if my state requires cyber insurance?
No US state explicitly requires private businesses to carry cyber insurance as of 2026, but several state data-breach notification laws and sector-specific regulations (HIPAA, GLBA) effectively make liability coverage a practical necessity for managing notification and defense costs.

Related BestGuide reviews:

Krystine Carneiro's Photo

Krystine Carneiro

Journalist

More: Best Business Insurance Companies