Cyber Insurance for Small Business in 2026: What It Covers, What It Won't, and How to Lower Your Premium

Here is the version of this conversation I have every few months: a small business owner calls after they have already signed their renewal quote, and we spend twenty minutes identifying three or four security gaps that, if fixed before underwriting, would have saved them $800 to $1,200 a year on their premium. Sometimes the gaps are bad enough that they should not have qualified for the policy they signed, which creates a worse problem — a claim gets denied because the application understated the security environment.

Cyber insurance is not complicated once you understand what it is actually insuring against and what underwriters are actually looking for. Here is a clear-eyed walkthrough.

What cyber insurance actually covers

A cyber liability policy is structured around two main coverage buckets. First-party coverage pays for your own costs when you are breached. Third-party coverage pays when a breach at your business causes harm to someone else.

First-party coverage typically includes:

  • Incident response and forensics. When an attacker is in your systems, you need a forensic team to figure out what happened, when it happened, what was accessed, and how to stop it. A ransomware investigation by a qualified incident response firm costs $15,000 to $75,000 depending on the scope. Cyber insurance pays for that team.
  • Ransomware and extortion payments. Most policies cover ransom payments up to your policy limit, with important conditions covered in the FAQ below. The insurer also provides a ransomware negotiation service that typically reduces the actual payment significantly.
  • Business interruption losses. If your systems are down and you cannot operate, business interruption coverage replaces lost revenue during the outage, typically after a short waiting period of 8 to 12 hours.
  • Breach notification and credit monitoring. Every US state has breach notification laws requiring you to notify affected customers within a defined window. A breach affecting 500 customers requires notification letters, a call center to handle inquiries, and often 12 months of credit monitoring. These costs add up fast. Cyber insurance covers them.

Third-party coverage typically includes: regulatory defense costs and fines from bodies like the California AG or HHS (for HIPAA-covered entities), customer lawsuits stemming from their data being exposed, and payment card industry (PCI) fines if cardholder data was compromised.

What cyber insurance does not cover — and where claims get denied

Understanding the exclusions matters as much as understanding the coverage. The most common reasons small business cyber claims get reduced or denied:

Pre-existing breaches. If an attacker was in your systems before your policy effective date and you did not know it — which is the norm in sophisticated intrusions — many policies will dispute coverage for the resulting damage. This is one reason having an MDR or SIEM solution matters: it creates a documented record that you were actively monitoring and had no evidence of intrusion at binding.

Ignoring known vulnerabilities. If your systems were breached through a vulnerability that had a public patch available for more than 30 to 60 days, some insurers treat this as negligence and reduce or deny the claim. This is increasingly common as insurers get smarter about breach causation analysis. A managed patching program directly addresses this exposure.

Social engineering fraud. Business email compromise — where an attacker impersonates a vendor or executive to trick an employee into wiring money — is often excluded from the main cyber policy or sub-limited to $25,000 to $100,000. BEC losses routinely exceed those limits. Some insurers offer a separate crime or fraud rider; ask specifically about social engineering when you are shopping coverage.

Paying ransom before notifying the insurer. This is the most avoidable denial reason and it happens regularly. The policy requires you to notify your insurer before taking material steps including ransom payment. Paying first and filing later is grounds for claim reduction or denial. If you get a ransomware notice, the second call you make after calling your IT provider should be to your cyber insurer.

The security controls that actually move your premium

Cyber underwriting has matured significantly since 2019. Insurers are no longer accepting self-reported answers without verification, and the application questionnaire now reads more like a security audit than an insurance form. The controls that consistently determine whether you qualify and what you pay:

Multi-factor authentication on email and remote access. This is non-negotiable at most carriers. No MFA on Microsoft 365 or Google Workspace means either a flat decline or a 20 to 30 percent surcharge. MFA on remote desktop or VPN access gets weighted almost as heavily. If you have not enforced MFA across your organization, do it before you renew or shop coverage.

Endpoint detection and response on all managed devices. Traditional antivirus is no longer sufficient for underwriting purposes. Most carriers now distinguish between legacy AV and behavior-based EDR (tools like SentinelOne, CrowdStrike, or Microsoft Defender for Business at the right configuration tier). EDR on all company-owned and managed devices is a hard requirement at most carriers writing SMB policies in 2026.

Offsite and tested backups with documented recovery time objectives. The backup question on the underwriting application now asks three things: are you backing up, are backups stored somewhere the ransomware cannot reach, and have you actually tested a restore. Answering yes to all three and having documentation to prove it can reduce your premium meaningfully. Answering no to any of them flags you as a higher-risk account.

Email authentication — DMARC, DKIM, and SPF. Phishing is the entry point for the majority of claims. Insurers ask about email authentication because it is a cheap, verifiable control that reduces phishing success rates. Having DMARC at reject or quarantine policy, DKIM configured, and SPF records in place is increasingly treated as a baseline rather than a bonus.
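As an added example (not code from the original article), here is a small Python check that evaluates SPF, DMARC and DKIM TXT records against the baseline just described: SPF present with a meaningful terminating mechanism, DMARC at quarantine or reject with full enforcement and reporting, and a DKIM selector record that actually carries a key. The record strings and domain names are constructed for illustration, and the DNS lookup step is left out so it runs offline.

```python
def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM key) into a dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in txt.split(";") if "=" in p)}

def parse_spf(txt):
    """Return the SPF terms after v=spf1, or None if the record is not SPF."""
    terms = txt.split()
    return terms[1:] if terms and terms[0].lower() == "v=spf1" else None

def assess_email_auth(spf_txt, dmarc_txt, dkim_txt=None):
    """Return underwriting-style findings; an empty list means the baseline is met."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        # The final 'all' mechanism decides what happens to senders not listed.
        alls = [t.lower() for t in spf if t.lower().lstrip("+-~?") == "all"]
        if not alls:
            findings.append("SPF: no terminating 'all' mechanism")
        elif alls[-1] in ("all", "+all"):
            findings.append("SPF: '+all' authorizes every sender, so the record is meaningless")
    dmarc = parse_tags(dmarc_txt) if dmarc_txt else {}
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record at _dmarc.<domain>")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or '(missing)'} is monitor-only; expect quarantine or reject")
        pct = dmarc.get("pct", "100")  # pct<100 enforces the policy on only part of failing mail
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} leaves some failing mail unenforced")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= aggregate report address, so failures go unseen")
    # DKIM: a selector record with an empty p= tag is a revoked key, not a working one.
    if dkim_txt is not None and not parse_tags(dkim_txt).get("p"):
        findings.append("DKIM: selector record has no public key (p= is empty)")
    return findings

# Constructed sample records for a fictional domain (not real DNS data).
WEAK = ("v=spf1 include:_spf.mailhost.example ~all", "v=DMARC1; p=none", "v=DKIM1; k=rsa; p=")
STRONG = ("v=spf1 include:_spf.mailhost.example -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.test", "v=DKIM1; k=rsa; p=MIGfMA0GCSq")

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess_email_auth(*recs) or ["email authentication baseline met"])
```

To use it against a live domain, pull the TXT records for the apex, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` with your resolver of choice and pass the strings in.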

Having a managed IT provider maintain these controls is something underwriters specifically ask about in the application. Being able to answer "yes, we have a managed service provider who monitors our endpoints, maintains our patching cadence, and manages our backup verification" places your application in a lower risk tier. The premium savings on a $2,000 annual policy often come close to covering the incremental cost of the managed IT engagement itself.

FAQs about cyber insurance for small business

Does my general liability policy cover a cyberattack?

Almost certainly not. Standard GL policies explicitly exclude electronic data loss, system outages from hacking, and third-party breach notification costs. Some older policies have a partial data-compromise endorsement capped at $10,000 to $25,000 — far below the average SMB breach cost of $120,000 to $200,000. A standalone cyber liability policy is the only reliable way to transfer that risk.

What security controls do insurers require in 2026?

The consistent requirements are: MFA on email and remote access, EDR on all managed endpoints, tested offsite backups with documented recovery objectives, a patching policy that closes critical CVEs within 30 days, and email authentication (DMARC/DKIM/SPF). Some insurers also ask about privileged access controls and employee security awareness training. Missing MFA on email is the fastest path to either a decline or a 20–30% premium surcharge.

What is a reasonable cyber insurance premium for a small business?

For a 5-to-50 person business with solid controls and no prior claims, annual premiums typically run $1,500 to $4,000 for $1 million in coverage. Businesses with prior claims, weak controls, or high-risk industries (healthcare, legal, financial services) pay more. The biggest premium levers you control are MFA enforcement, tested offsite backups, and a documented incident response plan. An MSP managing those controls often moves you into a lower risk tier.

Will cyber insurance pay out if I paid a ransom?

Most policies cover ransom payments, but only if you notify the insurer before paying. Paying first and filing later is a common reason claims get denied. Many policies also require using the insurer's approved ransomware negotiation service and screening the payment against OFAC sanctions lists. Engage your insurer at the first sign of a ransomware incident, before any decisions are made.

Want to know if your current security posture qualifies you for better cyber insurance rates?

30 minutes with a DoD-cleared engineer. We will review your MFA status, backup architecture, EDR coverage, and email authentication, identify what underwriters will flag on your next application, and give you a clear picture of what to fix before you renew — and what that fix would cost compared to the premium savings.

Book your free security assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.