Resources
November 2025Business8 min read

Cyber liability is no longer optional for small business

Why even a five-person firm needs a standalone cyber policy — and the coverages that actually pay out.

JR
Javier Reyes
Principal Agent

The threat model has flipped

The mental model most small business owners carry — "I'm too small to be a target" — is roughly a decade out of date. Modern ransomware is automated. Attackers run scanners that find vulnerable Exchange servers, exposed RDP, and unpatched VPNs across millions of IPs at a time. They don't care if you're a five-person dental practice or a Fortune 500. They care if your endpoint is unpatched on a Tuesday.

The 2024 IBM cost-of-a-breach study put the average cost of a small business breach (under 500 employees) at $3.31M. The median is much lower — around $120k — but the tail is brutal, and small businesses are more likely to fold within 12 months of a major incident.

What a standalone cyber policy actually covers

There are typically two halves:

First-party (your costs):

  • Forensic investigation
  • Notification to affected customers (often required by state law)
  • Credit monitoring for those customers
  • Public-relations crisis management
  • Business interruption — lost income while systems are down
  • Ransomware payment (where legally permitted) and ransom negotiation
  • Data restoration

Third-party (claims against you):

  • Regulatory fines (HIPAA, state AG, GDPR if you touch EU customers)
  • Customer lawsuits for exposed PII
  • Defense costs for the above
  • PCI fines if cardholder data is exposed

What most "endorsement" cyber coverage misses

Many general liability and BOP policies now include a "cyber endorsement" of $25k–$100k. That number sounds like real coverage. It usually isn't.

A real-world ransomware incident at a 12-person law firm we worked with last year cost:

  • $48k — forensics
  • $22k — notification + credit monitoring (2,400 affected)
  • $61k — 9 days of lost billing
  • $35k — ransom (paid via negotiator)
  • $18k — legal/regulatory response
  • = $184k total

The endorsement on their BOP would have covered $50k. The standalone policy we'd quoted (and they'd declined the prior year) had a $1M limit at an annual premium of $2,400. They write that policy now.

What we look for when placing the coverage

  • No "sub-limits" buried in the policy — full-limit forensics, full-limit ransomware, full-limit business interruption.
  • Coverage for social engineering and funds transfer fraud — wire fraud is the #1 small business cyber loss and many cyber policies exclude it unless you add the endorsement.
  • No "failure to maintain" exclusions that void coverage if the carrier decides your patching wasn't current.
  • An incident-response retainer baked in — a 24/7 number that gets a real forensic firm on a call within an hour. This alone is worth the premium.

What it costs

For most small businesses without sensitive data (under $5M revenue), a $1M policy runs $1,800–$4,500/year. Healthcare, legal, and financial services run higher. We'll quote across the three carriers we trust most for small-business cyber and walk you through the application questions (which are also a useful security checklist).

Have a question?

Talk to a licensed advisor — no sales pitch.

Send us your current dec page or just describe your situation. We'll respond within one business hour.