Key Takeaways
- Standard business policies don’t cover cyber losses. General liability and commercial property insurance leave data breaches, ransomware, and hacking costs completely uncovered.
- The average U.S. data breach now costs $10.22 million. IBM’s 2025 report found U.S. businesses face the highest breach costs in the world — a record high driven by regulatory fines and slower detection.
- Small businesses are the primary target. Allianz found ransomware was behind 88% of SMB data breaches in the first half of 2025, compared to 39% at large companies.
- Three types of coverage handle different risks. First-party protects the business directly, third-party handles lawsuits from affected customers and partners, and cyber crime coverage protects against financial theft and fraud.
- Coverage requirements depend on the industry. Healthcare, financial services, and retail face stricter rules, but most businesses handling customer data benefit from at least a basic policy.
What Is Cyber Insurance and How Does It Work?
Cyber attack insurance covers what happens when a hacker hits a business. It pays for the costs that follow — the legal bills, the cleanup, the customer notices, and the lost income while systems are down. Actsphere’s cyber insurance team helps Texas business owners figure out where their current coverage stops and where this kind of policy takes over.
Most standard policies don’t touch cyber losses at all. General liability covers injuries and property damage. Commercial property covers physical equipment. Neither one pays to notify customers their data was taken, hire a security expert to find the breach, or deal with a ransom demand. That’s what cyber coverage is for.
It works like any other business insurance policy. The business pays a monthly or annual premium. The rate depends on the industry, how much data the business holds, its revenue, and the security tools it has in place. If an attack happens, the policy pays covered costs up to the limit. The carrier also sends in a response team — lawyers, tech experts, and PR help — so the business isn’t figuring it out alone.
What Does Cyber Attack Insurance Actually Cover?
Most policies break into three parts. Each one handles a different type of loss.
First-party coverage pays costs the business takes on directly after an attack: finding out what happened and how, getting systems back online, lost income while the business is shut down, telling customers their data was affected, credit monitoring for those customers, responding to a ransom demand, fines from state or federal regulators, and public relations help.
Third-party coverage handles claims from outside the business. If a breach affects customers or partners, they may sue. This side of the policy covers legal defense, settlements, court rulings, and any formal investigations that follow.
Cyber crime coverage is the third bucket — and one a lot of small businesses don’t realize they may be missing. It handles financial theft driven by fraud. Wire transfer fraud, fraudulent payment instructions, and funds stolen through compromised email accounts all fall here. Most base cyber policies treat this as a gray area or exclude it outright. It’s usually available as an add-on, and it’s worth asking about specifically — especially in industries like construction, real estate, and professional services where large payments move by wire regularly.
The incidents covered under most policies include:
- Ransomware — Hackers lock the business’s data and demand payment to restore it. The policy covers hiring a negotiator and, in some cases, the ransom itself. Manufacturers hit by ransomware lose an estimated $1.9 million per day of downtime, and small businesses aren’t immune.
- Data Breaches — Someone gains access to customer records, payment data, or employee files. The business is then on the hook for notices, credit monitoring, and any lawsuits that follow.
- Phishing Attacks — IBM’s 2025 Cost of a Data Breach Report found phishing is now the top cause of data breaches worldwide. Fake emails or calls trick staff into giving up login details or approving bad transfers.
- Business Email Compromise — A hacker gets into a business email account and uses it to redirect payments or steal data. These attacks are common in construction, real estate, and professional services.
- System Damage and Website Attacks — Malware wrecks or corrupts systems. Denial-of-service (flood) attacks knock websites offline. Both cause downtime, and the policy covers lost income while things get fixed.
- Vendor Breaches — A supplier gets hacked and it spills into the business’s systems. Allianz found this type of attack jumped to 15% of major cyber claims in the first half of 2025.
What Cyber Insurance Does Not Cover
Knowing what’s left out matters just as much as knowing what’s in. Most policies won’t pay for:
- Breaches that happened before the policy started
- Attacks that came through a known gap the business never fixed
- An employee who stole or destroyed data on purpose
- Physical damage to hardware — that’s a property claim
- Long-term revenue lost because of a damaged reputation
- The cost of upgrading security after an attack
- System outages caused by internal errors or misconfigurations — if someone on the team makes a mistake that takes systems down, that typically isn’t covered
- Nation-state attacks and acts of war — Lloyd’s of London now requires all its syndicates to exclude losses from state-sponsored cyberattacks. Other major carriers have followed. If a foreign government is behind the attack, don’t count on the policy to respond
Social engineering fraud is still a gray area. If an employee is tricked into wiring money to the wrong account, many base policies won’t cover it. Some carriers add it on through a cyber crime endorsement for an extra fee. Ask specifically about business email compromise and fraudulent transfer coverage before signing anything — it’s a gap that surprises a lot of businesses after an incident.
The Real Cost of a Cyberattack for Small Businesses
IBM’s 2025 Cost of a Data Breach Report put the global average breach at $4.44 million. That number dropped 9% from 2024, mostly because AI tools helped companies find and stop breaches faster.
But in the U.S., costs went the other way. The average American breach hit a record $10.22 million in 2025, pushed up by higher fines and slower response times than other countries.
For small businesses, one attack can end things entirely. Allianz’s 2025 research found ransomware was behind 88% of data breaches at small and mid-size companies, compared to just 39% at large ones. Hackers target smaller businesses on purpose. The defenses are weaker, the owners are easier to pressure, and a $50,000 ransom is more likely to get paid than a demand aimed at a bigger company.
Downtime is often what breaks a small business. IBM found that for manufacturers, ransomware downtime costs up to $125,000 per hour. A three-day shutdown doesn’t just drain the bank account — it stalls orders, breaks client trust, and in some cases kills vendor deals that took years to build.
Standalone Policy or Add-On Coverage?
Most carriers offer two ways to get cyber coverage.
A standalone cyber policy gives higher coverage limits, a wider range of covered attacks, and a dedicated response team on call. It’s the better fit for businesses with lots of customer data — healthcare, legal, finance, and retail especially.
Adding cyber coverage to a Business Owner’s Policy costs less to start. It covers the basics — breach response and ransomware — and works well for service businesses with less data exposure. For most small Texas businesses, it’s a reasonable first step.
That said, BOP add-ons have limits. As the business grows or starts collecting more customer data, the coverage scope often can’t keep up. A standalone policy with higher limits and explicit cyber crime coverage makes more sense at that point. Most businesses start small and upgrade over time — the options aren’t permanent.
How Much Does Cyber Insurance Cost?
Most small businesses pay between $1,000 and $5,000 a year for a standalone cyber policy. The price depends on the type of business, how much data it holds, annual revenue, and the security tools already in use.
Businesses with stronger security pay less. Carriers look for two-step login on email and remote access, regular data backups, and staff training on phishing. A business that can show those things are in place is less risky to cover, and that shows up in the premium.
A business with no basic security in place may be declined or quoted a much higher rate. That’s one more reason to get the basics right before applying.
What Carriers Look for Before Issuing a Policy
Insurers check a few key things before writing a cyber policy:
- Two-step login (MFA) for email and remote access
- Antivirus software on all devices
- Regular backups stored off-site or in the cloud
- Basic staff training on phishing and email scams
- A written plan for what to do if an attack happens
- Software kept up to date to close known gaps
The businesses that have these in place tend to pay less and recover faster when something does go wrong. Carriers have gotten stricter about this over the last few years — some won’t even issue a quote without confirmed MFA on remote access.
Who Needs Cyber Insurance?
Any business that stores customer data, takes payments online, or uses email and computers to operate should think about this coverage. That’s most businesses in Texas.
The risk is highest for medical offices and clinics, law firms and accounting practices, retail shops and restaurants, contractors and service firms, and tech companies. Each one holds data that has real value to attackers.
The FTC notes that small businesses are among the most vulnerable targets precisely because they often lack dedicated IT staff and security resources. Smaller businesses sometimes assume they’re not worth targeting. That’s exactly the thinking that makes them easy targets — most don’t have a dedicated IT person, most don’t have a security team, and most hold more valuable data than they realize.
How the Claims Process Works
Here’s what happens after an attack with a cyber policy in place:
- Call the insurer right away. Most policies have a 24/7 line. Waiting can affect coverage.
- A response team gets deployed. The carrier sends in tech experts, lawyers, and crisis help.
- Experts figure out what happened. They trace the attack and find out what data was taken.
- Customers get notified. The team handles the legal notice process and sets up credit monitoring.
- Systems get restored. Tech teams get the business back online and close the gap that was exploited.
- The insurer reviews and pays. Covered costs get matched to the policy and paid out.
The big difference from handling it alone is that the business doesn’t have to find help under pressure.
Cyber Insurance FAQs
Q: Is cyber insurance required by law?
A: Not for most businesses, but certain industries face rules tied to data protection. Healthcare providers, financial firms, and retailers handling payment card data may face requirements. Even without a legal rule, most contracts with larger clients now require vendors to carry coverage.
Q: How much coverage does a small business need?
A: Coverage needs depend on the volume and type of data stored, revenue, and industry. Small businesses commonly start with $250,000 to $1 million in coverage. Businesses in regulated industries or those handling large amounts of customer data typically need $1 million to $5 million. An independent agent can walk through the specific exposure.
Q: Does cyber insurance prevent attacks?
A: No. Cyber insurance responds after an attack occurs. It doesn’t block hackers or secure systems. Many carriers provide risk management resources — security checks, training tools, and monitoring services — as part of the policy, but the coverage itself is for financial recovery, not prevention.
Q: What’s the difference between cyber insurance and data breach insurance?
A: Data breach insurance is one part of a broader cyber policy. It covers notices, credit monitoring, and legal costs tied to stolen personal data. A full cyber policy adds ransomware coverage, business interruption, system recovery, third-party liability, and potentially cyber crime coverage on top of that.
Q: Does general liability cover cyberattacks?
A: No. General liability covers bodily injury and physical property damage. It doesn’t apply to data breaches, ransomware, hacking, or digital asset loss. A business that assumes its existing policies cover cyber incidents is likely to find out otherwise after an attack has already happened.
Q: Can a business get coverage after it’s been hacked?
A: Coverage for prior incidents is excluded under most policies. A business that has already been breached can still apply, but the carrier will look hard at the security practices that led to the incident. Coverage for future attacks may still be available if the problems have been fixed.
Q: Will filing a claim raise rates?
A: Possibly, similar to other insurance. Carriers look at what happened and what security was in place at the time. A business that responded well and had basic controls in place typically fares better at renewal than one that had no safeguards and was slow to act.
Q: Does cyber insurance cover phishing and social engineering?
A: Phishing-related system breaches are commonly covered. Social engineering fraud — where an employee is tricked into wiring money — is sometimes excluded from base policies but can be added on through a cyber crime endorsement. Ask specifically about business email compromise and fraudulent transfer coverage when reviewing options.
Q: What security do insurers require?
A: Most carriers expect at least two-step login on remote access and email, documented backup procedures, up-to-date security software, and basic staff training on phishing. Requirements have gotten stricter in recent years — some carriers won’t issue a quote at all without confirmed MFA. Businesses without these in place may be declined or quoted much higher rates.
Q: Does a small business need a standalone policy or is a BOP add-on enough?
A: A BOP add-on is a reasonable start for businesses with low data exposure. As the business grows or enters regulated industries, the limits and scope of a BOP add-on often fall short. A standalone policy gives broader protection, dedicated response support, and more room to add cyber crime coverage — worth the added cost for higher-risk operations.
Ready to Protect Your Business from Cyber Threats?
A cyberattack can shut a business down in hours. The right coverage means you won’t face it alone — Actsphere’s team will help you figure out what you actually need and what you can skip.