Costs & Coverage March 2026

How Much Does Cyber Insurance Actually Cost?

Actual numbers, not "contact us for a quote." We'll get specific.

Most articles about cyber insurance costs give you answers like "it depends" or "$500 to $5,000 per year." That's technically accurate and completely useless. You want to know what a business like yours actually pays. So here are real numbers based on market data and our experience quoting policies in the Pittsburgh area and nationally.

Fair warning: these are ranges, not quotes. Your actual premium depends on a dozen factors we'll break down below. But these ranges are tight enough to be useful for budgeting.

What Businesses Actually Pay

These figures are for standalone cyber liability policies with $1 million in coverage limits, which is the most common starting point for small and mid-size businesses. They are based on AdvisorSmith's 2024 market survey of over 5,000 cyber insurance quotes and Marsh McLennan's 2024 Global Insurance Market Index.

Business Size (employees) | Revenue Range | Annual Premium    | Monthly Equivalent
Solo / Micro (1–5)        | Under $500K   | $500–$1,500       | $42–$125
Small (5–25)              | $500K–$5M     | $1,500–$5,000     | $125–$417
Mid-size (25–100)         | $5M–$25M      | $5,000–$20,000    | $417–$1,667
Upper Mid (100–500)       | $25M–$100M    | $20,000–$75,000   | $1,667–$6,250
Large (500+)              | $100M+        | $75,000–$500,000+ | $6,250+

For context: the median annual premium for a $1M cyber policy in 2024 was approximately $1,485 according to AdvisorSmith. That's a small business with under $1 million in revenue and limited data exposure. If that sounds cheap, it's because the cyber insurance market has been softening since mid-2023 after two years of steep rate increases following the ransomware surge of 2020–2022.

Marsh McLennan reported that U.S. cyber insurance pricing decreased 6% in Q2 2024, the fourth consecutive quarter of rate decreases. Carriers are competing for business again after a period where many wouldn't touch certain industries. If you were quoted a high rate in 2022, it's worth getting re-quoted. The market has shifted meaningfully.

How Industry Affects Your Premium

Not all businesses are priced equally. A healthcare practice handling PHI will pay more than a construction company of the same size because the risk profile is fundamentally different. Here's how industries compare, using a baseline of a 25-employee company with $5 million in revenue seeking $1 million in coverage:

Healthcare

$6,000–$15,000/yr

Highest premiums due to HIPAA regulatory exposure and the value of health records on the black market. IBM's 2024 report: healthcare breaches averaged $9.77 million, the most expensive of any industry for 14 years running.

Financial Services

$5,000–$12,000/yr

High premiums driven by regulatory requirements (GLBA, SOX) and direct financial exposure. Average breach cost for financial services: $6.08 million (IBM 2024).

Legal

$4,500–$10,000/yr

Attorney-client privilege makes law firm data especially sensitive. BEC attacks targeting real estate closings and trust accounts are a particular concern. The FBI's IC3 reported $2.9 billion in BEC losses in 2023.

Technology / SaaS

$4,000–$10,000/yr

Varies widely based on whether you store customer data and your software's role in clients' operations. Errors & omissions coverage is often bundled. Pittsburgh's tech scene, from Robotics Row to the Strip, has seen growing demand here.

Manufacturing

$3,000–$8,000/yr

Lower data exposure but growing OT (operational technology) risk. The 2024 Verizon DBIR reported a 48% increase in confirmed manufacturing breaches year-over-year. CMMC requirements for defense contractors are pushing premiums up in this sector.

Retail / Hospitality

$2,500–$7,000/yr

PCI-DSS compliance is the main driver. If you process credit cards, PCI fines for non-compliance after a breach can run $5,000–$100,000 per month until you're compliant.

Professional Services (Other)

$1,500–$5,000/yr

Consulting, marketing, architecture, engineering. Businesses with moderate data exposure and limited regulatory requirements get the most competitive rates.

12 Things That Actually Affect Your Premium

Carriers use these factors during underwriting. Some you can't change (your industry), but many you can. Understanding what moves the needle helps you get the best rate.

Factors You Can't Change

1. Industry

Healthcare and financial services pay more. That's just how it is.

2. Annual Revenue

Higher revenue = more to protect = higher premiums. It's roughly linear.

3. Number of Records

Storing 50,000 customer records costs more to insure than 500.

4. Claims History

Prior claims increase premiums 20–50%. Similar to car insurance.

5. Type of Data

PHI and SSNs cost more to insure than email addresses and names.

Factors You Can Improve

6. Multi-Factor Authentication

MFA on email and remote access is now table stakes. Without it, many carriers won't quote you at all.

7. Endpoint Detection & Response

EDR on all endpoints can reduce premiums 10–15%. Basic antivirus doesn't cut it anymore.

8. Backup Strategy

Offline/air-gapped backups with regular testing. This is ransomware insurance on top of insurance.

9. Employee Training

Annual security awareness training with simulated phishing shows carriers you take the human factor seriously.

10. Patch Management

Demonstrating a systematic approach to software updates reduces risk scores significantly.

11. Incident Response Plan

Having a documented IR plan can shave 5–10% off premiums. Having one that's been tested is even better.

12. Deductible Selection

Higher deductible = lower premium. A $10K deductible vs $2,500 can reduce premiums 15–25%.

The ROI Math: Premium vs. Breach Cost

Insurance is a bet. You're paying a known small amount to avoid a potential large one. Here's how the math works for three real-world scenarios.

Scenario: 20-Person IT Consulting Firm

Without Insurance

  • Annual premium: $0
  • If breached (estimated cost): $285,000
  • Probability of breach in any given year: ~8%
  • Expected annual loss: $22,800

With Insurance ($1M policy)

  • Annual premium: $3,200
  • If breached (out-of-pocket with $5K deductible): $5,000
  • Probability of breach: ~8%
  • Expected annual cost: $3,600

Net expected savings with insurance: $19,200/year. That's using the Ponemon Institute's estimated probability that a company with 10,000+ records will experience a breach in any 24-month period (approximately 27.9%, or roughly 15% annualized, adjusted down for the smaller record count of a 20-person firm).

Scenario: 8-Doctor Medical Group

Without Insurance

  • Annual premium: $0
  • If breached (HIPAA scenario): $890,000
  • Probability (healthcare targeting rate): ~12%
  • Expected annual loss: $106,800

With Insurance ($2M policy)

  • Annual premium: $8,500
  • If breached (out-of-pocket with $10K deductible): $10,000
  • Probability: ~12%
  • Expected annual cost: $9,700

Net expected savings with insurance: $97,100/year. Healthcare is where the ROI case is most obvious because of the regulatory multiplier. HHS OCR doesn't care how small you are. HIPAA penalties apply the same way to a 3-person clinic as they do to a hospital system.

Scenario: 50-Person Manufacturing Company

Without Insurance

  • Annual premium: $0
  • If breached (ransomware + downtime): $420,000
  • Probability: ~10%
  • Expected annual loss: $42,000

With Insurance ($2M policy)

  • Annual premium: $7,200
  • If breached (out-of-pocket with $10K deductible): $10,000
  • Probability: ~10%
  • Expected annual cost: $8,200

Net expected savings with insurance: $33,800/year. For manufacturers, business interruption coverage is often the most valuable component. A Mon Valley machining shop losing $60,000/day in production during a ransomware attack recoups their entire annual premium in the first three hours of covered downtime.

Note on breach probability: These estimates draw from Ponemon Institute's 2024 data on breach likelihood by organization size and industry. Individual company risk varies significantly based on security posture, but the ranges are directionally accurate for planning purposes.
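The expected-value arithmetic behind the three scenarios, as an added worked example (not part of the original article): it reproduces the figures above, adds the break-even breach probability at which a policy pays for itself, handles a breach cost that exceeds the policy limit, and includes the 24-month-to-annual conversion used for the Ponemon figure. Scenario names and the over-limit case are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    breach_cost: float   # estimated all-in cost of one breach, uninsured
    annual_prob: float   # probability of at least one breach per year
    premium: float       # annual premium of the policy
    deductible: float    # paid out of pocket when a covered breach happens
    limit: float         # policy limit; cost above it is also out of pocket


def out_of_pocket(s: Scenario) -> float:
    # Deductible plus any portion of the breach the policy limit does not cover
    return s.deductible + max(0.0, s.breach_cost - s.limit)


def expected_loss_uninsured(s: Scenario) -> float:
    return s.annual_prob * s.breach_cost


def expected_cost_insured(s: Scenario) -> float:
    # Premium is paid every year; out-of-pocket only in a breach year
    return s.premium + s.annual_prob * out_of_pocket(s)


def net_savings(s: Scenario) -> float:
    return expected_loss_uninsured(s) - expected_cost_insured(s)


def breakeven_probability(s: Scenario) -> float:
    # Annual breach probability at which premium equals the expected amount
    # the insurer would pay; below this, self-insuring is cheaper on average
    return s.premium / (s.breach_cost - out_of_pocket(s))


def annualize(prob_over_period: float, months: int = 24) -> float:
    # Convert a multi-period breach probability to a per-year rate,
    # assuming independent years (27.9% per 24 months gives about 15%)
    return 1 - (1 - prob_over_period) ** (12 / months)


# The three scenarios from the article (names are constructed labels)
SCENARIOS = [
    Scenario("20-person IT consulting firm", 285_000, 0.08, 3_200, 5_000, 1_000_000),
    Scenario("8-doctor medical group", 890_000, 0.12, 8_500, 10_000, 2_000_000),
    Scenario("50-person manufacturer", 420_000, 0.10, 7_200, 10_000, 2_000_000),
]

if __name__ == "__main__":
    print(f"Ponemon 27.9% per 24 months, annualized: {annualize(0.279):.1%}")
    for s in SCENARIOS:
        print(f"{s.name}: uninsured ${expected_loss_uninsured(s):,.0f}/yr, "
              f"insured ${expected_cost_insured(s):,.0f}/yr, "
              f"savings ${net_savings(s):,.0f}/yr, "
              f"break-even at {breakeven_probability(s):.2%}/yr")
```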

7 Ways to Lower Your Premium (That Actually Work)

These aren't theoretical. They're the specific things we've seen move the needle on real quotes.

1. Deploy MFA Everywhere

Multi-factor authentication on email, VPN, admin consoles, and cloud applications. This is the single biggest premium reducer. Some carriers discount 10–20% for comprehensive MFA deployment. Others simply won't quote without it.

2. Implement EDR (Not Just Antivirus)

Endpoint detection and response tools like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint are increasingly required by carriers. Traditional antivirus is no longer sufficient for underwriting purposes.

3. Accept a Higher Deductible

Moving from a $2,500 to a $10,000 deductible can reduce premiums by 15–25%. If you can absorb $10,000 without distress, this is free money. Think of it like car insurance: you don't file claims for fender benders.

4. Document Your Security Controls

Carriers can't give you credit for security measures they don't know about. Before your renewal, provide documentation of your security stack: MFA implementation, backup procedures, training records, patch management policies. Many businesses are underinsured simply because they didn't mention their security during underwriting.

5. Shop Multiple Carriers

Cyber insurance pricing varies more between carriers than almost any other line of business. We routinely see 40–60% differences between the highest and lowest quotes for the same risk. An independent agent who works with multiple carriers can make a significant difference.

6. Bundle with Other Policies

Some carriers offer 5–10% discounts when you bundle cyber with your general liability, professional liability, or business owner's policy. The tradeoff is flexibility. Bundled cyber coverage sometimes has lower limits or fewer features than standalone policies.

7. Get a Security Assessment

Some carriers offer premium discounts for businesses that complete a third-party security assessment or penetration test. The assessment might cost $3,000–$10,000, but if it saves you $2,000/year on premiums and identifies real vulnerabilities, it pays for itself quickly.

How Much Coverage Do You Actually Need?

More coverage costs more, obviously. But under-insuring defeats the purpose. Here's a rough guide to appropriate coverage limits:

Business Profile                        | Recommended Limit | Why
Under $1M revenue, minimal data         | $500K–$1M         | Covers a typical small business breach response
$1M–$10M revenue, customer data         | $1M–$2M           | Adequate for most SMB breach scenarios including notification costs
$10M–$50M revenue, regulated data       | $2M–$5M           | Regulatory fines and larger notification costs need headroom
$50M+ revenue, complex operations       | $5M–$10M+         | Business interruption and supply chain risks escalate with size
Healthcare with 10K+ patient records    | $3M–$5M+          | HIPAA notification and penalty exposure alone can exceed $1M

The cost difference between $1M and $2M in coverage is typically 30–50% more premium, not double. Going from $1M to $2M on a $3,000 policy might add $1,000–$1,500. For many businesses, that's an easy decision.

Mistakes We See Business Owners Make

Assuming general liability covers cyber

Most GL policies specifically exclude cyber incidents. Some offer a small cyber endorsement ($25K–$50K), but that won't cover a real breach. Check your policy language. Look for "electronic data liability" exclusions.

Choosing the cheapest policy without reading it

Not all $1M policies are created equal. A $1,200/year policy might exclude ransomware, have a $50K deductible, and limit business interruption to $100K. The $2,800/year policy might cover all of those with reasonable terms. Read the exclusions page. That's where the real differences live.

Ignoring sublimits

Your policy might say "$1 million" on the front page, but specific coverages like social engineering fraud, ransomware payments, or regulatory fines might have sublimits of $100K or $250K. That law firm BEC case we mentioned in our breach response article? They had a $100K social engineering sublimit on a $1M policy. The $387K wire transfer loss exposed that gap painfully.

Waiting for a breach to buy coverage

Cyber insurance has a retroactive date. It only covers incidents that occur after the policy starts. There's no backdating, and if you apply after a known incident, that's material misrepresentation (and grounds for voiding the policy). Buy before you need it.

Important: The prices and ranges in this article are estimates based on publicly available market data, industry reports (AdvisorSmith, Marsh McLennan, IBM, Verizon), and our experience in the cyber insurance market. Your actual premium will depend on your specific risk profile, the carrier, and market conditions at the time of quoting. This article is educational content, not a binding quote or guarantee of coverage. Coverage specifics vary by policy. Always read your actual policy documents.

Ready to Get an Actual Quote?

We'll run your specific profile against multiple carriers and come back with real numbers, not ranges. Takes about 15 minutes of your time and a few days for us to shop the market.
