We sell cyber insurance. So you'd expect us to say "absolutely, every business needs it." But that's not how we operate. The honest answer depends on what your business actually does, what data you handle, and how much a cyber incident would actually cost you.
Some businesses genuinely don't need a standalone cyber policy. A sole proprietor running a landscaping company with no customer payment data on file and a personal Gmail account? You're probably fine without it. Your general liability policy might cover the minimal digital exposure you have.
But if you store customer data, process payments, use cloud software for operations, or would lose serious money from a week of downtime, keep reading. The math might surprise you.
The Numbers Behind the Risk
IBM's 2024 Cost of a Data Breach Report puts the average breach cost at $4.88 million globally. That number gets thrown around a lot, and it's misleading for small businesses because it's skewed by massive enterprise breaches. So let's break it down by company size.
Average Breach Costs by Organization Size (IBM, 2024)
- Fewer than 500 employees: $2.98 million
- 500–1,000 employees: $3.31 million
- 1,000–5,000 employees: $4.18 million
- 5,000+ employees: $5.46 million
That "fewer than 500 employees" number, $2.98 million, is the one that matters for most businesses reading this. And according to the Verizon 2024 Data Breach Investigations Report, small businesses (under 1,000 employees) were involved in 28% of all analyzed breaches. You're not too small to be targeted. You're the right size to be targeted, because attackers know your defenses are thinner.
The Verizon DBIR also found that 68% of breaches involved a human element: phishing, stolen credentials, or simple mistakes. No amount of firewall spending fixes the fact that someone on your team will eventually click the wrong link.
Four Businesses, Four Different Answers
Rather than giving you a generic "every business needs cyber insurance" pitch, let's walk through four real scenarios. These are composites based on businesses we've worked with in the Pittsburgh area.
Scenario 1: Solo Consultant, No Employees
Marketing consultant. Works from home in Lawrenceville. Uses a laptop, Google Workspace, and Canva. Stores client logos and brand guidelines but no financial data. Revenue: $85,000/year.
Biggest risk: A compromised Google account leading to leaked client strategies or embarrassing communications. Annoying and potentially relationship-damaging, but unlikely to trigger regulatory action or lawsuits.
Estimated breach cost: $5,000–$25,000 (mostly lost clients, some remediation costs). The National Cyber Security Alliance found that 60% of small businesses close within six months of a cyber attack, but that stat includes businesses with employees, inventory, and much higher fixed costs.
Our take: A standalone cyber policy probably isn't cost-effective here. A good general liability policy with a cyber endorsement (usually $50–$150/year extra) covers your realistic exposure. Spend the money on a password manager and MFA instead.
Verdict: Skip the standalone policy. Get a cyber endorsement on your GL.
Scenario 2: Small Business, 10 Employees
Dental practice in Mt. Lebanon. Electronic health records for 3,200 patients. Processes insurance claims and credit card payments. Revenue: $1.2 million/year.
Biggest risk: Ransomware encrypting patient records, or a breach exposing protected health information (PHI). HIPAA violations start at $137 per record for unknowing violations and go up to $68,928 per record for willful neglect (HHS Office for Civil Rights, 2024 penalty structure).
Estimated breach cost: $150,000–$500,000. That includes HIPAA notification requirements (you must notify every affected patient individually), forensic investigation, legal counsel, potential HHS investigation, and credit monitoring for affected patients. IBM's 2024 report found healthcare breaches averaged $9.77 million, the highest of any industry for the 14th consecutive year.
Our take: You need a standalone cyber policy. A $1 million policy for a dental practice this size typically runs $1,500–$3,000/year. That's less than the cost of replacing one dental chair, and it covers breach response costs that would otherwise come straight out of your operating budget.
Verdict: Yes, get a standalone cyber policy. HIPAA exposure alone justifies it.
Scenario 3: Mid-Size Company, 50 Employees
Regional accounting firm with offices in Pittsburgh and Cranberry Township. Handles tax returns, payroll data, and financial records for 400+ clients. Revenue: $8 million/year.
Biggest risk: A compromised email account leading to fraudulent wire transfers (business email compromise), or ransomware during tax season shutting down operations when every day of downtime means missed deadlines. The FBI's Internet Crime Complaint Center (IC3) reported $2.9 billion in BEC losses in 2023 alone.
Estimated breach cost: $500,000–$2 million. Beyond direct breach costs, you're looking at professional liability claims from clients whose data was exposed, potential state regulatory action (Pennsylvania's Breach of Personal Information Notification Act requires notification "without unreasonable delay"), and reputational damage that could cost you accounts for years.
Our take: Not only do you need cyber insurance, you need to make sure it includes business interruption coverage and social engineering fraud coverage. A $2 million policy for a firm this size typically runs $5,000–$12,000/year. Your clients may also start requiring proof of cyber coverage. We're seeing this more frequently in professional services contracts.
Verdict: Absolutely yes. Consider $2M+ coverage with business interruption and social engineering riders.
Scenario 4: Larger Business, 200+ Employees
Manufacturing company in the Mon Valley. Runs CNC machines connected to the network, has an ERP system managing supply chain, and processes orders from defense contractors. Revenue: $45 million/year.
Biggest risk: An attack on operational technology (OT) shutting down production lines, or a supply chain compromise affecting defense contracts. CMMC (Cybersecurity Maturity Model Certification) requirements mean losing compliance could mean losing contracts entirely. The 2024 Verizon DBIR found manufacturing experienced a 48% increase in confirmed breaches year-over-year.
Estimated breach cost: $2 million–$10 million. Production downtime alone at $45M revenue means roughly $175,000 per business day lost. Add regulatory exposure, customer notification, forensics, and potential loss of defense contracts, and you're looking at existential-level risk.
Our take: You should have had cyber insurance three years ago. At this size, you need a comprehensive program, potentially $5M+ in coverage, with specific endorsements for operational technology, supply chain disruption, and regulatory defense costs. Budget $25,000–$60,000/year for premiums, but weigh that against a single day of production downtime.
Verdict: Critical. Comprehensive coverage with OT and regulatory endorsements. This is a board-level discussion.
A Quick Self-Assessment
Answer these five questions honestly. If you answer "yes" to three or more, you should seriously look into standalone cyber coverage.
1. Do you store customer personal information digitally? Names + emails count. SSNs, health records, or payment info count more.
2. Would a week without your computer systems cost you more than $10,000? Include lost revenue, employee downtime, missed deadlines, and customer impact.
3. Are you subject to any data protection regulations? HIPAA, PCI-DSS, SOX, GLBA, state privacy laws, CMMC, or industry-specific rules.
4. Do you process payments or handle financial data for clients? Credit cards, ACH transfers, payroll processing, or financial records.
5. Have any of your vendors or partners experienced a breach in the past two years? Supply chain attacks are one of the fastest-growing threat vectors.
What Cyber Insurance Actually Covers (and What It Doesn't)
Cyber insurance isn't a magic shield. It's a financial backstop. Understanding what's actually in a policy helps you decide if it's worth the premium.
Typically Covered
- Forensic investigation costs
- Legal defense and regulatory fines
- Customer notification expenses
- Credit monitoring for affected parties
- Business interruption losses
- Ransomware payments (with conditions)
- PR and crisis communications
Usually Not Covered
- Pre-existing vulnerabilities you knew about
- Loss of future revenue or market value
- Physical damage from cyber attacks
- Insider threats (intentional employee acts)
- War and nation-state attacks (exclusion varies)
- Upgrades or improvements to your security
- Intellectual property theft (often excluded)
The "I'm Too Small to Be a Target" Problem
This is the most common objection we hear, and it's backwards. According to the Verizon 2024 DBIR, 43% of cyber attacks target small businesses. Attackers aren't sitting in a room saying "let's go after the company with the best security." They're running automated scans looking for unpatched systems, weak passwords, and open RDP ports. A 15-person accounting firm in Squirrel Hill with an outdated firewall is a softer target than a Fortune 500 company with a 50-person security team.
The Hiscox Cyber Readiness Report found that the average cost of a cyber attack for businesses with fewer than 250 employees was $25,612. Not catastrophic for most, but an average like that hides a long tail: 10% of affected small businesses faced costs exceeding $100,000.
The question isn't whether you're a target. The question is whether you can absorb the cost if you get hit. If $100,000 in unexpected expenses would seriously threaten your business, that's your answer.
Insurance Is the Last Line, Not the First
We'd be doing you a disservice if we didn't say this: cyber insurance works best when you've already done the basics. Carriers will ask about your security posture during underwriting, and your premiums will reflect your answers. Here's the minimum that most carriers expect:
- Multi-factor authentication on email and remote access (this is non-negotiable for most carriers now)
- Regular backups stored offline or in an isolated cloud environment
- Endpoint detection and response (EDR) on all company devices
- Employee security training (at least annual phishing awareness)
- Patch management: keeping software and systems updated
If you're not doing these things, start there. Some carriers will decline coverage entirely if you can't demonstrate basic security hygiene. Others will quote you, but the premiums will reflect the elevated risk.
The Bottom Line
Cyber insurance isn't a checkbox exercise, and it's not a substitute for security. It's a financial tool for transferring risk you can't afford to absorb. If a breach would cost you more than you can comfortably pay out of pocket (and for most businesses with employees and customer data, that's the case), a cyber policy is worth investigating.
If you're genuinely unsure whether you need it, we're happy to walk through your specific situation. No pitch, no pressure. Sometimes the honest answer is "you don't need this from us, but here's what you should do instead."
That's not a sales tactic. It's just how we do business in Pittsburgh.