Cyber Insurance for Small Businesses

Affordable, practical protection against the attacks that are targeting SMBs right now. Coverage from $500/year.


Why small businesses need cyber insurance

Small businesses are not just collateral damage in the broader cyber war. They are targeted specifically — and the statistics are sobering.

43% of all cyberattacks target small and medium-sized businesses. That is not a coincidence. Attackers know that SMBs typically have weaker defences than enterprises, fewer security staff, less security awareness training, and less money to spend on advanced protection. You are, from an attacker's perspective, ideal targets.

The consequences are severe. A typical ransomware attack costs a small business $120,000 to $150,000 in recovery, downtime, and ransom payments. But the damage goes deeper than money: 60% of small businesses close within six months of a major cyberattack. Not because the technical damage is irreversible, but because they lack the cash reserves, insurance, and incident response expertise to weather the disruption.

Cyber insurance bridges that gap. It does not prevent attacks — no insurance does. But it covers the costs that would otherwise destroy your business: incident response, data recovery, ransom payments, legal defence, customer notification, and business interruption.

What it costs

Small business cyber insurance is far more affordable than many business owners assume. Here is real pricing for UK small businesses in 2026:

| Business Size | Revenue / Employees | Annual Premium Range | Typical Coverage |
|---|---|---|---|
| Micro | Under £100K / 1-2 staff | £350-£900 | £500K-£1M total |
| Small | £100K-£1M / 3-20 staff | £700-£2,200 | £1M-£2M total |
| Growing | £1M-£5M / 21-50 staff | £2,200-£5,900 | £2M-£5M total |

Most small businesses can get meaningful, practical cyber insurance for less than £150 per month. Compare that to the cost of a single ransomware attack, a week of downtime, or the legal fees from a single data breach notification.

What small business cyber insurance covers

Generic cyber insurance policies are often overkill for small businesses. Here are the coverages that matter most to you:

  • Ransomware recovery. If attackers encrypt your data and demand payment, your cyber insurance covers the ransom negotiation, payment if approved, and recovery assistance. This is often the single most important coverage for SMBs.
  • Business interruption. When your systems are down, your revenue stops. Cyber insurance covers your lost income during the recovery period — critical for businesses with no cash reserves or revenue diversity.
  • Data breach notification. When customer data is compromised, you are legally required to notify affected individuals. Cyber insurance covers the cost of notification services, credit monitoring, and legal defence if the regulator investigates.
  • Legal defence. If a customer sues you after a breach, or a regulator investigates, your cyber insurance covers solicitor fees and defence costs. Often these costs exceed the regulatory fines themselves.
  • Incident response. When an attack happens, you need forensic investigators, recovery specialists, and expert advisors — people you could never afford to retain on your own. Cyber insurance gives you immediate access to a network of vetted incident response firms at no additional cost.

Top risks for small businesses

Not all cyber threats are equally likely. Here are the attacks that actually target small businesses:

  • Phishing and email compromise. 90%+ of cyberattacks begin with a phishing email. Attackers send you a fake invoice, a fake password reset, or a fake file share request. Someone on your team clicks it, and the attacker has network access. From there, they can steal data, deploy ransomware, or commit fraud.
  • Ransomware. Once inside your network, attackers deploy ransomware to encrypt your data and demand payment. Small businesses are hit hard because they have few offline backups and limited recovery capability.
  • Invoice fraud. Attackers compromise your email or your supplier's email and send you a fake invoice from a legitimate supplier. You pay the attacker instead of the supplier. This costs real money and is often not covered by normal business insurance.
  • Employee error. Your team members are not malicious, but they make mistakes. They misconfigure a cloud storage bucket, accidentally email sensitive data, or use a weak password. These errors expose customer data.
  • Supply chain compromise. You are compromised not through your own systems, but through a supplier or vendor. Attackers breach their network, gain access to yours, and steal or encrypt your data.

What insurers look for from small businesses

Cyber insurers want to know that you are taking basic security seriously. You do not need to be a Fortune 500 company with a dedicated CISO. But you do need to implement basic controls:

  • Multi-factor authentication (MFA). Enable MFA on all user accounts, especially email and cloud applications. This prevents most phishing attacks from succeeding.
  • Endpoint protection. Use antivirus or endpoint detection and response (EDR) software on all computers and mobile devices. Do not rely solely on Windows Defender.
  • Regular backups. Back up critical business data daily and store at least one backup offline. This is your recovery plan if ransomware hits.
  • Email security. Use email filtering to block phishing emails before they reach your team. This is one of the most cost-effective controls available.
  • Security training. Train your staff to spot phishing, never share credentials, and report suspicious activity. This costs very little and stops most attacks before they start.

These are not optional for good cyber insurance. They are table stakes. The good news: they are all achievable for even the smallest business, and many cost very little or nothing.

Common mistakes small businesses make

We see these patterns repeatedly:

  • Buying the cheapest policy. The £300/year policy will not cover you when a real attack happens. You will find exclusions, sub-limits, and gaps. Spend a little more and get proper coverage.
  • Underinsuring. If your business has £1M in annual revenue, get at least £1M in coverage. Too many small businesses insure for £250K and hope it is enough. It is not.
  • Not reading the exclusions. Every cyber policy has exceptions. Some policies exclude ransomware if you have paid a ransom before (why?). Some exclude legal defence if the breach was due to poor security practices (vague and unhelpful). Ask your broker to explain what is not covered.
  • Assuming general liability covers cyber. It does not. Your general liability or professional indemnity policy does not include cyber losses. You need a dedicated cyber policy.
  • Waiting until after an incident. You cannot buy insurance after a loss. You need cover in place now, before an attack happens. And cyber policies typically have a short waiting period before they take effect.

How to get started

The process is simple and free:

  1. Fill out our quick form. Tell us about your business: industry, size, revenue, number of employees, and your basic security practices.
  2. Get matched with a specialist broker. We match you with a broker who specialises in cyber insurance for small businesses. They understand your needs, not just enterprise requirements.
  3. Get a tailored quote within 24 hours. Your broker will contact you, ask detailed questions, and provide a personalised proposal with pricing and coverage details.
  4. Review, ask questions, activate. You have no obligation. Review the quote, ask questions, and activate when you are ready.

Ready? Fill out our quote form and get matched with a specialist SMB cyber insurance broker. Free, fast, no obligation.
