The US cyber threat landscape
The United States is the world's largest cyber insurance market, representing approximately $7.5 billion in gross written premium as of 2026. This market size reflects both the scale of the US economy and the severity of cyber risks facing American businesses.
The average cost of a data breach in the US is $5.09 million, the highest globally. This figure includes recovery costs, regulatory fines, litigation expenses, customer notification, credit monitoring services, business interruption, and reputational damage. Larger breaches involving millions of records often exceed $20 million in total cost.
The threat landscape in the US is characterized by ransomware epidemics targeting healthcare and critical infrastructure, sophisticated nation-state-backed attacks, supply chain compromises, and mass phishing campaigns. Additionally, the US has some of the world's strictest data protection laws and most aggressive enforcement by both regulators and private plaintiffs, which amplifies liability exposure.
In 2023, the SEC introduced new cyber disclosure rules requiring public companies to disclose material cyber incidents within four business days. This has triggered a significant shift in cyber insurance requirements across publicly traded companies and their supply chains.
US cyber insurance costs
Cyber insurance premiums in the United States vary based on business size, industry sector, annual revenue, employee count, data handling practices, and prior incidents. The table below provides typical annual premium ranges and coverage limits for different business sizes.
| Business Size | Annual Premium Range | Typical Coverage Limit |
|---|---|---|
| Micro (1-10 employees) | $500–$1,500 | $500K–$1M |
| Small (11-50 employees) | $1,000–$3,000 | $1M–$2M |
| Mid-market (51-250 employees) | $3,000–$15,000 | $2M–$5M |
| Upper mid (251-1,000 employees) | $15,000–$50,000 | $5M–$10M |
| Enterprise (1,000+ employees) | $50,000–$500,000+ | $10M+ |
Premiums are indicative and based on 2024-2026 US market data. Actual costs vary significantly by industry, state, security maturity, and claims history.
The US cyber insurance market is highly competitive, with many carriers competing aggressively on price and coverage. However, the market has also hardened in recent years, with carriers implementing stricter underwriting standards and higher deductibles, particularly for ransomware exposure.
Key cost drivers include your business sector (healthcare and finance pay premium rates), employee count, annual revenue, your state of operation, security controls in place, prior claims history, and whether you handle cardholder data (PCI DSS scope). Businesses with strong security practices and incident response plans pay substantially less than those with minimal protections.
Regulatory landscape in the United States
The US regulatory environment is fragmented, with responsibility split among federal agencies, state regulators, and industry-specific bodies. Understanding this landscape is critical to ensuring adequate cyber insurance coverage.
State Breach Notification Laws: All 50 US states have enacted breach notification laws. These laws generally require businesses to notify affected individuals of breaches involving personal information without unreasonable delay. Some states impose notification obligations on third-party breach service providers as well.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): CCPA grants California residents rights over their personal data. CPRA, which became effective in 2023, expanded these rights and increased penalties. Fines can reach $7,500 per intentional violation. Because of California's size and market influence, many companies apply CCPA/CPRA standards nationally.
SHIELD Act (New York): New York's SHIELD Act requires "reasonable security" for private information and imposes penalties for negligent breaches. It applies to any business handling the private information of New York residents, regardless of where the business is located.
Health Insurance Portability and Accountability Act (HIPAA): Healthcare providers, health plans, and their business associates must comply with HIPAA's security and privacy rules. Fines can reach $50,000 per violation, with annual maximums in the millions. Healthcare cyber insurance is specialized and typically includes HIPAA liability coverage.
SEC Cyber Disclosure Rules (2023): Public companies must now disclose material cyber incidents within four business days of determination of materiality. This requirement has cascading effects on vendors, suppliers, and cloud service providers, many of whom must now carry cyber insurance to satisfy customer demands.
New York Department of Financial Services (NYDFS) Cybersecurity Regulation: NYDFS-regulated entities (financial services firms, insurance companies) must meet strict cybersecurity standards, including multi-factor authentication, encryption, and annual penetration testing.
FTC Enforcement: The Federal Trade Commission aggressively pursues unfair or deceptive data security practices. FTC enforcement actions can result in consent decrees requiring ongoing security audits and substantial damages.
OFAC Sanctions Compliance: The Office of Foreign Assets Control prohibits US entities from paying ransoms to sanctioned entities. Any cyber policy should address OFAC compliance obligations.
US cyber insurance providers
The US cyber insurance market includes tech-enabled startups, specialty carriers, and traditional insurers. Major providers include:
Tech-Enabled Carriers: Coalition, At-Bay, and Corvus have emerged as market leaders by combining simplified underwriting, real-time risk monitoring, and rapid claims handling. These carriers often appeal to mid-market and smaller businesses seeking streamlined purchasing.
Specialty Carriers: Beazley, AIG, and Chubb offer comprehensive cyber coverage with strong claims teams and negotiating power across the marketplace.
Traditional Carriers: Travelers, Hartford, Zurich North America, and others have developed mature cyber programs with deep experience in complex, multi-state exposures.
Surplus Lines Markets: For unusual or complex risks, surplus lines (non-admitted) carriers provide coverage outside the standard markets. These are accessible only through licensed surplus lines brokers.
The US market is the most competitive globally, meaning you have options. Work with a licensed broker or agent to compare multiple carriers and secure the best terms for your risk profile.
US-specific coverage considerations
When purchasing cyber insurance in the US, ensure your policy addresses these jurisdiction-specific exposures:
- State-by-State Breach Notification Compliance: Notification laws vary by state. Your policy should cover notification costs, credit monitoring, and regulatory investigation costs across all 50 states.
- HIPAA Coverage: If your business handles protected health information, you must have specific HIPAA liability and breach response coverage. Standard cyber policies may exclude healthcare exposures.
- SEC Disclosure Obligations: If you are a public company or a service provider to public companies, ensure coverage for the costs of investigating and disclosing material cyber incidents under SEC rules.
- Class Action Exposure: The US has a robust class action litigation system. Your cyber policy should include coverage for class action defence and settlement costs.
- PCI DSS Coverage: If you process, store, or transmit payment card data, ensure your policy covers PCI DSS investigation costs, fines, and liability.
- Biometric Data Laws: Several states, notably Illinois (BIPA), have strict biometric privacy laws. If your business handles biometric data, ensure specific coverage.
- OFAC Compliance for Ransom Payments: Your policy should state clearly whether ransom payments are covered and under what conditions an OFAC license must be obtained before any payment to a sanctioned entity.
Getting cyber insurance in the US
The process of securing cyber insurance in the US typically follows these steps:
Step 1: Determine Your Needs. Assess your business size, industry, data volumes, regulatory requirements, and risk tolerance. Consider whether you need standard coverage or specialized policies (e.g., HIPAA, E&O).
Step 2: Engage a Licensed Broker or Agent. A broker with expertise in cyber insurance will understand your industry, navigate multi-state requirements, and ensure competitive bids. Brokers are typically free to the buyer (they earn commission from insurers).
Step 3: Complete an Application. Your broker will guide you through the carrier's underwriting questionnaire. Be thorough and accurate: misstatements can void your coverage.
Step 4: Receive Quotes. Brokers will shop your risk to multiple carriers. Typical turnaround is 1-2 weeks, though expedited underwriting is possible.
Step 5: Review Terms and Negotiate. Compare policies across carriers. Key variables include deductibles, sublimits, exclusions, and defence cost provisions. Your broker can negotiate on your behalf.
Step 6: Bind and Implement. Once you select a policy, your broker will bind coverage and provide you with a certificate of insurance. Most policies take effect immediately upon binding.
CyberPolicyFinder simplifies this process. Answer a quick questionnaire about your US business, and we will match you with a licensed broker specializing in your industry. The broker will handle all legwork and provide you with quotes, typically within 24 hours, at no cost to you.
Get a US Quote
Free matching with a licensed cyber insurance broker. No obligation, no cost.
Other countries
Cyber insurance regulations, costs, and requirements differ significantly by jurisdiction. If you operate internationally or want to compare US costs with other regions, explore our guides: