The US cyber insurance market
The United States cyber insurance market is the largest globally, valued at approximately $7.5 billion in gross written premium and growing faster than almost any other insurance segment. This rapid growth reflects increasing regulatory requirements across all 50 states, rising breach costs, and growing board-level awareness of cyber risk.
For a small business (under 50 employees, under $5M revenue), cyber insurance typically costs between $1,000–$3,000 per year for $1M in coverage. But costs vary hugely based on industry, size, security posture, and claims history.
A micro business (1–10 employees) might pay as little as $500–$1,500 annually, while an enterprise with 1,000+ employees could pay $50,000–$500,000+ per year. Think of cyber insurance pricing like any other insurance: the bigger and riskier you are, the more you pay.
Cyber insurance cost by company size
Your company size is one of the strongest predictors of premium. Below is what typical annual premiums look like:
| Company Size | Employees | Typical Annual Premium (USD) | Typical Coverage |
|---|---|---|---|
| Micro | 1–10 | $500–$1,500 | $500K–$1M |
| Small | 11–50 | $1,000–$3,000 | $1M–$2M |
| Mid-market | 51–250 | $3,000–$15,000 | $2M–$5M |
| Upper mid-market | 251–1,000 | $15,000–$50,000 | $5M–$10M |
| Enterprise | 1,000+ | $50,000–$500,000+ | $10M+ |
These figures are for standard coverage with a $10,000–$25,000 deductible. Prices vary by state, local regulation, and underwriter appetite.
Cost by industry
Some industries face significantly higher premiums because they handle sensitive data or are frequent targets. Insurers apply industry-specific multipliers to base rates. Here's how they compare:
| Industry | Risk Level | Premium Multiplier | Why |
|---|---|---|---|
| Healthcare | Very High | 2–3× | HIPAA compliance, patient records, ransomware target |
| Financial Services | High | 1.5–2.5× | SEC disclosure, regulatory exposure, high-value data |
| Technology | High | 1.5–2× | IP, customer data, SaaS liability |
| Retail/E-commerce | Medium-High | 1.3–1.8× | Payment card data, PCI DSS compliance |
| Professional Services | Medium | 1–1.5× | Client confidential data |
| Manufacturing | Medium | 1–1.5× | OT/IT convergence, supply chain risk |
| Education | Medium | 1–1.3× | Student data, limited budgets |
| Non-profit | Low-Medium | 0.8–1.2× | Limited data, smaller targets |
Example: A small healthcare practice with 20 employees might see a 2.5× multiplier applied to base rates. If the base premium is $1,500, they'd pay around $3,750 ($1,500 × 2.5) instead.
US regulatory landscape and its impact on costs
The United States operates under a "patchwork" regulatory framework where cyber insurance costs are influenced by multiple overlapping requirements at the federal, state, and industry levels.
- State data breach notification laws. All 50 states mandate notification of affected individuals following a data breach. Notification costs (mailings, credit monitoring, forensics) are a major component of breach expenses, driving insurers to charge more.
- State-specific cybersecurity regulations. California's CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act) set strict standards for data handling and breach response. New York's NYDFS Cybersecurity Requirements (23 NYCRR 500) apply to financial services companies and require MFA, encryption, and breach notification within 72 hours. Companies operating in these states face higher premiums.
- HIPAA for healthcare. The Health Insurance Portability and Accountability Act requires healthcare organisations to implement safeguards and report breaches. HIPAA-covered entities and business associates face mandatory cyber insurance as part of compliance, which insurers price accordingly.
- SEC disclosure rules. Public companies must disclose material cybersecurity incidents to the SEC, creating liability and disclosure costs. This drives higher premiums for publicly traded firms.
- PCI DSS for payment processors. Companies handling payment card data must comply with PCI DSS standards, which influence insurance underwriting and premium calculation.
This regulatory complexity means that a company operating in California or New York, or a healthcare provider, will typically pay 20–40% more in cyber insurance premiums than equivalent-sized companies in states with fewer specific regulations.
What factors affect your premium?
Insurance underwriters assess dozens of variables when setting your rate. Here are the main ones:
- Revenue and employee count. Larger organisations pay more because they hold more data and face higher exposure.
- Industry and data types handled. If you process payment cards, health records, or personal financial data, expect a higher premium.
- Security controls in place. Multi-factor authentication (MFA), endpoint detection and response (EDR), regular backups, and security training can reduce premiums by 10–30%.
- Claims history. Previous breaches or cyber incidents significantly increase your premium (or may make you uninsurable).
- Coverage limits and deductible chosen. A $10M limit with a $50,000 deductible costs much more than $1M with $25,000. You can reduce premium by choosing higher deductibles.
- Retroactive date. A full retroactive date (no date limit on when the incident occurred) costs more than a claims-made policy.
- Geographic scope. US-only coverage costs less than global coverage.
- Regulatory compliance burden. Operating in heavily regulated states (California, New York) or regulated industries (healthcare, finance) increases premiums due to compliance-related costs.
How to reduce your cyber insurance costs
Your premium isn't set in stone. Improving your security posture can yield significant savings, and many insurers offer discounts for implemented controls:
- Implement MFA everywhere. Multi-factor authentication is now table stakes. Many insurers offer 5–10% discounts for organisation-wide MFA.
- Deploy endpoint detection and response (EDR). Real-time threat detection can reduce premiums by 10–20%.
- Run regular security awareness training. Demonstrating employee training reduces social engineering risk. Discounts: 5–15%.
- Have a tested backup and recovery plan. Proven backup procedures reduce ransomware impact. Discounts: 10–15%.
- Document an incident response plan. A written, practised plan shows you're prepared. Discounts: 5–10%.
- Perform regular vulnerability scanning and patching. Proof of vulnerability management: 5–15%.
- Implement privileged access management (PAM). Limiting admin access reduces breach likelihood. Discounts: 10–20%.
- Write and enforce an information security policy. A documented security policy demonstrates governance. Discounts: 5%.
Many businesses find that the cost of implementing these controls (often $5,000–$20,000) pays for itself through lower premiums within 12–24 months.
Is cyber insurance worth the cost?
The average cost of a data breach in the United States is $5.09 million, the highest globally. Even a small breach affecting just 1,000 records would cost you approximately $165,000 in recovery, notification, credit monitoring, and legal fees, far more than your annual insurance premium.
Quick maths: If you're a small business paying $1,500/year for cyber insurance with $1M coverage, it would take a breach of just 9,100 records at $165 each ($1.5M cost) to make that investment worthwhile. Most breaches affect far more records.
Beyond direct breach costs, cyber insurance covers:
- Business interruption (lost revenue during downtime)
- Incident investigation and forensics
- Customer notification and credit monitoring
- Legal and regulatory defence costs
- Reputational harm and PR response
- Ransomware payments (where legal)
- Network extortion payments
For most businesses, cyber insurance is not just worth the cost; it's essential risk management.
Last updated: April 2026