
Cyber Insurance for Small Business: What It Covers

Cyber insurance protects your business against financial losses from data breaches, ransomware attacks, business email compromise, and other digital threats. A policy covers breach notification costs, forensic investigation, customer credit monitoring, legal defense against lawsuits, regulatory fines, and business interruption losses caused by cyber incidents. For ecommerce businesses that process payments and store customer data, cyber insurance has become as essential as general liability coverage.

Why Ecommerce Businesses Need Cyber Insurance

Every ecommerce business collects, transmits, and stores sensitive customer data. At minimum, you handle names, email addresses, shipping addresses, and payment information for every transaction. Many stores also maintain customer accounts with order histories, saved payment methods, and personal preferences. This data is a target for cybercriminals, and you are legally responsible for protecting it.

Small businesses are attractive targets because they typically have weaker security controls and less monitoring than large corporations. Verizon's 2019 Data Breach Investigations Report found that 43% of the breaches it analyzed involved small business victims. The widely repeated claim that 60% of small businesses close within six months of a breach does not come from the DBIR and has never been substantiated, so do not build a risk decision on it. The underlying point stands without it: the costs of response, remediation, and lost customer trust after a significant breach are larger than most small businesses can absorb from cash flow, which is the gap insurance exists to fill.

Even if you use Shopify, BigCommerce, or another hosted platform that keeps card data out of your own systems, you still have cyber exposure. The platform reduces your PCI DSS scope (you typically still complete a self-assessment questionnaire each year) and protects payment data during checkout, but it does nothing for the customer data that lives elsewhere: your email marketing system stores customer email addresses, your CRM stores customer communications, and your admin credentials control access to the whole business. A compromised email account, a phishing attack on your team, or malware on the laptop you run the store from can expose customer data that never touched the payment flow.

Privacy regulations compound the financial exposure. The California Consumer Privacy Act (CCPA) gives consumers a private right of action with statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) when nonencrypted and nonredacted personal information is breached because of a failure to maintain reasonable security. A breach affecting 5,000 customers could therefore generate $500,000 to $3.75 million in statutory damages alone, before any defense costs. Two caveats matter for small stores. First, the CCPA applies only to businesses over its thresholds (roughly $25 million in annual revenue, the personal information of 100,000 or more California consumers or households, or half of revenue from selling or sharing personal information), so many small ecommerce businesses fall outside it, although every state's breach-notification law applies regardless of size. Second, because the statutory damages attach only to nonencrypted data, encrypting customer data at rest directly reduces this exposure. Other states have enacted comprehensive privacy laws with their own enforcement and penalty structures, though most enforce through the attorney general rather than private lawsuits. Cyber insurance covers these legal and regulatory costs, which can dwarf the technical costs of the breach, subject to the standard policy limitation that fines and penalties are covered only where the law permits them to be insured.

What Cyber Insurance Covers

First-Party Coverage

First-party coverage pays for your own losses and expenses following a cyber incident.

Breach notification costs: State breach-notification laws require you to notify affected individuals without unreasonable delay after discovering a breach, and many states set a hard deadline of 30 to 60 days; most also require notice to the state attorney general or a regulator once the number of affected residents passes a threshold. Notification costs include identifying which records were compromised, printing and mailing notification letters, staffing a call center to handle inquiries, and providing identity theft protection services. For a breach affecting 10,000 records, notification costs alone can reach $50,000 to $150,000.

Forensic investigation: After a breach, you need a digital forensics firm to determine what happened, how the attackers got in, what data was accessed, and whether the threat has been contained. Forensic investigations for small business breaches typically cost $10,000 to $75,000 depending on the complexity of your systems and the scope of the intrusion.

Data restoration: If your website, databases, or business files are destroyed or encrypted by ransomware, this coverage pays for the technical work to restore your data from backups or rebuild your systems. It pays for restoration, not for the backups themselves: if your only backups sat on the same network and were encrypted along with production, there is nothing to restore from, which is why underwriters now ask whether backups are offline or immutable and whether restores have been tested. Restoration costs range from $5,000 to $50,000 depending on the extent of damage and the complexity of your infrastructure.

Ransomware payments: Many cyber policies cover ransom payments when your systems are encrypted and no other recovery option is available, but almost all require the insurer's consent before any payment is made, and no insurer will reimburse a payment to a sanctioned group: paying an entity on the U.S. Treasury's OFAC sanctions list is itself a violation, so attribution is one of the negotiator's first tasks. Paying also does not undo a data theft; many ransomware groups exfiltrate data before encrypting it, and the notification and liability costs described above apply whether or not you pay. The coverage extends to the negotiation process, and the specialized negotiators insurers retain can often reduce the demanded amount. The average ransomware demand against small businesses is $50,000 to $200,000, though demands of $1 million or more are increasingly common.

Business interruption: If a cyberattack takes your online store offline, this coverage pays for lost revenue and ongoing expenses during the downtime period. For an ecommerce business doing $2,000 per day in sales, even three days of downtime represents $6,000 in lost revenue plus the ongoing costs of warehouse staff, software subscriptions, and marketing commitments that continue regardless of whether your store is operational.

Crisis management and PR: Some policies cover the cost of hiring a public relations firm to manage customer communications and protect your brand reputation following a breach. For businesses where customer trust is essential to revenue, this coverage can be valuable in minimizing long-term damage.

Third-Party Coverage

Third-party coverage pays for claims made against you by customers, partners, or regulators.

Legal defense: If customers sue you for failing to protect their data, your cyber policy covers the legal defense costs. Class action lawsuits following data breaches are common, and defense costs can reach $100,000 to $500,000 even for small business cases. Check whether defense costs sit inside or outside the policy limit: on most cyber policies they erode the limit, so a $1 million policy that spends $400,000 on defense has $600,000 left for settlements, notification, and everything else.

Settlements and judgments: If a lawsuit results in a settlement or court judgment against you, the policy pays up to your coverage limits. Data breach settlements for small businesses typically range from $10,000 to $250,000, though cases involving medical or financial data can be significantly larger.

Regulatory defense and fines: If the FTC, a state attorney general, or a privacy regulator investigates your breach, the policy covers your legal costs to respond to the investigation and any resulting fines or penalties, to the extent they are insurable in the relevant jurisdiction (some states bar insuring certain fines as a matter of public policy, which is why policies carry a "where insurable by law" qualifier). Fines under the CCPA, the GDPR and UK GDPR (if you sell to customers in the EU or UK), and other state privacy laws can be substantial.

Payment card industry penalties: If your breach involves card data, the card brands (Visa, Mastercard) assess your acquirer or payment processor, which passes the costs to you under your merchant agreement. Two kinds of cost arise: non-compliance fines, for which the commonly cited range is $5,000 to $100,000 per month (the brands do not publish a schedule), and post-breach assessments for card reissuance and fraud losses under the brands' compromised-account recovery programs, which are usually the larger number. Cyber policies typically cover both under a "PCI assessments" or similar grant, but that grant is often sublimited, so check the sublimit against the number of cards you handle.

How Much Cyber Insurance Costs

Cyber insurance premiums for small ecommerce businesses depend on annual revenue, the volume of customer records you maintain, your security infrastructure, and the coverage limits you select.

Revenue under $250,000, under 10,000 records: $500 to $1,000 per year for $1 million in coverage. This is the typical range for small ecommerce stores with basic security measures in place.

Revenue $250,000 to $1 million, 10,000 to 50,000 records: $1,000 to $2,500 per year. Growing businesses with larger customer databases pay more because the potential breach impact is proportionally larger.

Revenue $1 million to $5 million, 50,000 to 200,000 records: $2,500 to $7,500 per year. At this level, insurers conduct more thorough underwriting and may require specific security controls to be in place.

Deductibles for cyber policies typically range from $1,000 to $10,000 for small business policies. A higher deductible lowers your premium but increases your out-of-pocket costs in a claim. Most small businesses choose deductibles in the $2,500 to $5,000 range as a balance between premium savings and manageable self-retention.

Several factors move your premium. Multi-factor authentication on all business accounts, current software patches, a written incident response plan, phishing awareness training for employees, tested offline backups, and encryption of sensitive data at rest all signal lower risk to underwriters and can reduce your premium by 10% to 25%. Some of these, MFA on email, remote access and administrative accounts and offline backups in particular, have shifted from discounts to conditions, and many insurers now decline to quote without them. Answer the application accurately: a control you claimed but did not have is a material misrepresentation that can let the insurer rescind the policy or deny the claim after a loss. Conversely, a history of prior incidents, storing payment card data on your own systems, or running unsupported software increases your rates.

Cyber Insurance vs General Liability

General liability insurance does not cover cyber incidents. Insurers have excluded digital risks from traditional policies through explicit exclusions added to general liability, commercial property, and professional liability forms (ISO's "Access or Disclosure of Confidential or Personal Information" exclusion on the standard CGL form is the usual one). If you experience a data breach, expect your general liability insurer to deny the claim as outside the scope of that coverage.

Similarly, your business owners policy does not cover cyber losses unless you add a specific cyber endorsement. Some BOPs offer limited cyber coverage as an endorsement, typically with low limits of $25,000 to $100,000. For most ecommerce businesses, these sublimits are insufficient, and a standalone cyber policy with $1 million in coverage provides substantially better protection.

How to Evaluate Cyber Insurance Policies

Not all cyber policies are created equal. When comparing quotes, look beyond the premium and coverage limits to evaluate the specific terms.

Retroactive date: Cyber policies are claims-made, covering incidents discovered and reported during the policy period, and the retroactive date limits how far back the incident itself may have begun. The best policies have full prior acts coverage, meaning an incident discovered during the policy period is covered regardless of when it started; policies with a limited retroactive date exclude incidents that began before that date. This matters because intrusions commonly go undetected for months, and an attacker who gained access before your retroactive date can produce an uncovered claim. Incidents you already knew about at inception are excluded in either case.

Waiting period for business interruption: Most policies have a waiting period, typically 8 to 24 hours, before business interruption coverage begins. If your store goes offline, you receive no lost revenue reimbursement for the first 8 to 24 hours. A shorter waiting period is better, but policies with 8-hour waiting periods typically cost more than those with 24-hour periods. Also check whether the policy includes dependent (contingent) business interruption for outages at providers you rely on, such as your hosting platform or payment processor; for a store on a hosted platform that is the likelier outage, and the coverage is often sublimited or omitted.

Social engineering coverage: Business email compromise, where an attacker impersonates a vendor or executive to trick you into wiring money or changing a vendor's bank details, is one of the most common and costly cyber threats to small businesses. Not all cyber policies cover social engineering losses. Verify that your policy includes this coverage, or add it as an endorsement, and read the sublimit: social engineering coverage is routinely capped well below the main policy limit. Some insurers also condition it on a verification procedure, such as confirming any change in payment instructions by phone to a number you already had on file, and will deny a claim where that step was skipped.

Regulatory coverage scope: Confirm that the policy covers defense costs and, where insurable, fines from both state and federal regulators, and if you sell internationally, from foreign privacy authorities such as the UK's ICO under the UK GDPR or an EU supervisory authority under the GDPR. Some policies limit regulatory coverage to specific jurisdictions.

Breach coach and vendor panel: Many cyber insurers provide a breach coach, typically an attorney specializing in data breach response, who coordinates your incident response. They also maintain a panel of pre-approved forensic investigators, notification vendors, and credit monitoring providers. Using the insurer's panel typically streamlines the claims process and may be required by the policy terms; most policies also require the insurer's consent before you incur covered costs, so call the breach hotline before you hire anyone. Having the breach coach retain the forensic firm, rather than hiring it yourself, also keeps the investigation's findings under attorney-client privilege as far as the law allows.