What Is Data Breach Insurance

Josh Amishav · Last updated Mar 20, 2026 · 7 minute reading time

Learn what data breach insurance covers and how to get the best rates.

• Data breach insurance covers costs that traditional policies don’t – forensic investigation, legal fees, customer notification, regulatory fines. Without it, you’re paying those bills out of pocket
• Premiums range from $1,000-$7,500/year for small businesses up to $100,000+ for enterprises. Your industry and security controls are the biggest pricing factors
• Insurers commonly deny claims when companies had unpatched systems or lacked basic controls like MFA. Your policy won’t help you if you weren’t doing the minimum
• Insurers scan for your leaked credentials during underwriting. If they find exposed passwords before you do, expect higher premiums or denial. Credential monitoring lets you clean up that exposure before it counts against you

The average data breach costs $4.44 million according to IBM’s 2025 report. Most companies can’t absorb that kind of hit without help.

Cyber insurance covers what traditional policies don’t. Forensic investigation, legal fees, customer notification, regulatory fines – these costs add up fast after a breach.

But insurers are getting pickier about who they’ll cover and at what price. Your security controls directly affect your premiums and whether you can even get a policy.

This guide covers what data breach insurance includes, what it costs, what it won’t cover, and how to qualify for better rates.

What Does Data Breach Insurance Cover?

Traditional business insurance won’t help you after a cyber attack. General liability and property policies specifically exclude digital incidents.

Data breach insurance (also called cyber insurance or cyber liability insurance) is a policy that covers the financial costs of responding to a data breach or cyber attack. It pays for forensic investigation and legal defense, plus customer notification and regulatory fines that follow a breach.

Data breach insurance coverage falls into two categories: first-party and third-party.

First-party coverage pays for your own costs:

  • Forensic investigation – hiring experts to figure out what happened and how attackers got in
  • Customer notification – contacting affected individuals as required by data breach notification laws
  • Credit monitoring – providing identity protection services to affected customers
  • Business interruption – lost revenue while your systems are offline during recovery
  • Data restoration – rebuilding databases and systems from backups
  • Ransom payments – some policies cover ransomware payments and negotiation costs

Third-party coverage pays when others come after you:

  • Legal defense – attorney fees when customers or partners sue
  • Regulatory fines – penalties from GDPR, HIPAA, and state regulators
  • Settlement costs – payouts from class-action lawsuits or individual claims
  • Media liability – costs related to privacy violations in your communications

The split matters because some policies emphasize one side over the other. Make sure your policy covers both.

How Much Does Data Breach Insurance Cost?

Premiums depend on your company size, industry, and security controls.

Here’s what companies typically pay:

  • Small businesses (under 50 employees) – $1,000-$7,500/year for $1 million in coverage
  • Mid-size companies (50-500 employees) – $10,000-$50,000/year depending on industry and data types
  • Enterprises (500+ employees) – $50,000-$200,000+ annually for multi-million dollar coverage limits

Several factors push premiums higher:

Industry matters. Healthcare and financial companies pay the most because they handle sensitive data and face strict regulations. A healthcare company might pay 2-3x what a retail business pays for the same coverage limits.

Data volume matters. The more records you store, the more a breach costs. Insurers price accordingly. If you hold millions of customer records, expect higher premiums.

Claims history matters. A previous breach can double or triple your renewal premium. Some insurers won’t renew at all after a claim.

Security controls matter most. This is the one factor you can directly influence. Companies with MFA and EDR get better rates than those without. Credential monitoring helps too. We’ll cover this in detail below.

Do Small Businesses Need Data Breach Insurance?

Yes. Small businesses are targeted more often than most people realize, and they’re far less likely to survive the financial hit.

Cyber liability insurance is the broader category that includes data breach coverage plus other cyber-related protections. It covers network security failures and privacy liability in addition to data breach response costs. Data breach insurance is one component of a full cyber liability policy.

Small companies don’t have the cash reserves to pay for forensic investigation and legal fees on top of lost revenue from downtime. A single breach can wipe out months of profit.

There’s also a perception gap. Many small businesses assume they’re too small to be targeted. But attackers use automated tools that scan for vulnerabilities regardless of company size. If your systems are exposed, you’ll get hit.

The consequences of a data breach hit small companies hardest proportionally. A $200,000 breach response bill threatens a small business’s survival. For a Fortune 500 company, it’s a rounding error.

A basic cyber policy with $1 million in coverage costs many small businesses less than $200 per month. That’s cheap compared to the alternative.

What Won’t Data Breach Insurance Cover?

Every policy has exclusions. What’s NOT covered matters as much as what is.

Common exclusions that catch companies off guard:

Unpatched known vulnerabilities. If a critical patch was available and you didn’t apply it, your insurer can deny the claim. The Equifax breach is the textbook example – they knew about the Apache Struts vulnerability for months before attackers exploited it. An insurer would have strong grounds to deny that claim.

Pre-existing conditions. If you knew about a security gap before the policy started and didn’t fix it, the insurer won’t cover a breach that exploits it. This includes leaked credentials. If your employees’ passwords are sitting on the dark web and you haven’t reset them, an insurer could argue you knew about the exposure and failed to act. Insurers actively scan for compromised credentials during underwriting – if they find leaked credentials before you do, expect higher premiums or outright rejection.

Intentional acts. If an employee deliberately causes a breach or steals data, most policies exclude the resulting costs.

Social engineering losses. Some policies exclude wire fraud from business email compromise. An employee getting tricked into wiring money to a fake vendor may not be covered. Check whether your policy covers “social engineering fraud” specifically.

War and nation-state attacks. Most policies include a “war exclusion” clause. If an attack is attributed to a nation-state, the insurer may deny coverage. This became contentious after the NotPetya attack, when insurers tried to classify it as an act of war.

Contractual penalties. Fines from PCI DSS violations or contractual breach penalties may not be covered depending on your policy.

What to look for in a policy:

Read the exclusions section before anything else. Ask your broker specifically about social engineering coverage and war exclusions. Make sure ransomware payments are covered if that matters to your risk profile. And confirm that regulatory fines in your jurisdiction are covered – some policies only cover “insurable” fines, which varies by state.

How Do You Qualify for Better Rates?

Insurers don’t just want your premium. They want to know you won’t file a claim. The better your security controls, the less risk you represent.

Controls that directly lower premiums:

Multi-factor authentication. This is table stakes. Most insurers won’t even offer a policy without MFA on email and VPN. Coalition’s 2024 data shows that 82% of denied claims involved companies without MFA. Having MFA everywhere is the single fastest way to lower your premium.

Endpoint detection and response (EDR). EDR on all endpoints with 24/7 monitoring is now a top requirement. 65% of insurers expect it because it cuts breach impact and speeds up response. Many won’t issue policies above certain coverage thresholds without it.

Tested incident response plan. Having a documented data breach response plan is good. Having one you’ve actually tested with tabletop exercises is better. Insurers know that companies with practiced response plans contain breaches faster and file smaller claims.

Encrypted backups. Immutable, offline backups are increasingly required. They’re your last line of defense against ransomware, and insurers know that companies with good backups file smaller claims.

Credential monitoring. This ties directly to the pre-existing conditions exclusion above. Insurers already use dark web exposure data to price your risk. Dark web intelligence vendors sell credential exposure data directly to underwriters to assess breach likelihood. In 2026, identity cyber scores that factor in credential exposure are becoming a standard underwriting metric. A poor score can mean automatic decline or higher premiums.

If your employees have hundreds of exposed passwords on the dark web, that’s already counting against you. Dark web monitoring lets you find and reset those credentials before they hurt your underwriting profile – and before attackers use them. IBM’s 2025 report found that credential-based breaches cost $4.67 million on average and take 246 days to detect. They’re the most expensive breach type specifically because stolen credentials are so hard to spot.

Patch management. Automated patching with documented compliance shows insurers you’re not leaving known vulnerabilities open. Given that unpatched systems are a common exclusion trigger, this protects both your security and your coverage.

Employee security training. Regular phishing simulations and security awareness training show that you’re reducing human error, the leading cause of breaches.

The application process itself is getting more rigorous. Expect detailed questionnaires about your security stack and access controls. Some insurers now require third-party security assessments before issuing policies.

Better security pays off twice: you’re less likely to get breached, and you pay less for insurance when you do.

If you want to see what employee credentials are already exposed, book a demo to see how Breachsense monitors the dark web for your leaked data.

Data Breach Insurance FAQ

Data breach insurance is a type of cyber insurance that covers the costs of responding to a data breach. This includes forensic investigation and legal fees, plus customer notification and regulatory fines. It also covers business interruption losses while your systems are down.

Premiums vary widely. Small businesses typically pay $1,000-$7,500 per year for $1 million in coverage. Mid-size companies pay $10,000-$50,000. Enterprise policies with higher limits can exceed $100,000 annually. Your industry and security controls are the biggest pricing factors.

No. Traditional general liability and property insurance policies specifically exclude cyber incidents. Some business owner policies include minimal cyber coverage, but it’s rarely enough to cover a real breach. You need a dedicated cyber insurance or data breach insurance policy.

Most policies exclude breaches caused by unpatched known vulnerabilities and pre-existing security gaps you knew about. Intentional acts by employees are also excluded. Some policies won’t cover social engineering losses or ransomware payments. War and nation-state attacks are commonly excluded too.

Yes. Small businesses are targeted more often than you’d expect, and they’re less likely to survive the financial hit. A breach that costs $200,000 to clean up can threaten a small company’s survival. Insurance can be the difference between recovery and shutdown.

Insurers give better rates to companies with strong security controls. MFA and EDR are the top two requirements. A tested incident response plan also helps. Insurers use dark web credential exposure data in underwriting, so monitoring for leaked credentials and resetting them improves your risk profile.