Small firms often want one cyber price, and the coverage never gives one cleanly. The premium is built from what you could lose in a breach and how hard you are to breach in the first place. The honest way to get a number is a quote built on your actual operation. What follows is what moves that number and why.
The data you hold
The leading input is the sensitivity and volume of the data you keep. Client names, financial records, health information, and payment data all raise the stakes of a breach, because they drive notification costs, regulatory exposure, and the odds of a lawsuit. A small firm holding a large set of sensitive records can carry more exposure than a bigger firm that holds almost nothing. Carriers price the potential loss, and your data is what sets that ceiling.
Security controls
This is the input you most control. Multi-factor authentication, tested and offline backups, endpoint detection and response, patching discipline, and staff training are the first questions on most cyber applications. They map to the attack paths carriers see most often, so their presence or absence tends to move the rating directly. Turning these on before you shop is not just good hygiene, it changes how your application reads and can open doors to carriers that will not quote without them.
Revenue
Revenue scales the exposure. It stands in for how much business flows through your systems, how many clients could be affected, and how large a business-interruption loss could run if you went dark. More revenue generally means more to lose, so it lifts the rating even for a firm with strong controls. Like other rated figures, it is worth keeping accurate.
Industry
Your industry shapes both what you hold and what attackers want. A firm handling health records, legal files, or financial data sits in a different tier than one that holds little sensitive information, because the target value and the regulatory backdrop differ. Industry is largely fixed, but it explains why two firms of the same size can price apart on cyber. It also shapes the rules you answer to, because sectors that handle regulated data carry notification and reporting duties that raise the cost of an incident. A carrier pricing your policy is pricing that backdrop, not just your systems.
Claims and incident history
History follows the account. A prior breach, ransomware event, or even a reported fraud attempt tells a carrier something about future risk and how the firm responds under pressure. A clean record helps over time, and a documented, well-handled past incident reads better than a vague one. This driver rewards good records and steady improvement to your controls. It is also why documentation matters as much as the event itself, since a firm that can show what happened, what it changed, and how it hardened afterward reads as a better risk than one that cannot. Time and clean operation move this input in your favor.
What tends to lower it
The savings usually come from strengthening the account, not chasing the cheapest policy. Turning on multi-factor authentication everywhere, testing and isolating backups, deploying endpoint protection, keeping systems patched, and training staff on phishing all improve how you present. Matching the coverage to the data you actually hold, rather than a generic assumption, keeps you from paying for exposure you do not carry or leaving a gap you do.
Questions to ask your advisor
- What data do we hold that is driving our exposure?
- Which security controls would most improve how our application reads?
- Are our backups tested and isolated enough to matter to a carrier?
- Is our coverage sized to our real data and revenue, not a generic assumption?
- How would a prior incident be presented so it reads fairly?
A coverage review looks at both sides: that you are not overpaying for exposure you do not carry, and that you are not underinsured against a breach that would actually hurt.
Want guidance first? Compare your coverage. Already know what you need? Get a quote.