Hablamos Español Insurance Companies We Work With
Learning Center

Cyber Insurance Cost Drivers for a Small Firm

By Richard Sweet. Reviewed by Richard Sweet. Updated July 7, 2026.

Already know you need this? Get a quote Compare your coverage →

Small firms often want one cyber price, and the coverage never gives one cleanly. The premium is built from what you could lose in a breach and how hard you are to breach in the first place. The honest way to get a number is a quote built on your actual operation. What follows is what moves that number and why.

The data you hold

The leading input is the sensitivity and volume of the data you keep. Client names, financial records, health information, and payment data all raise the stakes of a breach, because they drive notification costs, regulatory exposure, and the odds of a lawsuit. A small firm holding a large set of sensitive records can carry more exposure than a bigger firm that holds almost nothing. Carriers price the potential loss, and your data is what sets that ceiling.

Security controls

This is the input you most control. Multi-factor authentication, tested and offline backups, endpoint detection and response, patching discipline, and staff training are the first questions on most cyber applications. They map to the attack paths carriers see most often, so their presence or absence tends to move the rating directly. Turning these on before you shop is not just good hygiene, it changes how your application reads and can open doors to carriers that will not quote without them.

Revenue

Revenue scales the exposure. It stands in for how much business flows through your systems, how many clients could be affected, and how large a business-interruption loss could run if you went dark. More revenue generally means more to lose, so it lifts the rating even for a firm with strong controls. Like other rated figures, it is worth keeping accurate.

Industry

Your industry shapes both what you hold and what attackers want. A firm handling health records, legal files, or financial data sits in a different tier than one that holds little sensitive information, because the target value and the regulatory backdrop differ. Industry is largely fixed, but it explains why two firms of the same size can price apart on cyber. It also shapes the rules you answer to, because sectors that handle regulated data carry notification and reporting duties that raise the cost of an incident. A carrier pricing your policy is pricing that backdrop, not just your systems.

Claims and incident history

History follows the account. A prior breach, ransomware event, or even a reported fraud attempt tells a carrier something about future risk and how the firm responds under pressure. A clean record helps over time, and a documented, well-handled past incident reads better than a vague one. This driver rewards good records and steady improvement to your controls. It is also why documentation matters as much as the event itself, since a firm that can show what happened, what it changed, and how it hardened afterward reads as a better risk than one that cannot. Time and clean operation move this input in your favor.

What tends to lower it

The savings usually come from strengthening the account, not chasing the cheapest policy. Turning on multi-factor authentication everywhere, testing and isolating backups, deploying endpoint protection, keeping systems patched, and training staff on phishing all improve how you present. Matching the coverage to the data you actually hold, rather than a generic assumption, keeps you from paying for exposure you do not carry or leaving a gap you do.

Questions to ask your advisor

  • What data do we hold that is driving our exposure?
  • Which security controls would most improve how our application reads?
  • Are our backups tested and isolated enough to matter to a carrier?
  • Is our coverage sized to our real data and revenue, not a generic assumption?
  • How would a prior incident be presented so it reads fairly?

A coverage review looks at both sides: that you are not overpaying for exposure you do not carry, and that you are not underinsured against a breach that would actually hurt.

Want guidance first? Compare your coverage. Already know what you need? Get a quote.

What many people don't realize

The part that catches owners off guard

  • The sensitivity and volume of data you hold is a leading input.
  • Security controls like MFA and backups change how you are rated.
  • Revenue and industry scale and shape the exposure.
  • Incident history follows the account over time.
  • Any real number comes from a quote built on your operation.
The Vantage Point

What we see most often

Small firms often assume cyber is priced on size alone, so a lean shop expects a small number. Size

matters, but carriers price cyber on what you could lose and how hard you are to breach. A small firm

holding sensitive client records can carry more exposure than a larger one that holds almost nothing.

The good news is that several of the biggest inputs are controls you can put in place before you shop.

Multi-factor authentication, tested backups, and endpoint protection are not just security hygiene, they

are underwriting inputs that change how an application reads.

A real example

Consider a composite example, illustrative only. A small firm was quoted as a higher risk because its

application showed no multi-factor authentication and no tested backups, the two controls carriers ask

about first. Tightening those before shopping is the kind of step a review flags early.

Details changed to protect privacy. Shared to illustrate, not to promise an outcome.

Free, two-minute check

See where your coverage stands

Answer a few quick questions and get a clear read on your current coverage in about two minutes. We flag what is worth a closer look.

Compare your coverage
When to review

It may be time for a coverage review if:

  • You hold client PII or PHI
  • You have not turned on multi-factor authentication everywhere
  • Your backups are not tested or are not offline
  • Your revenue or client list grew this year
  • You had a prior incident, breach, or fraud attempt
Compare your coverage Get a quote
Frequently asked

Frequently asked

What drives cyber insurance cost the most for a small firm?
Usually the sensitivity and volume of the data you hold, paired with the security controls you have in place. A firm with sensitive records and weak controls reads as higher risk. Terms vary by carrier.
Does having MFA really change my price?
Often, yes. Multi-factor authentication is one of the first controls carriers ask about because it blocks a common attack path. Its presence or absence tends to move how the account is rated.
Why does my industry matter if we are small?
Industry signals what data you hold and what attackers target. A firm handling health or financial records is a different exposure than one that holds little sensitive data, regardless of size.
Do backups affect cyber pricing?
Generally, yes. Tested, offline backups affect how quickly you can recover from ransomware without paying, which changes the loss a carrier is pricing. Untested backups read as higher risk.
What can a small firm control before shopping?
Mostly the controls: multi-factor authentication, tested backups, endpoint protection, patching, and staff training. These are the questions applications ask, so improving them changes how you present.
Is there a set cyber price for a firm my size?
No. It is assembled from your data, controls, revenue, industry, and incident history, so any single figure would be illustrative. A quote built on your operation is the only accurate number.
RS
Written and reviewed by

Richard Sweet

Founder and Principal Advisor, Vantage Point Risk

Richard Sweet runs Vantage Point Risk, an independent insurance and risk advisory for property owners, real estate investors, business owners, and families. He works with investors every week on the coverage decisions that decide how a claim actually turns out, and writes the Learning Center to put those decisions in plain language.

Reviewed for accuracy by Richard Sweet. Last updated July 7, 2026.

Richard also writes The Vantage Point, notes on building a better business.

This article is general information, not insurance or legal advice. Cyber coverage, controls requirements, and pricing vary by firm, carrier, policy form, and state. Actual premium depends on how your firm operates and comes only from a real quote from a licensed advisor.

Compare your coverage

It's not a quote. It's a real review.

Answer a few quick questions and get a clear read in about two minutes. We will flag what is worth a closer look, and you can hand us your current policy if you want us to dig in. No pressure, no obligation.

We review your current coverage for gaps and overlaps
We compare the market to see if you are overpaying
We tell you what is actually worth changing, and what is not
You get clear answers, even when you are already covered well