For a small healthcare practice, a one-million-dollar standalone cyber policy is often more affordable than owners expect. In one real comparison we ran for a small mental-health practice, with about one hundred fifty thousand dollars in revenue and roughly four hundred patient records, seven markets quoted the same one-million-dollar limit at a total annual cost ranging from about nine hundred thirty dollars to about seventeen hundred dollars. Those figures are a real example, not a rate for your practice, but they show the range is usually modest.
What you are actually paying for
A cyber premium buys a limit, but the coverage behind that limit is what matters. In that same comparison, every market offered the one-million-dollar limit, yet the coverage that responds to the most likely loss varied widely. Cyber crime and social engineering were commonly sublimited to two hundred fifty thousand dollars under the one-million-dollar policy, and invoice manipulation ranged from fifty thousand to two hundred fifty thousand dollars depending on the carrier. Two policies at the same price can protect the practice very differently.
What moves the premium
A handful of factors drive cyber pricing for a practice:
- Records held. More patient records means more notification exposure and a higher premium.
- Revenue and size. A larger or multi-location practice pays more than a solo office.
- Security controls. Multi-factor authentication, tested backups, and email security often lower the price, and their absence can raise it or make a market decline.
- Deductible. In the comparison, deductibles ran from one thousand to five thousand dollars, and a lower deductible generally raises the premium.
- Admitted or non-admitted. Non-admitted, surplus-lines markets carry taxes and fees that admitted markets do not, which can change the total even when the base premium is lower. See admitted vs non-admitted cyber.
Why the cheapest quote is not automatically the best
In the comparison, the lowest total came from a non-admitted, security-focused market, and it was a strong option. But a cheaper policy that sublimits social engineering more tightly, or leaves out an included service like proactive monitoring, is not actually cheaper if the loss you suffer is the one it underpays. The honest way to shop is coverage on equal terms first, price second.
How to get your real number
The only way to know your cost is a real quote, because it depends on your records, revenue, and controls. We compare multiple markets side by side so you see both the premium and the coverage behind it, then match it to how your practice runs. See the market comparison for practices for how the carriers stack up.
Questions to ask your advisor
- What is a realistic cyber premium for a practice my size?
- How do my security controls change the price?
- What sublimit applies to social engineering, and is it enough?
- Is this an admitted or non-admitted policy, and how do taxes and fees affect the total?
- Am I comparing these quotes on equal coverage, or just on price?
Want guidance first? Compare your coverage. Already know what you need? Get a quote.