Do I Need Cyber Insurance After a Data Breach? What Small Business Owners Should Know

The Short Answer

Cyber insurance covers breach response costs—forensic investigation, legal counsel, notification expenses, credit monitoring, and defense costs—but only if purchased before a breach occurs. State breach notification laws require disclosure within 30–90 days; federal rules impose stricter timelines

$4.88 million
Global average data breach cost in 2024

Review your state's breach notification law and CISA's incident response planning guidance to assess your security posture before applying for

A small contractor discovers unauthorized access to customer payment information stored in their accounting system. They must notify affected customers within 45 days under state law, hire a forensic firm to investigate, pay for credit monitoring services, and consult legal counsel on compliance—totaling $30,000+ out of pocket. They realize cyber insurance would have covered these costs and now face stricter underwriting because of the prior breach.

Hands-On Operator

Cyber insurance can cover breach response costs, but only if you had it before the breach occurred. If your business just had a data breach, you’re probably asking two questions: what do I have to do right now, and can insurance cover any of this? The global average cost of a data breach reached $4.88 million in 2024 [1] IBMIBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs, and while your small business won’t hit that average, the notification requirements alone will cost real money. Here’s what you’re legally required to do, what those requirements cost, and whether cyber insurance makes sense going forward.

What You’re Legally Required to Do After a Breach

All 50 states have enacted security breach laws, requiring disclosure to consumers when personal information is compromised, among other requirements. [2] National Conference of State LegislaturesSecurity Breach Notification Laws The notification requirements kick in the moment you discover unauthorized access to customer data. You’re not deciding whether to notify — you’re deciding how fast you can comply. The timeline varies by federal rule and state statute. If you handle health information covered by the FTC’s Health Breach Notification Rule, you must notify each affected person “without unreasonable delay” – and within 60 calendar days after the breach is discovered. [3] Federal Trade CommissionComplying with FTC's Health Breach Notification Rule Financial institutions must notify the FTC as soon as possible – and no later than 30 days after discovery – of a security breach involving the information of at least 500 consumers. [4] Federal Trade CommissionSafeguards Rule notification requirement now in effect If you’re a public company and the breach is material, you must file an Item 1.05 Form 8-K within four business days of the materiality determination. [5] U.S. Securities and Exchange CommissionDisclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents Most small businesses fall under state breach notification laws, which generally require notification “without unreasonable delay” or within a specific window — often 30 to 90 days depending on the state. The clock starts when you discover the breach, not when the breach occurred.

The Costs You’ll Face Without Insurance

Breach notification is not a one-email job. You’ll pay for forensic investigation to figure out what was accessed, legal counsel to navigate notification requirements, written notices to customers (postal mail is often required), credit monitoring services for affected individuals, call center support to answer questions, and potential regulatory fines if you miss deadlines or fail to comply. Recovery takes more than 100 days for most of the small number (12%) of breached organizations that are able to fully recover. [6] IBMIBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs During that time, you’re still running your business — or trying to. In 2024, the FBI reported over $2.7 billion in losses from business email compromise alone, just one of many threats businesses face. [7] Cybersecurity and Infrastructure Security AgencySecure Your Business — Small and Medium Businesses That figure captures direct financial theft, but doesn’t count the notification and recovery costs that follow a breach. For a small business, the notification costs alone can run tens of thousands of dollars if you’re notifying more than a few hundred customers. Add forensic investigation, legal fees, and credit monitoring, and you’re looking at a five-figure expense minimum. If the breach leads to a lawsuit or regulatory action, the costs escalate.

What Cyber Insurance Covers (If You Had It Before the Breach)

Cyber insurance is first-party coverage for your own breach response costs and third-party liability coverage for claims against you. It does not work like general liability, where you can buy it after an incident and file a claim. The breach has to occur during the policy period, and you need to have been insured before it happened. A typical cyber policy covers:
  • Forensic investigation to determine what was accessed and how the breach occurred
  • Legal counsel to guide breach notification and regulatory response
  • Notification costs — printing, postage, call center services
  • Credit monitoring services for affected individuals (usually required by state law)
  • Public relations support to manage the reputational damage
  • Business interruption losses if your systems go down during the breach or recovery
  • Ransom payments if the breach involves ransomware (coverage varies by policy)
  • Defense costs and settlements for lawsuits filed by customers, employees, or business partners
  • Regulatory fines and penalties (where insurable under state law)
What cyber insurance does not cover:
  • Breaches that occurred before the policy inception date
  • Losses from your own intentional misconduct
  • Infrastructure upgrades or improvements to your security systems (those are your cost)
  • Lost revenue from customers who leave after the breach (business income coverage is time-limited and tied to system downtime, not customer attrition)

Should You Buy Cyber Insurance After a Breach?

If you just had a breach, cyber insurance will not cover it. The question is whether you buy it going forward. Only 40% to 50% of mid-market companies with $100M to $1B in topline revenue have purchased cyber insurance. [8] American Academy of ActuariesCyber Insurance Nears an Inflection Point For smaller businesses, the uptake rate is lower. The reasons are cost, underwriting complexity, and the belief that “it won’t happen to us.” Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. [9] Cybersecurity and Infrastructure Security AgencyCyber Guidance for Small Businesses If your business meets any of these criteria, cyber insurance is worth evaluating:
  • You store or process customer payment information, Social Security numbers, health records, or other regulated personal data.
  • You rely on digital systems for daily operations — if your systems go down, revenue stops.
  • You have contracts with clients that require cyber insurance or that impose liability on you for data security failures.
  • You’ve already had one breach and cannot afford another uninsured response.
The underwriting process after a breach will be harder. Insurers will ask about the prior incident, what caused it, and what you’ve done to fix the gaps. Expect a detailed application covering your security controls: multi-factor authentication, encryption, endpoint protection, backup procedures, employee training, and incident response planning. If you can demonstrate that you’ve addressed the vulnerabilities that caused the first breach, you can still get coverage — but the premium will reflect your history.

What Underwriters Will Ask About

Cyber insurance applications are more detailed than general liability applications. Underwriters want to know:
  • Do you require multi-factor authentication for remote access and privileged accounts?
  • Do you encrypt sensitive data at rest and in transit?
  • Do you have endpoint detection and response tools on all devices?
  • Do you maintain offline, immutable backups that can survive a ransomware attack?
  • Do you conduct regular security training for employees?
  • Do you have an incident response plan that outlines roles and responsibilities?
CISA recommends that organizations lead development of an incident response and disaster recovery plan outlining roles and responsibilities. [10] Cybersecurity and Infrastructure Security AgencyCyber Essentials If you don’t have one, building it before you apply for cyber insurance will improve your insurability and lower your premium. Underwriters will also ask about your revenue, the type of data you handle, your industry, and whether you’ve had prior claims or breaches. If you disclose a recent breach, be prepared to provide a detailed timeline, root cause analysis, and remediation steps. Honesty here is non-negotiable — if you fail to disclose a known breach and later file a claim, the insurer can deny coverage based on material misrepresentation.

The Bottom Line

Cyber insurance does not fix a breach that already happened. If you’re in the middle of a breach response, you’re paying out of pocket unless you already had coverage in force. The decision to buy cyber insurance after a breach is a decision about the next incident — and whether you can afford to self-insure the notification costs, legal fees, and potential claims that follow. For small businesses that handle customer data, operate digitally, or face contractual liability for security failures, cyber insurance is risk transfer that makes sense. For businesses with minimal data exposure and strong internal controls, self-insurance may be viable — but only if you can cover a five- to six-figure breach response without jeopardizing operations. Start by documenting what you’ve fixed since the breach. Then get quotes from brokers who specialize in cyber insurance for small businesses. Compare the premium to the cost you just absorbed, and decide whether you’re willing to absorb it again.

Sources

  1. IBMIBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs “the global average cost of a data breach reached $4.88 million in 2024” Accessed 2026-06-04
  2. National Conference of State LegislaturesSecurity Breach Notification Laws “All 50 states have enacted security breach laws, requiring disclosure to consumers when personal information is compromised, among other requirements.” Accessed 2026-06-04
  3. Federal Trade CommissionComplying with FTC's Health Breach Notification Rule “you must notify each affected person "without unreasonable delay" – and within 60 calendar days after the breach is discovered.” Accessed 2026-06-04
  4. Federal Trade CommissionSafeguards Rule notification requirement now in effect “The amendment requires financial institutions to notify the FTC as soon as possible – and no later than 30 days after discovery – of a security breach involving the information of at least 500 consumers.” Accessed 2026-06-04
  5. U.S. Securities and Exchange CommissionDisclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents “it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination” Accessed 2026-06-04
  6. IBMIBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs “recovery taking more than 100 days for most of the small number (12%) of breached organizations that were able to fully recover.” Accessed 2026-06-04
  7. Cybersecurity and Infrastructure Security AgencySecure Your Business — Small and Medium Businesses “In 2024, the FBI reported over $2.7 billion in losses from business email compromise alone, just one of many threats businesses face.” Accessed 2026-06-04
  8. American Academy of ActuariesCyber Insurance Nears an Inflection Point “only 40% to 50% of mid-market companies with $100M to $1B in topline revenue have purchased cyber insurance.” Accessed 2026-06-04
  9. Cybersecurity and Infrastructure Security AgencyCyber Guidance for Small Businesses “Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware.” Accessed 2026-06-04
  10. Cybersecurity and Infrastructure Security AgencyCyber Essentials “Lead development of an incident response and disaster recovery plan outlining roles and responsibilities.” Accessed 2026-06-04