When I ask small business owners about their cyber exposure, the most common response is some version of: "We're too small for anyone to bother with." It's one of the more expensive misconceptions in commercial insurance, because it's precisely the opposite of how cybercriminals actually operate.
Small businesses are targeted specifically because they hold the same categories of valuable data as large companies — customer records, payment information, employee Social Security numbers, bank credentials — while typically having far weaker security infrastructure. They're easier targets. And most of them have no idea what a breach would actually cost them to resolve.
Start Here: What Data Does Your Business Actually Hold?
Before thinking about insurance, it's worth doing a quick inventory of what your business actually holds. Most owners are surprised by the answer.
| Data type | Who has it | Breach cost driver |
|---|---|---|
| Customer names & contact info | Almost every business | Notification, credit monitoring |
| Payment card data | Any business accepting cards | PCI fines, card replacement costs |
| Employee SSNs & payroll data | Any employer | Identity theft exposure, notification |
| Health-related information | Healthcare-adjacent businesses | HIPAA penalties, notification |
| Bank account & routing numbers | Any business banking online | Wire fraud, direct financial loss |
| Passwords & login credentials | Any business using cloud services | Account takeover, ransom |
Add up how many records you hold across those categories. A small Twin Cities accounting firm might hold tax returns for 400 clients — that's 400 sets of names, addresses, SSNs, income data, and financial account information. A breach affecting those 400 records triggers notification obligations to every one of them, credit monitoring costs, and potential regulatory scrutiny. Notification and monitoring costs alone often run $50–$150 per affected individual.
What Cyber Insurance Actually Covers
Cyber liability policies are typically structured in two parts:
First-party coverage — your own costs
- Breach notification — the cost of notifying affected individuals as required by Minnesota's data breach notification law (Minn. Stat. § 325E.61) and applicable federal regulations
- Credit monitoring — providing affected individuals with identity theft protection services
- Forensic investigation — determining how the breach happened, what was accessed, and how to secure the systems
- Ransomware payments — many policies cover negotiated ransomware payments, though this varies by carrier
- Business interruption — revenue loss during the period your systems are down due to a cyber event
- Social engineering / wire fraud — some policies cover losses from phishing and CEO fraud schemes
Third-party coverage — liability to others
- Lawsuits from affected customers or employees whose data was compromised in the breach
- Regulatory fines and penalties from state or federal agencies
- Media liability — defamation or copyright infringement claims arising from your digital content
The coverage gap most businesses don't know about: General liability policies explicitly exclude cyber events. Your GL will not cover a data breach, ransomware attack, or network intrusion. If you've never bought a separate cyber policy, you have no coverage for these incidents — regardless of what you may have assumed.
The Ransomware Reality for Small Businesses
Ransomware attacks — where criminals encrypt your files and demand payment to restore access — are now the most common cyber incident affecting small businesses. The attacks are largely automated; they don't require a criminal to specifically select your business. Malicious code sweeps for vulnerable systems and encrypts whatever it finds.
A small Minnetonka professional services firm with 12 employees might have its entire network encrypted on a Tuesday morning. No access to client files, accounting software, email, or internal documents. The ransom demand: $45,000 in cryptocurrency. Options: pay the ransom (not guaranteed to work), restore from backup (if a recent backup exists), or rebuild from scratch (weeks of downtime).
A cyber policy covers the forensic investigation, the ransom negotiation, and either the payment itself or the recovery costs. It also covers the business interruption losses during the downtime period. Without coverage, every dollar of that comes from the business.
What It Costs — and What It Doesn't Cover
For most small Minnesota businesses, cyber liability premiums run $500–$2,000 per year for $1M in coverage. Businesses handling payment cards, health data, or large volumes of personal records pay more. The cost is also affected by your security practices — multi-factor authentication, regular backups, employee training, and endpoint protection all reduce risk and can lower your premium.
What cyber policies generally do not cover: intentional acts, pre-existing incidents, war and terrorism, and often insider theft (covered under a crime or fidelity policy instead). Social engineering coverage varies significantly by carrier — worth asking about specifically if wire fraud is a concern for your business.
Tom Wertish
President & Agent
Tom founded Options Insurance in 2014 and works with small businesses across the Twin Cities on cyber liability, data exposure assessment, and commercial insurance programs. If you've never looked closely at what data your business holds and whether it's insured, that conversation usually takes about twenty minutes and changes how owners think about their exposure.
Cyber coverage is one piece of a complete commercial insurance program. Our business insurance page covers the full picture.