Nadler Insurance — Since 1927

Cyber liability: it's not just for tech companies

By Zach Nadler

If your business stores client emails, runs credit cards, or has a website with a login, you have cyber exposure. Cyber liability insurance isn't just for tech companies — it's for any business that handles data. Here's what it actually covers, what it costs, and how to know if you need it.


Cyber Insurance Sounds Like a Big-Company Thing. It's Not.

If your business does any of these:

  • stores client emails
  • runs credit cards
  • has a website with a login
  • uses cloud software (QuickBooks, Google Workspace, anything)
  • keeps customer data on a laptop

    …you have cyber exposure.

    And yes, that includes the restaurant with the POS system, the contractor with the client spreadsheet, and the consultant with the inbox full of sensitive project files.

    What Cyber Liability Actually Covers

    Cyber liability typically breaks into two buckets:

    First-party coverage (your losses):

  • Data breach notification costs (California law requires you to notify affected individuals — CA Civil Code § 1798.82)
  • Forensic investigation (figuring out what happened)
  • Data recovery
  • Business interruption from a cyber event
  • Ransomware payments (controversial, but some policies cover this)

    Third-party coverage (claims from others):

  • Lawsuits from clients whose data was compromised
  • Regulatory fines and penalties
  • Credit monitoring for affected individuals

    "But I'm a Small Business. Who's Going to Hack Me?"

    This is the most common objection I hear. And I get it — it feels like cyber attacks target the big guys.

    The reality is the opposite. Small businesses are easier targets because they have less protection. Automated attacks don't care how big you are. They scan for vulnerabilities, and small businesses tend to have more of them.

    A phishing email doesn't know your revenue. It just knows someone clicked a link.

    According to IBM's Cost of a Data Breach Report, the average cost of a data breach for organizations with fewer than 500 employees exceeds $100,000 when you add up forensics, notification, legal, and lost business.

    Four Real-World Scenarios for Main Street Businesses

    The contractor whose email gets compromised. Someone sends a fake invoice from "your" email to a client. Client pays $40,000 to the wrong account. Now everyone's pointing fingers.

    The restaurant with a POS breach. Credit card numbers get skimmed. You're on the hook for notification costs, potential fines, and the forensic investigation to figure out what happened.

    The consultant whose laptop gets stolen. Client files, financial data, strategic plans — all on a device that's now in someone else's hands.

    The small business hit with ransomware. Your files are locked. Someone wants $10,000 in Bitcoin to unlock them. Your IT person says recovery could take weeks.

    None of these require a sophisticated hacking operation. They require one mistake, one weak password, or one stolen device.

    What It Costs

    Cyber liability for a small business is often surprisingly affordable. For a business with under $5M in revenue and basic cyber hygiene, you might be looking at $500 to $2,000 a year depending on your industry, data volume, and risk profile.

    Compare that to the six-figure cost of an actual breach.

    Key Takeaways

  • Any business that handles data has cyber exposure — emails, credit cards, client files, cloud software, all of it.
  • Standard BOP and GL policies almost never cover cyber events. Some have tiny sublimits. Most have outright exclusions.
  • Small businesses are disproportionately targeted because they have weaker defenses and automated attacks don't discriminate by size.
  • Cyber liability covers both your losses and claims from others — breach notification, forensics, business interruption, lawsuits, and regulatory fines.
  • Cost: roughly $500–$2,000/year for most small businesses with under $5M in revenue. That's a fraction of what a breach actually costs.

    What I'd Recommend

    If you're a Peninsula business owner and you're not sure whether you need cyber coverage:

  • Ask yourself what data you hold. Client names, emails, credit cards, health info, financial records — any of those create exposure.
  • Check your existing policies. Your BOP or GL almost certainly does NOT cover cyber events.
  • Get a standalone cyber quote. It's usually the only way to get meaningful coverage.
  • Send me a quick note about what your business does and what data you handle. I'll tell you whether cyber coverage makes sense and what a ballpark quote looks like.


    Zach Nadler is a 4th-generation insurance broker at Nadler Insurance in San Carlos, CA.