Cyber liability insurance for Southeast contractors and small business (2026)
What contractors actually need, what it costs, why MFA matters, and the wire fraud coverage most small businesses skip.
Updated June 2026 · Reviewed by Winfield Lee, Bettr Coverage (Statesboro, GA)
Short answer
Cyber liability insurance for a small SE contractor in 2026 costs $1,200-$4,500 per year for $1 million in coverage on a clean operation with basic security controls (MFA, endpoint protection, backups). Contractors with under 25 employees and under $5M revenue land in the middle. Adding $5M coverage costs $3,500-$8,500/year. The biggest premium driver is multi-factor authentication — without MFA, premiums double or coverage gets declined.
What cyber liability covers for a contractor
First-party coverage (damage to your business)
Ransomware payment and recovery — if you choose to pay the ransom (most contractors don't; restoration from backups is usually faster)
Data restoration — rebuilding systems and data from backups, hiring incident response firms
Business interruption — lost revenue while systems are down
Breach notification costs — required by state laws if customer data is exposed
Credit monitoring — for affected customers (typically 1-2 years)
Public relations response — crisis communications
Regulatory defense — state attorney general investigations, HIPAA fines if applicable
Third-party coverage (lawsuits against your business)
Lawsuits from clients whose data was exposed
Lawsuits from employees whose PII was exposed
Defense and judgments related to the cyber incident
The #1 contractor cyber claim: wire fraud
The most common cyber claim for SE contractors in 2026 is not ransomware. It's wire fraud — also called Social Engineering Fraud or Funds Transfer Fraud. The attack pattern:
Attacker compromises a subcontractor's or supplier's email account (often through phishing)
Attacker monitors the email for weeks, learning your billing patterns and vendor relationships
At the right moment, attacker sends a spoofed email impersonating the vendor: "Hey, we've changed banks — wire the next payment to this new account. Need it today."
Your bookkeeper wires $50K, $100K, or $250K to the fraudulent account
By the time anyone notices, the money is in 3 international accounts
Standard crime policies and standard cyber policies often exclude or sublimit this coverage. Add an explicit Social Engineering Fraud endorsement of at least $250K-$500K. Cost: $400-$1,200/year. Worth every penny.
Why MFA is the underwriting line in 2026
Multi-factor authentication (MFA) reduces successful breach rates by over 90% on the most common attack vectors (credential stuffing, phishing, password spraying). Carrier data shows MFA-deployed accounts experience dramatically fewer losses.
In 2026, the major cyber markets require:
MFA on email (Microsoft 365, Google Workspace) — table stakes
MFA on remote desktop and VPN — required by most
MFA on admin accounts (your accountant logging into QuickBooks, your IT person with domain admin) — required by most
Endpoint Detection and Response (EDR) — required for $5M+ limits
Offline or immutable backups — required for ransomware coverage
If your application says "yes, we have MFA" and you don't actually have it deployed at the time of loss, the carrier can rescind the policy. Don't lie on the app.
2026 cost ranges by contractor size
Annual revenue | $1M coverage | $3M coverage | $5M coverage
Under $1M | $900 – $1,800 | $1,800 – $3,200 | $2,800 – $5,000
$1M – $5M | $1,400 – $2,800 | $2,600 – $4,500 | $3,800 – $6,800
$5M – $15M | $2,200 – $4,200 | $3,800 – $6,500 | $5,500 – $9,500
$15M – $50M | $3,500 – $6,500 | $5,800 – $10,500 | $8,500 – $15,000
Add 30-60% if no MFA. Add Social Engineering endorsement at $400-$1,200/year regardless of size.
Most BOP policies include some cyber coverage as an endorsement with $50K-$250K sublimits — enough for a contractor under $1M revenue but not for one handling credit cards, ACH wires, or larger contracts.