Commercial Coverage

Cyber Liability Insurance for Texas Small Businesses.

Most small business owners don’t think they’re a target. The numbers say otherwise. A data breach is a legal event in Texas — with mandatory notification requirements, real costs, and not one dollar of coverage from your existing policies.

The reality of cyber risk for small businesses — by the numbers

43% of cyber attacks target small businesses
Not corporations. Not banks. Small businesses — because they’re easier to breach.

$200K average cost of a cyber attack on a small business
Enough to permanently close 60% of the small businesses that experience one.

287 days — average time to identify and contain a breach
Most businesses don’t know they’ve been breached until months after it happened.

60% of small businesses close within 6 months of a cyber attack
Not from the breach itself — from the financial fallout that follows.

$2.7B lost to business email compromise in 2022
The most common cyber attack on small businesses isn’t a sophisticated hack — it’s a fake invoice or a spoofed email redirecting a payment you’ve already approved.

$150 average cost per breached record to notify and respond
A breach of 500 customer records triggers $75,000 in notification, legal, and monitoring costs alone — before a single lawsuit is filed.

1 in 5 small businesses hit by ransomware paid the ransom
The average ransom demand against small businesses has increased dramatically — and paying doesn’t guarantee your data is restored or not resold.

What Cyber Liability Insurance Covers

Coverage for the real costs of a cyber event — which your BOP, GL, and property policy specifically exclude.

Cyber liability covers your business when a data breach, ransomware attack, phishing scam, or other cyber event creates financial loss, legal obligations, or liability to others. Every standard business insurance policy — GL, BOP, commercial property — excludes cyber events. Cyber liability is the only policy designed for what a breach actually costs.

The costs of a cyber event break into two categories. First-party costs are what the event costs your business directly: breach notification, forensic investigation, system restoration, ransomware response, and business interruption while you’re offline. Third-party costs are liability claims from customers or partners whose data was in your systems when they were compromised. A complete cyber policy addresses both.

For small businesses, cyber liability is often available as a BOP endorsement at a modest additional premium — making coverage accessible even for businesses that haven’t previously thought about it. The cost of coverage is a fraction of the cost of a single incident.

“The question isn’t whether your business has cyber exposure. If you accept a credit card, store a customer’s name and email, or use email to run your business — you do. The question is whether that exposure is covered.”

Texas law requires businesses to notify affected customers when their personal information is breached — regardless of how small the business is or how few records were exposed. That notification process has legal and financial costs that no standard policy covers. Cyber liability specifically does.


What cyber liability covers:

  • Breach notification costs: Legal review, mailing, and credit monitoring required to notify customers under Texas law

  • Ransomware response: Ransom payment process, data recovery, and system restoration after a ransomware attack

  • Business interruption: Lost income and extra expenses when a cyber event takes your systems offline

  • Forensic investigation: IT forensics to identify how the breach occurred and what data was accessed or exposed

  • Third-party liability: Claims from customers or partners whose data was compromised by a breach of your systems

  • Regulatory defense & fines: Defense costs and covered fines from regulatory investigations following a data breach

Texas Data Breach Law — What It Requires

Texas law creates mandatory notification obligations when customer data is breached. Size of your business doesn’t matter.

Notification is required — with a deadline and penalties

The Texas Identity Theft Enforcement and Protection Act requires businesses to notify affected individuals “as quickly as possible” after a breach of personal information. For breaches affecting 250 or more Texas residents, you must also notify the Texas Attorney General within 30 days. Civil penalties for failure to notify can reach $500 per individual — up to $500,000 per breach event.

What triggers the notification requirement

Texas’s definition of personal information is broad: Social Security numbers, driver’s license numbers, financial account numbers, payment card information, and health insurance information when combined with a person’s name. If you process credit cards through a POS system, store customer emails paired with addresses, or hold any financial account information — you have notification obligations under Texas law if that data is breached.

Notification costs are uncovered without cyber insurance

Complying with the notification requirement costs money: legal review, mailing or electronic delivery to each affected customer, credit monitoring services, and a customer inquiry process. For a breach of 500 customers, estimated costs start around $75,000 and rise from there. None of this is covered by GL, property, or a standard BOP. Cyber liability covers it specifically — and that’s often what makes the difference between a manageable incident and a business-ending one.

First-Party vs. Third-Party Cyber Coverage

A complete cyber policy covers what the breach costs you — and what it costs others.

Cyber liability addresses two categories of loss. Both matter. A policy that only covers one leaves half the exposure uninsured.

First-Party Coverage

Direct costs your business incurs from a cyber event

Pays for what the breach or attack costs you as the business that experienced it — before anyone else makes a claim against you.

  • Breach notification — legal, mailing, credit monitoring

  • Forensic investigation to identify scope and cause

  • Data recovery and system restoration

  • Ransomware response and recovery

  • Business interruption — income lost while offline

  • Crisis communications after a breach

Third-Party Coverage

Liability to customers and others whose data was compromised

Pays for claims made against your business by parties who suffered harm because their data was in your systems.

  • Customer claims for harm from their data being exposed

  • Legal defense costs for lawsuits from a breach

  • Regulatory investigations and covered fines

  • Claims from business partners whose data you held

  • PCI-DSS fines after a payment card data breach

  • Settlements and judgments in covered claims

Important: Cyber policies vary significantly in sublimits, coverage triggers, and what’s included. A $1M policy with a $25,000 sublimit on ransomware is not $1M of ransomware coverage. We review actual policy terms — not just the summary — before placing any cyber coverage.

Who Needs Cyber Liability

Any business that holds customer data, takes payments digitally, or depends on email and cloud systems to operate.

The threshold is lower than most business owners expect. If you swipe a card, store a customer’s name, or use email to run your business — you have exposure.

Restaurants & Retail

POS systems, online ordering, and loyalty programs collect payment card data. A breach triggers notification obligations and potential PCI fines — regardless of business size.

Professional Services

Accountants, consultants, real estate firms, and others hold sensitive client financial and personal data. A breach creates both liability and significant reputational consequences.

Healthcare & Wellness

Health information is subject to HIPAA and Texas law. A breach carries regulatory consequences and liability well beyond a standard data breach.

Contractors & Trades

Online payment portals and digital project management tools hold customer data. Business email compromise — a spoofed invoice redirecting your payment — is also a constant risk.

Property Management

Tenant financial information, electronic rent payments, and lease records create meaningful breach exposure across every property managed.

Service Businesses

Any business collecting payment or personal information through online booking, scheduling, or checkout holds data with Texas notification obligations if breached.

Any Business Using Email

Business email compromise costs small businesses billions annually — a spoofed vendor email redirecting a payment is the most common incident. Cyber insurance covers the resulting financial loss.

Any Business Storing Customer Records

If you hold names, addresses, payment information, or any personal data — Texas law creates mandatory notification obligations when that data is breached. Cyber covers compliance costs.

Why Get Your Cyber Coverage Through McKnight

Not all cyber policies are equal — the coverage terms matter as much as the limit.

Cyber liability is one of the fastest-evolving coverages in commercial insurance. Policy forms, sublimits, coverage triggers, and security requirements vary significantly between carriers. A policy with a $1M limit but a $50,000 sublimit on ransomware isn’t a $1M ransomware policy. A policy that requires multi-factor authentication but doesn’t confirm you’ve implemented it voids coverage when you need it most. We read the actual policy before placing any cyber coverage — not just the summary sheet.

We also walk clients through what the carrier requires from a security standpoint — multi-factor authentication, backup protocols, employee training requirements. These are coverage conditions. Meeting them keeps your policy enforceable when a claim happens. Failing to meet them gives the carrier grounds to deny coverage at the worst possible moment.

For most small businesses, cyber coverage is accessible at a modest premium — often as a BOP endorsement. The cost of coverage is a fraction of what a single incident costs uninsured. We assess your actual exposure, find the right structure, and make sure the coverage holds up when it matters.

Policy terms reviewed before placement
Sublimits, triggers, and security requirements — we review the actual policy, not the summary, before binding.

Security requirements explained clearly
MFA, backups, employee training — we walk through what the carrier requires so your coverage holds when it’s needed.

100+ carriers
Cyber coverage varies widely. We find the right policy for your business size, data exposure, and budget.

Real answers when you call
817.277.6166, weekdays 8:30–5pm. A breach in progress or coverage questions — we pick up.

FAQ

Cyber liability questions we hear all the time.

Does my BOP or GL cover a data breach?

No — standard BOP and GL policies exclude cyber events and data breaches. Commercial property covers physical damage to physical property, not digital data or the costs of a breach. GL covers physical injury and property damage, not liability from a breach or ransomware attack. Cyber liability is a separate coverage specifically designed for these events. Some BOPs allow cyber to be added as an endorsement — for small businesses this is often the most cost-effective way to get coverage in place.

My business is small — am I really a target?

43% of cyber attacks target small businesses — not because they have more to steal, but because they’re easier to breach. Small businesses are less likely to have multi-factor authentication, employee security training, or dedicated IT staff. Attackers run automated tools that scan for vulnerabilities across thousands of businesses simultaneously — size doesn’t determine who gets targeted, security posture does. And Texas law doesn’t distinguish between large and small businesses when it comes to breach notification obligations. A breach of 50 customer records carries the same legal requirements as a breach of 50,000.

What is business email compromise and how common is it?

Business email compromise (BEC) is one of the most common and costly cyber incidents for small businesses — and it doesn’t require any sophisticated technology to execute. An attacker spoofs or hacks a vendor’s or employee’s email and sends a fraudulent invoice or payment request with updated banking details. You pay what looks like a legitimate bill, and the money goes to the attacker. The FBI reported $2.7 billion in losses to BEC in a single year. Most cyber liability policies cover fraudulent funds transfer — but sublimits vary significantly, so it’s a detail worth verifying when placing a policy.

What does Texas law require when personal data is breached?

The Texas Identity Theft Enforcement and Protection Act requires businesses to notify affected individuals “as quickly as possible” when their personal information is compromised. Personal information includes Social Security numbers, financial account numbers, payment card data, and driver’s license numbers when combined with a person’s name. For breaches affecting 250 or more Texas residents, you must also notify the Attorney General within 30 days. Civil penalties for failure to notify can reach $500 per individual, capped at $500,000 per breach event. Cyber insurance covers the cost of the notification process — legal review, letters, credit monitoring.

What security requirements do cyber insurers impose?

Multi-factor authentication on email, remote access, and administrative accounts is now a near-universal requirement. Regular data backups stored separately from primary systems are required by most carriers. Endpoint protection and patched operating systems are also typically required. These aren’t just underwriting questions — they’re often coverage conditions. A breach that occurs when a required security control wasn’t in place can result in a coverage denial. We walk through these requirements with every client before binding a cyber policy — because knowing what’s required upfront is how you ensure coverage holds when a claim happens.

What should I do immediately if I think I’ve been breached?

Contact your cyber insurance carrier immediately — before taking any other action. Most cyber policies include breach response services: a hotline that connects you with legal counsel, forensic investigators, and incident response specialists. Acting before calling your carrier — communicating publicly about the breach, making ransom decisions without guidance, or taking IT remediation steps that destroy evidence — can complicate your coverage. Preserve all logs and affected systems, don’t delete anything, and let your carrier’s team guide the response. Call us too — we’ll help you engage the right resources quickly.

How much does cyber coverage cost for a small business?

For most small businesses — under 50 employees with moderate payment data — cyber coverage often starts at a few hundred dollars per year as a BOP endorsement, or $500–$1,500 per year as a standalone policy with $1M in coverage. That’s a fraction of the estimated $150 per-record cost of responding to a breach. A business with 500 customer records and no cyber coverage faces $75,000 in notification and response costs from a single incident. We assess your actual exposure and find coverage at a price that makes sense for your operation.

Get Started

Don’t wait until a breach to find out you weren’t covered.

Call us or request a quote. We’ll assess your actual cyber exposure, review the coverage terms that matter, and find the right policy for your business size and the data you hold.

McKnight Insurance Services  ·  Mansfield, TX  ·  Weekdays 8:30am–5pm