Cyber Insurance Calculator
Should you buy cyber insurance, or carry the risk yourself? Enter your annual premium, your expected breach loss, the policy deductible and its limit. The calculator shows the expected cost with insurance (premium plus the risk you retain) against the cost without insurance (the whole expected loss), plus how much the policy actually covers and how much risk stays on your books. Numbers update as you type. This is an educational comparison, not a quote — real premiums depend on underwriting. Benchmarks as of Jun 25, 2026.
| Figure | Amount | What it is |
|---|---|---|
| Expected loss | $200,000 | What a breach is expected to cost before any insurance. |
| Covered by policy | $175,000 | Loss above the deductible, up to the limit, that the insurer pays. |
| Retained risk | $25,000 | Deductible plus any loss above the limit — the part you keep. |
| Premium | $15,000 | What you pay the insurer each year. |
| Cost with insurance | $40,000 | Premium + retained risk. |
| Cost without insurance | $200,000 | The full expected loss, carried yourself. |
Covered = max(0, min(Expected loss, Limit) − Deductible)
Retained risk = Expected loss − Covered (= Deductible + any excess over the Limit, for a loss at or above the deductible; a loss below the deductible is retained in full)
Cost with insurance = Premium + Retained risk
Cost without insurance = Expected loss
How it works
Cyber insurance is a trade: you hand the insurer a known, modest payment — the premium — and in return they take on most of an unknown, potentially ruinous loss. This calculator strips that trade down to its economic core so you can see what you are actually paying for and what you are keeping. It needs four numbers: the premium, your expected breach loss, the deductible and the policy limit. Everything else follows by arithmetic.
Start with what the policy covers. Insurance does not pay from the first dollar, and it does not pay without end. It pays the loss that sits above your deductible and below the limit. So the covered amount is the expected loss capped at the limit, then reduced by the deductible — and never less than zero, because a loss smaller than the deductible is entirely yours. In symbols, covered equals the larger of zero and the smaller of the expected loss or the limit, minus the deductible.
Whatever the policy does not cover, you retain. Retained risk is the expected loss minus the covered amount, and it has two natural parts: the deductible you always pay on a claim, and any portion of the loss that pokes above the policy limit, which the insurer will not touch. For a loss that fits comfortably under the limit, the retained risk is simply the deductible. For a loss that blows through the limit, the excess is added on top — which is exactly why the limit matters as much as the premium.
Now the comparison. With insurance, your expected cost is the premium you pay regardless plus the retained risk you keep: premium + retained. Without insurance, you self-insure, carrying the whole expected loss on your own balance sheet. Put the two side by side. If insurance is lower, it reduces both your expected cost and your worst case — an easy yes. If insurance is higher, you are paying the insurer a margin to take volatility off your hands; that can still be the right call, because a single catastrophic breach can end a small business, and trading a small certain cost for protection against ruin is the whole reason insurance exists.
Two honest caveats. First, this is an expected-value comparison; it cannot price your risk tolerance or the shape of the tail. A policy that looks slightly expensive on average can be the obvious choice if the loss it caps would otherwise be fatal. Second, and importantly, the numbers here are illustrative — this is not a quote. Real premiums are set by underwriting against your revenue, sector, data, controls and claims history, and they move with the insurance market. Use a figure from an actual quote in the premium field, and use this tool to understand the structure of the decision rather than to price the policy.
A worked example
Take the default scenario, pre-filled above. A business has used the breach cost estimator to put its expected breach loss at $200,000. It has a quote for a policy with a $15,000 annual premium, a $25,000 deductible and a $1M limit. Should it buy?
- The expected loss of $200,000 is well below the $1M limit, so the whole loss is in scope — nothing pokes above the cap.
- Covered = min($200,000, $1M) − $25,000 = $175,000, the amount the insurer would pay.
- Retained risk = $200,000 − $175,000 = $25,000 — just the deductible, since the loss fits under the limit.
- Cost with insurance = $15,000 premium + $25,000 retained = $40,000.
- Cost without insurance = $200,000, the full loss carried alone.
Here insurance comes out $160,000 cheaper on the expected value — it lowers both the average cost and the worst case, an easy decision. Now change an input and watch the logic shift. Push the expected loss to $1.5M — above the $1M limit — and the excess over the cap is suddenly added to your retained risk, exposing a coverage gap that argues for a higher limit. Or raise the deductible to lower the premium and see how much more risk you take back in exchange. That is the real value of the tool: it lets you tune premium, deductible and limit against your own expected loss before you sign.
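The arithmetic above, as an added example that is not the page's own calculator code: it applies the four formulas to the default scenario and to the variations the text walks through (a loss above the limit, a loss below the deductible, a higher deductible). The $50,000 deductible / $10,000 premium variation is a constructed value, not a quote from the page.

```python
from dataclasses import dataclass

# Added example, not the calculator's own code: the page's four formulas applied
# to the default scenario and to the variations described in the worked example.

@dataclass(frozen=True)
class Policy:
    premium: float     # annual premium paid to the insurer
    deductible: float  # first slice of every claim, always paid by the insured
    limit: float       # maximum the insurer will pay on a claim

@dataclass(frozen=True)
class Comparison:
    covered: float            # loss above the deductible, up to the limit
    retained: float           # what the insured keeps: deductible plus any excess over the limit
    excess_over_limit: float  # the coverage gap; zero when the loss fits under the limit
    cost_with: float          # premium + retained risk
    cost_without: float       # the whole expected loss, self-insured

def compare(expected_loss: float, policy: Policy) -> Comparison:
    if min(expected_loss, policy.premium, policy.deductible, policy.limit) < 0:
        raise ValueError("inputs must be non-negative")
    # Covered = max(0, min(Expected loss, Limit) - Deductible). The max(0, ...) is what
    # makes a loss smaller than the deductible entirely the insured's.
    covered = max(0.0, min(expected_loss, policy.limit) - policy.deductible)
    retained = expected_loss - covered
    excess = max(0.0, expected_loss - policy.limit)
    return Comparison(covered, retained, excess, policy.premium + retained, expected_loss)

def insurance_saves(expected_loss: float, policy: Policy) -> float:
    """Expected-value gain from buying the policy (negative when the policy costs more)."""
    c = compare(expected_loss, policy)
    return c.cost_without - c.cost_with

if __name__ == "__main__":
    quote = Policy(premium=15_000, deductible=25_000, limit=1_000_000)  # default scenario
    scenarios = [("default", 200_000), ("loss above limit", 1_500_000),
                 ("loss below deductible", 10_000)]
    for label, loss in scenarios:
        c = compare(loss, quote)
        print(f"{label:22s} covered={c.covered:>12,.0f} retained={c.retained:>10,.0f} "
              f"gap={c.excess_over_limit:>10,.0f} with={c.cost_with:>12,.0f} "
              f"without={c.cost_without:>12,.0f}")
    # Raising the deductible to lower the premium: the premium saved is risk taken back.
    higher = Policy(premium=10_000, deductible=50_000, limit=1_000_000)  # constructed variation
    print("expected-value saving, default vs. higher deductible:",
          insurance_saves(200_000, quote), insurance_saves(200_000, higher))
```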
Insurance is one lever among several. Before transferring risk, it is usually cheaper to reduce it: the security control ROI calculator shows which controls pay for themselves, and lowering your expected loss with controls often lowers your premium too. And to make sure the expected-loss figure you fed in is realistic, rebuild it as a probability-weighted annual number with the annual loss expectancy calculator. Reduce, retain, transfer — in that order — and insurance becomes the considered last step rather than the first reflex.
Frequently asked questions
Is this a cyber-insurance quote?
No. This is an educational comparison, not a quote. It shows whether carrying a policy is expected to cost you less than self-insuring, given numbers you supply. Actual premiums are set by underwriting and depend on your revenue, industry, the data you hold, your security controls, your claims history and current market conditions — none of which this tool sees. Treat the premium field as a figure from a real quote (or a placeholder), and use the result to reason about the structure of the decision, not to price a policy.
What is "retained risk"?
Retained risk is the part of a loss the policy does not pay, which you keep on your own books. It has two pieces: the deductible (the first slice of every claim, which you always pay) and any excess over the policy limit (loss above the maximum the insurer will pay). In the default scenario here, with a $200,000 expected loss, a $25,000 deductible and a $1M limit, the whole loss fits under the limit, so the retained risk is just the deductible: $25,000. If your expected loss exceeded the limit, the part above it would be added to the retained risk.
How do I read the with-vs-without comparison?
With insurance, your expected cost is the premium you pay plus the retained risk you keep — here $15,000 + $25,000 = $40,000. Without insurance, you carry the whole expected loss yourself: $200,000. If the with-insurance figure is lower, the policy reduces your expected cost as well as your worst case; if it is higher, you are paying the insurer a margin to remove volatility — which is often still worth it for a loss large enough to threaten the business.
Why might insurance cost more on average yet still be worth buying?
Insurers add a margin for their costs, capital and profit, so on average the premium plus deductible can exceed the expected loss. You buy insurance anyway to convert an uncertain, possibly catastrophic loss into a small, predictable payment. A single major breach can be an extinction-level event for a small business; transferring that tail risk to an insurer can be rational even when the expected cost rises slightly. The comparison here shows the expected-value side of the trade; your risk tolerance and the size of the worst case decide the rest.
What expected-loss figure should I use?
Use a realistic estimate of what a breach would actually cost you, not a headline average. Build one with the data breach cost estimator for your industry, records and security posture, or with the annual loss expectancy calculator if you want a probability-weighted yearly figure. Whichever you choose, keep premium and expected loss on the same basis — a per-incident premium against a per-incident loss, or an annualized premium against an annual loss — so the comparison is apples to apples.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.