Q: Do I need cyber insurance for my business?

A: You must be asking because you think your business is too small to attract criminals. In fact, when it comes to cyber theft, size doesn’t matter, according to Christine Marciano, president of insurance brokerage Cyber Data Risk Managers in Princeton, N.J. She says hackers are looking for businesses of any size with valuable customer data they can steal and sell on the black market.

Hence the need for cyber insurance—coverage that can include data theft or loss, network intrusions, information-security breaches and lost income due to system downtime. It’s available for first- and third-party losses, which means that if your business has customer or vendor relationships and processes customer-sensitive (nonpublic) information, you need it.

We asked Marciano to give us the lowdown.

Doesn’t my current insurance cover cyber breaches?

Review your policies—especially the exclusions—and you’ll likely find that your traditional commercial general liability won’t respond to a cyber or data breach claim. And the last thing you want to do is handle a cyber attack or data breach alone. Cyber insurance can provide coverage for regulatory defense, penalties and fines.

Penalties? Fines? How does that happen?

Most states have laws requiring companies to notify individuals of security breaches involving their personally identifiable information. Regulators such as the FCC and FTC can assess fines and penalties against a company for a data-security breach that affects consumers’ sensitive, personal information.

An example from April: The FCC handed AT&T a $25 million fine for a data breach that affected 280,000 customers.

Gulp. How much does cyber insurance cost?

Like any insurance, premiums vary by insurer and type of coverage selected. They can start at $850 a year for a $1 million aggregate policy for a small, sole-proprietor business and climb to seven figures for midsize to large companies that require coverage limits of $300 million or more.

Anything I can do to whittle down those premiums?

The Internet Security Alliance, in coordination with insurer AIG, has a helpful guide to best practices that need to become part of a company’s culture. Such practices can help reduce the cost of purchasing a cyber insurance policy. Go to AIG.com and download their whitepapers on managing cyber risk and maintaining “good cyber hygiene.”

Among the tips: eliminate unnecessary data, regularly change passwords, avoid sharing logins and passwords, update software immediately and audit user accounts on a regular basis. If you can document that these policies are in place and followed consistently, you may see a break on your premiums—it all depends on the value of the data your business holds.