89% of Spanish SMEs operate with a “protection gap”: underinsurance putting tech companies (and their clients) at risk

Only 11% of SMEs in Spain have a comprehensive insurance protection against their actual risks. This data, from the Hiscox Gap Report 2025, should set off alarms across the digital ecosystem: if a tech SME experiences an incident—from a massive SaaS outage to a data exfiltration cyberattack—the protection gap (the difference between the insurance purchased and what is truly needed) can turn an operational problem into a liquidity, customer, and compliance crisis.

The study—conducted by Wakefield Research—highlights a structural deficiency:

  • 38% of SMEs lack General Liability (GL) coverage even though their activity requires it.
  • 7% have no insurance at all.
  • Policy reviews take forever: 10% haven’t updated their General Liability in over 3 years, and 33% haven’t reviewed their Professional Liability during the same period.
  • Short limits for a digital economy: only 43% exceed a €1,000,000 limit in Professional Liability and 44% in General Liability; 3% declare limits well below their annual income.

Why this gap is critical for tech companies

Tech SMEs thrive on APIs, data, and availability. Their risks combine professional failure (Tech E&O / Professional Liability), third-party damages (General Liability / Products), and cyber threats (breaches, ransomware, disruption). Three vectors make it worse:

  1. Regulation and auditing. GDPR, NIS2, DORA, SLA clauses, and client due diligence require minimum coverage and certificates with concrete limits. An insufficient policy blocks sales or causes contractual breaches.
  2. Damage escalations. A bug that takes down a multi-tenant service or an intrusion with lateral movement can cause cumulative damages (affecting multiple clients) and chain claims. Without appropriate sub-limits (e.g., business interruption, data restoration), the loss exceeds the policy.
  3. Legal and technical inflation. Forensic costs, notifications, identity monitoring, legal and regulatory fees, negotiations, and recovery expenses increase year after year. A limit that “was enough” in 2022 may be insufficient in 2025.

The risk landscape (with numbers) that keeps owners awake at night

95% of owners admit to concerns that keep them awake, many of which are insurable: thefts/damages (39%), cyberattacks/data breaches and inflation (34%), economic downturn (33%), workplace injuries (32%), lawsuits (31%), natural disasters (30%), or talent shortage (29%). Only 5% say they have no worries.

For tech sectors, cyber and E&O are the leverage points with the highest returns: they mitigate the financial impact of ransomware, supply chain attacks, critical bugs, or SLA breaches.

What policies does a tech SME really need in 2025

  • Professional Liability / Tech E&O: errors and omissions in development, integration, support, platform operation, contractual compliance failures (e.g., SLA).
    • Key points: include intentional acts of employees (when insurable), subcontractors, “as-a-service” work, and territorial coverage aligned with clients.
  • Cyber risk: incident response, forensic, notification, extortion, business interruption, system/data restoration, legal and regulatory fees.
    • Key points: specific sub-limits for ransomware, BEC/phishing, social engineering fraud, and critical suppliers (coverage for contingent business interruption).
  • General Liability / Products: personal/material damages to third parties (facilities, supplied hardware, testing equipment).
  • Physical damages and business interruption: offices, own data centers, hardware labs, machinery, with coverage for lost income due to covered physical damages.
  • Directors & Officers (D&O): management decisions, funding rounds, claims from partners/minorities, employment practices.

Recommended limits: for companies with growing revenue and B2B contracts, ≥ €1,000,000 tends to be the starting point—not the end. If the average ticket per client is high or there are critical dependencies (e.g., health/financial sectors), consider 2–5 M€ aggregates and generous sub-limits for business interruption.

Signs of underinsurance in your stack (90-second checklist)

  • You’ve grown > 30% in revenue/users over 12–18 months and your limits haven’t changed.
  • You operate multi-region or in regulated sectors and haven’t expanded territorial coverage/exclusions.
  • Your cyber policy does not include third-party business interruption (SaaS/IaaS) or social engineering fraud.
  • You have SLA agreements with penalties but your E&O policy doesn’t cover them or has minimal sub-limits.
  • It’s been over 3 years since you reviewed policies (33% in Professional Liability and 10% in General Liability, per the report).

How to align security and insurance (so one boosts the other)

  • MFA everywhere (including email), EDR/XDR, and patch management with KPIs.
  • Encryption at rest and in transit, environment segregation, and least privilege principle.
  • Backups 3-2-1 tested for restore and immutability.
  • Centralized logging and detection (SIEM) with response playbooks.
  • Tabletop exercises (crisis simulations) and legal/communications runbooks.
  • Vendor risk: DPIA/due diligence, and contractual clauses imposing insurance requirements on third parties.

Impact on premiums and conditions: a mature security posture improves underwriting terms, reduces deductibles, and streamlines claims processes.

Smart review (frictionless)

  • Cadence: every 12–18 months, or earlier if you grow revenue, expand region, or change architecture (e.g., move to multi-cloud).
  • Business metrics: ARR, MRR, customer concentration, critical third-party reliance.
  • Technical metrics: average restore time (MTTR), disaster recovery exercises, incidents, lessons learned.
  • Contracts: map insurance clauses and minimum limits per client/sector; avoid accepting penalties that are not insurable.

FAQs (tech-focused)

Don’t Professional Liability (Tech E&O) and Cyber Risk cover the same thing?
No. Tech E&O covers professional/contractual failures (e.g., a bug that takes down your SaaS). Cyber covers security incidents (e.g., ransomware, exfiltration) and their collateral costs (disruption, forensics, notification). They are complementary.

What’s a good starting limit for a B2B SaaS SME?
It depends on income, SLAs, and sector, but an annual ≥ €1 million aggregate usually represents a reasonable minimum. For enterprise contracts or sensitive sectors, increase to 2–5 M€ and watch out for sublimits (disruption, data restoration).

How often should I review policies if I’m in hypergrowth?
Typically annually, and after key milestones (new region/vertical, major client, architecture change, M&A). The report indicates that going more than 3 years without a review is a high risk.

Does improving my security posture lower premiums?
Often yes: MFA, EDR, immutable backups, tabletop exercises, and response evidence can lead to better terms (premium, deductible, conditions).

via: hiscox