SaaS Agreements – Data Protection – Cyber Insurance

Currently, most SaaS suppliers and SaaS customers do not take out specific cyber insurance and instead rely upon the provisions of a general insurance policy to cover liabilities in the event of a claim for a cyber incident or a data breach. This is partly because few insurers offer adequate cyber insurance policies, and because SaaS customers and SaaS suppliers often fail to consider the need for a specialist policy of insurance to ensure that they are covered in the event of a claim being denied under a general insurance policy.

General Insurance

Many insurers may not have anticipated providing cover against cyber risks under their general insurance policies and it is likely that disputes will arise as to whether or not a cyber claim is covered when a SaaS supplier or SaaS customer makes a claim. Taking out cyber insurance could reduce this risk.

Professional Indemnity Insurance

Commonly, PI insurance covers directors' insurance, property risk and some limited cyber cover. However, as cyber risks are becoming more common for SaaS suppliers and SaaS customers, there is an increasing need to specifically protect against cyber risks such as hacking, DNS attacks and phishing.

Future Need for Cyber Insurance

Cyber insurance is often seen as too expensive by SaaS suppliers and SaaS customers, and they actively choose not to purchase such additional insurance cover.

From the 25th of May 2018, when the new Data Protection Regulation (GDPR) comes into effect, there will be a substantial increase in the risk of a cyber claim for a data breach. It is important to be aware that the GDPR applies to all SaaS customers and SaaS suppliers in the EU, and to any non-EU located SaaS customers and SaaS suppliers offering goods or services in the EU or who monitor the behaviour of EU data subjects. Accordingly, the GDPR will apply to UK SaaS customers and SaaS suppliers regardless of whether, and when, there is a “Brexit”.

GDPR Fines

The GDPR imposes more onerous obligations on both data processors and data controllers. In particular, the fines which can be applied by any EU data protection authority for breach of the GDPR will increase substantially. Fines of up to €20 million or 4% of global annual turnover for the preceding financial year can be imposed.


SaaS suppliers and SaaS customers need to consider now the need to increase existing insurance cover to encompass the above changes to data protection law, and when doing so, it could be prudent to consider taking out specialist cyber insurance.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
