BBVA cyberinsurance for SMEs and Self-employed workers

BBVA cyberinsurance for SMEs and Self-employed workers

Insurance intended for SMEs and self-employed workers, designed to provide a quick response and cover damage caused by a cyber attack or breach of personal or confidential data, either personal damage or damage caused to third parties.

  • Highly specialized team (CyberSOC Deloitte) to provide cover in the event of a data breach, systems failure, security failure due to a cyber attack or a suspected cyber attack or threat of extortion.

  • Cover for personal damages includes the loss of profits.

  • Free access to the training programme CyberAcademy (up to 10 employees).

  • Alerts service, for notification of cyber attacks and vulnerabilities.

What kind of risks could you be up against?

  • Receiving emails with viruses that block IT equipment, paralyze the business and steal client data.
  • Suffering cyber attacks that block your website and paralyze your online business.
  • Social media attacks and defamation to your company or your competitors.
  • Theft of data and confidential information and exposure, causing damage to your image.
  • GDPR sanctions that can reach €20,000,000 or 4% of your business turnover.

Who is it intended for

This product is intended for SMEs and self-employed workers from all sectors of the economy with a turnover not in excess of €7,500,000 (except for companies dedicated to financial services, gambling activities, pornography and organizations regulated by public law).

Cover against cyber attacks

  • Security incident response and additional services

Assistance in the event of data breach, systems failure, security failure due to a cyber attack or a suspected cyber attack or threat of extortion, which includes

  • 365 day a year Telephone service with professions to stop, identify the cause of the incident and provide a legal advice and external communication service.

In addition, with prior approval from the insurance company:

  • Costs of notification of the data breach to the affected parties and/or the Regulatory Entity.
  • Costs of the external telephone service for queries from affected parties.
  • Monitoring of compromised information.
  • Losses for the policyholder

This cover is intended to get your business going again, and includes:

  • Cost of recovering data from IT systems.
  • Cyber extortion-data theft: If the customer is the victim of extortion or data or equipment theft, the insurance company will pay the fees and other costs incurred by a specialized consultant to help the policyholder to manage the situation.
  • Loss of profits due to the partial or total interruption of the IT system causing the incident.
  • Loss of profits if, as a consequence of a cyber attack against a supplier from the policyholder's supply chain, their business is interrupted.
  • Public Liability due to a Data Security Failure

If the policyholder receives a claim or is subject to a data inspection, the insurance covers: economic compensation, including for data loss/theft, the economic cost of data protection sanctions, sanctions arising from non-compliance with the PCI regulations. 

  • Claims for Digital Content

Claims (Public Liability) filed against the customer arising from a cyber attack on the website or social networks due to non-compliance with intellectual property or defamation rights regarding a product.

Optional coverages

  • Online store insurance

Cover for stores with online sales. It covers economic losses of the customer due to the difference between the official prices authorized by the company on its websites and the prices intentionally modified downwards by an unauthorized third party.

  • Electronic theft of money and securities

It covers economic losses caused by the issue of transfers as a result of non-authorized access to the client's computer systems (Cyber Theft). Transfers of funds as a result of identity theft or social engineering are not covered.

Compensation limit

The product offers a choice of different compensation limits, depending on whether you are self-employed or a company, the number of employees and the turnover. The compensation limits available are:

  • For self-employed workers: €150,000, €300,000, €600,000 and, depending on the turnover, €900,000 and €1,200,000.
  • In the case of companies: €300,000, €600,000, €900,000 and €1,200,000.


To calculate the amount of insurance needed, here you will find the sublimits, that is, cover that includes lower compensation limits (or sublimits), regardless of the amount or compensation limits agreed in the policy.

Cyber extortion
  • Maximum policy compensation limit.
  • If a claim shows the non-existence of active antivirus or back up copies, at least 30 days prior, a sublimit of 25% of the compensation limit up to a maximum of €75,000.
Loss of profit due to interruption of the company's IT systems
  • 50% compensation limit up to a maximum of €250,000.
  • If a claim shows the non-existence of active antivirus or back up copies, at least 30 days prior, a sublimit of 25% of the compensation limit up to a maximum of €75,000 (max. period 60 days).
Loss of profits due to supplier responsibility
€50,000 (max. term 60 days)
Sanctions by payment card industry companies
Online store insurance
€25,000 (max. term 60 days)
Electronic theft of store electronic store theft


For self-employed workers with up to 4 employees:

  • Insured Capital: up to €600,000.
  • Deductible: €300 / €600.

For SMEs with CIF and self-employed workers with more than 4 employees and a turnover of more than €500,000:

  • Insured Capital: up to €1,200,000.
  • Deductible: €500 / €750.

IT incident management is exempt from excess (1) except additional services such as notification costs, creation of a telephone helpline, monitoring of compromised information, which will receive the general excess applicable to the policy.

Waiting periods

A waiting period will be applied(2) to coverage for:

  • Loss of profits due to interruption of business as a result of data infringement, systems failure, security failure consisting of a cyber attack or suspected cyber attack or threat of extortion: 12 hours.
  • Loss of profits due to interruption of business as a result of a cyber attack against an external supplier of the policyholder: 24 hours.


  • Pre-existing problems that the policyholder is aware of before taking out the policy.
  • Intentional or dishonest acts.
  • Voluntary breaches of the applicable regulations.
  • Guarantees, promises or obligations agreed under contract.
  • Receipt and non-authorized use of data.
  • Costs of repair, update, correction, removal, replacement or erasure.
  • Territorial scope: worldwide cover except USA and Canada.
  • Property damages: loss or damage to property as a result of a cyber attack.
  • Personal damage: death, illness or physical harm to a person.

Additional info

  • To notify an incident such as a cyber attack or a security breach, the policyholder should call the CiberSOC Deloitte platform, which will provide an immediate response to the incident.
  • The policyholder must provide the following information when notifying the incident: policyholder name (legal entity / individual), policy number, contact data (individual), brief description of the incident.
  • The corresponding cover will be activated and, where applicable, the processing of personal damages or Public Liability (damage to third parties), the amounts of which must be paid to the policyholder.

  • Install and activate an antivirus within 30 days from the effective date of the contract and make monthly backup copies.
  • For comply with the requirements and not see reduced the coverages of this Cyberinsurance, the insurance offers free an Antiviral license Norton valued in 69.99€ during all the period of validity of the policy.
  • If, at the time of the incident, the insurer verifies the non-existence of an activated antivirus or backup copies within the term of 30 days, the retroactive date will be limited to the date of the effect of the policy and a sublimit of 25% of the insured amount for cover will be applied. Losses for the Policyholder, Loss of Profit and Cyber Extortion.

See legal notice