Most insurance content written for SaaS founders comes from brokers trying to sell you a policy. This post comes from the other side: what matters when you’re actually managing risk across a portfolio of B2B software companies, evaluating coverage, and seeing how policies perform when something goes wrong.
If you’re building a B2B SaaS company, cyber insurance and technology errors and omissions (Tech E&O) coverage aren’t optional. They protect your business in the event of an incident, and they grease the sales process with enterprise customers who expect to see proof of coverage before approving you as a vendor.
Cyber vs. Tech E&O: They’re Not the Same Thing
The most common mistake founders make with insurance is buying a standalone cyber policy and assuming they’re covered. They’re not. Cyber insurance and Tech E&O are separate coverages that protect against different categories of risk, and B2B SaaS companies need both.
Cyber insurance covers losses arising from cyber incidents: data breaches, ransomware attacks, network security failures, and the costs associated with responding to them. That includes forensic investigation, legal fees, notification expenses, credit monitoring for affected individuals, regulatory fines, and business interruption losses.
Technology errors and omissions (Tech E&O) covers losses arising from failures in the professional services or technology you provide. If your software malfunctions and causes your customer financial harm, if your platform experiences extended downtime that disrupts their operations, or if your product fails to perform as described in your documentation or contracts, Tech E&O is the coverage that responds. Cyber insurance typically won’t cover these scenarios because they’re not cyber incidents. They’re professional service failures.
For B2B SaaS companies, the distinction is critical. Your customers depend on your software to run their operations. If your product goes down for an extended period, or if a bug causes data corruption, or if your service fails to meet the commitments in your SLA, the resulting claim is a Tech E&O claim, not a cyber claim. A standalone cyber policy would leave you exposed.
The right approach: buy a combined cyber and Tech E&O policy. Most major insurers offer these as bundled products for technology companies. A combined policy eliminates the coverage gap between the two and simplifies the claims process.
When to Get Coverage
Get coverage early. Don’t wait for a specific revenue threshold or customer count.
There are two reasons. First, enterprise procurement teams increasingly require proof of insurance as part of vendor approval. Having coverage in place before your first enterprise deal means you’re not scrambling to bind a policy under deal pressure. Second, and more importantly, insurance protects your business. A cyber incident or a significant service failure at any stage can generate costs that exceed your annual revenue.
The earlier you purchase coverage, the more straightforward the underwriting process tends to be. Insurers assess risk based on your current operations, and a smaller, simpler business with fewer customers and less data is generally easier and cheaper to insure.
What Underwriters Look At in Your Legal Stack
Your insurance application isn’t just about your security controls. Underwriters evaluate your contractual commitments because those commitments define your potential exposure.
Liability caps. Your limitation of liability clause determines the maximum contractual exposure from any single customer relationship. Underwriters want to see that your liability is bounded. Uncapped liability in your customer agreements is a red flag in underwriting because it means your potential exposure from a single incident is theoretically unlimited.
Indemnification structure. The scope and limits of your indemnification obligations affect your risk profile. Broad, uncapped indemnification for data breaches or service failures increases your potential claims exposure, which underwriters factor into their assessment.
Breach notification timelines. Your DPA’s breach notification commitments create specific obligations that your incident response must meet. Aggressive timelines (24 hours, for example) increase the operational complexity of a response and the risk of a contractual breach on top of the underlying incident.
Security controls and certifications. Underwriters also look hard at your actual security posture: multi-factor authentication, endpoint detection, encryption practices, access controls, and incident response plans. A SOC 2 Type 2 report signals to underwriters that your controls have been independently verified — and can directly reduce your insurance costs.
The through-line: your legal documents, your security posture, and your insurance coverage are all connected. If your contracts create more exposure than your policy can absorb, or your security posture doesn’t support the commitments you’ve made, you have a gap.
Watch Your Sublimits
A policy with a $2 million aggregate limit doesn’t necessarily mean you have $2 million available for every category of loss. Most policies include sublimits that cap coverage for specific categories: ransomware payments, forensic investigation, regulatory proceedings, notification costs, and business interruption.
In a ransomware event, your investigation costs alone can consume a significant portion of the sublimit before you’ve addressed the ransom itself, legal fees, or your customers’ notification costs. Make sure your broker is negotiating sublimits hard on your behalf, and get multiple quotes to compare.
Watch for AI Exclusions
Some insurers are writing AI exclusions into cyber and Tech E&O policies, then offering separate standalone AI liability policies to fill the gap. If your SaaS product uses AI or machine learning in any capacity, check your policy language carefully.
A well-drafted combined cyber and Tech E&O policy should not exclude AI-related claims. If your product uses AI to process customer data, generate outputs, or make recommendations, and your policy excludes losses arising from AI functionality, you have a coverage gap for one of the core features of your product.
As of now, I have yet to see enterprise customers ask for or require separate AI coverage. The risks associated with AI functionality in a B2B SaaS product should fall within the scope of a properly structured cyber and Tech E&O policy. If your insurer is trying to carve out AI and sell you a separate policy, push back or find a carrier that covers your product as it actually operates.
The Liability Cap Trap: Don’t Tie Your Cap to Your Insurance
This is one of the most important and least discussed points in SaaS contracting.
Enterprise procurement teams will sometimes push for your limitation of liability to be set at the amount of your available insurance coverage. Do not agree to this.
Your insurance limit is a shared resource. In the event of a breach or incident that impacts multiple customers simultaneously, your policy limit needs to cover claims from all affected customers. If you’ve agreed to cap your liability at your full policy limit with each customer, a single large customer could consume the entire limit, leaving nothing for other affected customers.
Keep your liability cap at some function of revenue from that specific customer relationship — typically twelve months of fees with a supercap of two to three times that amount for elevated-risk obligations. Your insurance is a backstop for your business, not a contractual commitment to any individual customer.
Blanket Additional Insured
Enterprise customers will often request to be named as an additional insured on your policy. Getting a blanket additional insured endorsement on your policy is worth doing proactively. It’s a common enterprise procurement requirement, and having it in place eliminates another round trip in the vendor approval process.
No Boiler provides self-service legal document generation and educational content. This material is general in nature and is not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them.