
SaaS Company Insurance: What a BOP Won't Cover


A SaaS company can sign its first enterprise contract, close a seed round and onboard a dozen employees before anyone asks whether the insurance program actually matches the exposure.

A Business Owner’s Policy covers a slip-and-fall here, a damaged server there. It does not cover a client lawsuit when your software miscalculates their payroll, a data breach that exposes thousands of customer records, or an investor claim that your board misrepresented the company’s financial position. Those are the risks that define liability for software businesses, and they require purpose-built coverage.

This guide explains the three policies at the center of a SaaS insurance program: Technology Errors & Omissions (E&O), cyber liability and directors and officers insurance. We’ll talk about what each covers, where they interact, and what gaps founders most often discover too late.

Key Takeaways: Technology Company Insurance

  • A BOP is a starting point, not a program. General liability and commercial property insurance do not cover professional errors, data breaches or investor claims.

  • Technology E&O is not the same as standard professional liability. SaaS companies need a policy form designed for software products and service failures, not advice-based professional services.

  • Cyber liability requires a standalone policy. Endorsements added to a BOP are not designed for the complexity of an actual breach response.

  • VC and PE investors typically require D&O coverage as a condition of funding. Board formation is the right time to put this coverage in place.

  • All three policies are written on a claims-made basis. When you change carriers or are acquired, tail coverage becomes a critical decision.

What a Standard Business Owner’s Policy Leaves Exposed

Most early-stage SaaS companies start with a Business Owner’s Policy (BOP). A BOP bundles general liability and commercial property coverage, and it addresses the basics: third-party bodily injury, business property damage and interruption of business operations tied to a covered physical loss.

That’s a reasonable foundation for a business with a physical location and foot traffic. For a company delivering software to enterprise clients, processing payment data and operating under a board that answers to investors, it leaves three significant gaps uncovered.

  1. Professional liability. When your product fails and a client loses money, general liability insurance doesn’t respond.

  2. Cyber liability. A BOP endorsement for data breach is not the same as a standalone cyber policy, and the difference becomes apparent at the moment a claim occurs.

  3. Management liability. Once investors are involved, the personal assets of your executives and board members are exposed in ways that no property or liability policy addresses.

Each of these unique risks has a specific solution. Understanding how they work and interact is what separates a functional insurance program from a patchwork of minimums.


Technology E&O Insurance for SaaS Companies

What Tech E&O Insurance Covers

Technology E&O insurance covers claims that arise when your software, platform or technology services cause a client to suffer financial losses. This is distinct from standard professional liability, which is a type of insurance designed for advice-based services like accounting or consulting. Tech E&O is built for products and deliverables that can fail mechanically, not just through bad counsel.

Here are just a few examples of what that can look like in practice:

  • A workflow automation bug delays a client’s product launch, leading them to sue for lost revenue

  • A calculation error in your financial reporting software produces incorrect numbers, which a client then relies on for a board presentation

  • A scheduled software update causes an unplanned outage during a client’s peak transaction window

What Tech E&O Doesn’t Cover

Standard Tech E&O forms exclude bodily injury and property damage (those stay under general liability), intentional acts and patent infringement. Some carriers will add limited intellectual property (IP) infringement coverage by endorsement, but it isn’t standard.

IP disputes can include situations like patent claims from competitors, trade secret allegations from former employees or open-source licensing disputes. These aren’t uncommon exposures for SaaS companies, and general liability’s IP exclusion leaves them entirely uncovered.

Confirm the specific exclusion language and available endorsements with your insurance advisor before assuming any IP protection exists in your policy. A standalone intellectual property policy may be another insurance product to consider, or the exposure may be covered under a well-designed Directors & Officers policy.

The Claims-Made Trigger for Tech E&O Policies

Nearly all Tech E&O policies are written on a claims-made basis. That means the policy in force when the claim is filed is what responds to the loss, not the policy that was in force when the error occurred.

This creates a practical problem when a company changes carriers or is acquired: coverage can disappear for past work if an extended reporting period (also called tail coverage) isn’t purchased. A software bug introduced in Year 1 that doesn’t produce a client claim until Year 3 will fall under your Year 3 policy, or fall outside coverage entirely if you’ve changed carriers without securing tail coverage.

Cyber Liability Insurance for Tech Companies

Cyber Liability Exposures Explained

SaaS companies are a specific kind of breach target. Unlike a retailer that holds only its own customer data, a SaaS platform often holds data from dozens or hundreds of clients simultaneously. A single breach can trigger notification obligations, regulatory inquiries and litigation across every client relationship at once.

According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach is $4.4 million. For tech companies, the cost structure includes breach investigation, client notification, regulatory defense, legal fees and business interruption, none of which a BOP is designed to absorb.

First-Party vs. Third-Party Coverage

A standalone cyber liability policy covers two distinct categories of loss, and a SaaS company needs both.

First-party coverage addresses the company’s own costs: forensic investigation to identify the source and scope of the breach, notification to affected individuals, public relations and crisis communications, regulatory fines and ransomware response costs.

Third-party coverage addresses claims from clients, partners or individuals whose data was compromised. When a breach exposes client data and that client sues, third-party coverage pays defense costs, settlements and judgments.

A BOP endorsement for data breach typically provides only a sublimited version of first-party coverage. It isn’t structured to handle the complexity of a multi-client breach response, and it almost never includes meaningful third-party coverage.

Sublimits and Coinsurance in Cyber Insurance

A $5 million cyber policy can leave a company partially self-insuring a $3 million ransomware demand. That's not a hypothetical edge case. It's the practical result of how carriers have restructured ransomware exposure through sublimits.

The increase in ransomware claims has prompted insurance companies to cap their exposure to these cyber risks within an otherwise larger policy. If your policy carries a $1 million ransomware sublimit and the demand exceeds it, you have to cover the costs above the sublimit, regardless of what the headline limit says.

Some carriers have also introduced coinsurance provisions on ransomware claims, requiring the insured to absorb a specified percentage of the loss while the insurer covers the rest. The total policy limit doesn't change—but your share of a large claim does.

This is why policy comparison requires more than reviewing headline limits. An independent agency can evaluate sublimit structures and coinsurance provisions across multiple carriers and policy forms. Two policies with identical limits can produce very different outcomes when a claim actually occurs.

Directors and Officers Startup Business Insurance

What D&O Insurance Covers

Directors and officers insurance protects the personal assets of a company’s executives and board members against claims that they mismanaged the company, breached fiduciary duties or made decisions that harmed investors.

When an investor sues alleging that the board misrepresented the company’s financial position during a fundraising round, or that leadership’s decisions destroyed shareholder value, D&O coverage pays legal fees, settlements and judgments.

For privately held SaaS companies, the relevant form is typically a private company management liability policy. This bundles D&O coverage and, often, employment practices liability insurance into one policy. It’s structured differently than public company D&O, which includes securities coverage that a private company doesn’t need yet.

The two components that matter most for a VC-backed startup are:

  • Side A coverage: Protects individual directors and officers when the company cannot or will not indemnify them

  • Side B coverage: Reimburses the company for indemnifying its leadership

Both matter when investor relationships are involved.

Who Needs Directors and Officers Insurance?

Institutional investors commonly require D&O coverage as a condition of funding. The National Venture Capital Association’s Model Investors’ Rights Agreement includes standard insurance covenants, and D&O coverage appears in that framework as a board-level governance requirement.

Coverage should be in place at or before board formation. Waiting until a term sheet requires it puts a company in the position of purchasing coverage reactively, under a timeline set by someone else, which affects both terms and limits.

Tail Coverage on Acquisition

When a SaaS company is acquired, D&O coverage does not automatically extend to claims arising from acts before the acquisition date. The acquiring company’s policy covers its own directors and officers going forward; it does not pick up liability from the target company’s prior management decisions.

A run-off policy (tail coverage) is required to cover pre-acquisition conduct. This is a negotiated term in most M&A transactions, and failing to address it leaves the acquired company’s former leadership personally exposed to claims that surface after the deal closes.

How the Three Policies Work Together to Protect Your Business

Tech E&O, cyber and D&O cover three distinct exposure categories and don’t overlap in ways that create redundancy. They interact when a single event triggers multiple claims.

For example, a data breach at a SaaS company can simultaneously trigger:

  • A cyber liability claim (breach response costs and client data exposure)

  • A Tech E&O claim (if the breach resulted from a software security failure that the company was contractually obligated to prevent)

  • A D&O claim (if investors allege that leadership failed to implement adequate security protocols, harming company value)

All three policies respond to different aspects of that same event. A commercial umbrella policy sits above the underlying limits of each, triggering when a primary policy’s limit is fully exhausted.

For a SaaS company managing enterprise contracts and investor relationships simultaneously, umbrella coverage adds protection across the entire program without requiring a dramatic limit increase on every individual policy.

Common Coverage Gaps in Tech Company Insurance Programs

Buying Only What a Contract Requires

The most common gap in SaaS insurance programs is reactive purchasing. A company that purchases Tech E&O to satisfy a single contract will likely set limits based on that contract’s requirements, not on the realistic cost of a multi-client failure. The result is a program structured around minimum thresholds rather than actual risk, and insufficient limits that can’t be changed when a larger claim arrives.

Assuming a BOP Endorsement Is Enough for Cyber

A cyber endorsement on a BOP gets a company to a policy number quickly. It doesn’t provide the coverage structure that a real breach response requires. First-party sublimits cap notification and response costs at levels that don’t reflect what a multi-client breach actually costs. Third-party coverage is often absent or severely restricted.

The distinction between an endorsement and a standalone cyber policy matters most when a claim occurs, which is the worst time to discover it.

Waiting on D&O Until There’s a Problem

D&O claims don’t always arrive quickly. An investor allegation about misrepresentation during a fundraising process may surface a year or more after the round closed. Because D&O is a claims-made policy, coverage in force at the time the claim is filed is what matters. A company that lets D&O lapse or never purchased it in the first place has no coverage for those prior acts.

Working with an Independent Insurance Agency

SaaS companies don’t fit standard small business insurance templates. The liability exposures are different, the policy forms are more specialized and the stakes of a coverage gap are higher when enterprise contracts and investor relationships are involved.

Pepper, Johnstone & Company works with specialty carriers that build programs for technology companies and venture-backed startups. That means access to Tech E&O forms with the right coverage triggers, cyber policies with sublimit structures that reflect what a breach actually costs, and D&O programs structured for private company governance rather than public market requirements.


If you’re building a SaaS company and want to understand where your current program leaves you exposed, request a quote online or call 866-381-5821 to speak with an advisor.

For a broader look at how insurance needs evolve from pre-seed through Series A and beyond, see our Complete Guide to Startup Insurance.