What Insurance Policies Does a B2B SaaS Company Actually Need Beyond the Basics?

By Tim Salikhov, CFA · May 14, 2026 · 10 min read

What to look for before adding any policy

Before agreeing to a broker's add-on recommendation, ask one question: what specific event would trigger this policy, and has that event happened to a company like mine? If your broker can't answer that with a concrete scenario, you don't have enough information to buy.

The second question is about sequencing. Insurance is a stack — some policies are foundational, others are contextual. Adding Crime/Fidelity before you have a 401(k) and EPLI before you have employees is not wrong, but buying Fiduciary Liability before you offer benefits is writing a check for nothing. Sequence matters.

1. Tech E&O — if customers depend on your product for financial outcomes, this is not optional

What it covers: claims that your software, platform, or services caused a customer financial loss. A 48-hour outage that costs your largest client $200K in lost revenue. An analytics error that causes a retail customer to over-order $500K in inventory. A buggy integration that corrupts three months of a client's financial records. That's all Tech E&O territory.

Best for: any B2B SaaS company — especially vertical SaaS platforms where customers run operations, process transactions, or make financial decisions based on your product.

Watch out for: Tech E&O is claims-made, not occurrence-based. The claim must be made during the policy period and the wrongful act must post-date the retroactive date. When you switch carriers, retroactive date coordination is not optional — don't let it slip. Standard limits at Seed/Series A: $1M per claim / $2M aggregate, with a $10,000 self-insured retention per claim.

2. Cyber Liability — covers what Tech E&O explicitly excludes

What it covers: third-party claims arising from network security failures or unauthorized data disclosure. A hacker exfiltrates 50,000 customer records and affected individuals file a class action. An enterprise client sues because their customers' data was compromised in a breach of your infrastructure.

Best for: any startup handling customer data, credentials, payments, or regulated data — which covers nearly every B2B SaaS company.

Watch out for: the base Cyber policy (Coverage A) is third-party liability only. Your own breach response costs — forensic investigation, notification, credit monitoring, business interruption — require separate endorsements. This is what most founders mean when they say "cyber insurance," but it's not what the standard policy includes. Confirm exactly which endorsements are in your policy before you assume you're covered for first-party costs.

One event can trigger both Cyber and Tech E&O. A vulnerability in your product leads to a breach — the client sues because their data was exposed (Cyber) and because your platform failed to perform as contracted (Tech E&O). That's why enterprise customers require both.

3. EPLI — the one most Series A founders skip until a VP threatens a claim

What it covers: employment-related claims — discrimination, harassment, retaliation, wrongful termination. Both the company and individual managers are protected.

Best for: any startup with employees. The risk profile increases sharply once you have managers who didn't hire the people they're now managing — which describes almost every Series A company that grew fast in 2022–2024 and is now right-sizing.

Watch out for: wage and hour claims are often excluded or only partially covered, sometimes limited to defense costs with a specific endorsement. Read this section carefully before assuming you're protected against a California wage claim. EPLI is not workers' compensation — workers' comp covers workplace injuries; EPLI covers conduct and decision-making claims.

4. Crime / Fidelity — covers internal fraud, not just external attacks

What it covers: direct financial losses from fraud, employee theft, and wire transfer fraud. If a social engineering attack causes your team to wire funds to an unauthorized recipient, Crime is what responds — not Cyber. Cyber covers third-party liability after a breach. Crime covers your own financial loss.

Best for: every funded startup moving capital. Early-stage companies are frequent targets because they're moving money fast and haven't yet built the internal controls that would flag an anomalous wire.

Watch out for: institutional investors are increasingly asking for Crime/Fidelity alongside D&O at close. If it's not in your renewal stack and you're heading into a Seed or Series A process, add it before you start diligence conversations. One successful wire fraud attack at a runway-constrained stage can be unrecoverable.

5. Fiduciary Liability — required once you offer a 401(k)

What it covers: claims tied to managing employee benefit plans — most commonly allegations of mismanagement, improper vendor selection, or breach of fiduciary duty as a plan administrator.

Best for: any startup that has launched a 401(k) or other benefit plan. If you've made decisions about plan design, vendor selection, or fee structure, you have fiduciary exposure — even if a third-party administrator runs the day-to-day.

Watch out for: outsourcing administration does not eliminate your exposure. The company and its decision-makers can still face claims alleging poor choices — failing to review excessive fees, mismanaging benefit plan vendor selection. The policy protects against those claims.

How to sequence: what to add at Seed, Series A, and Series B

| Policy | Seed | Series A | Series B |
|---|---|---|---|
| CGL | ✓ Required | ✓ Required | ✓ Required |
| D&O | ✓ Required (investor ask) | ✓ Required | ✓ Required |
| Tech E&O | ✓ Before first MSA | ✓ Required | ✓ Required |
| Cyber | ✓ If handling customer data | ✓ Required | ✓ Required |
| Crime / Fidelity | Add at close | ✓ Required | ✓ Required |
| EPLI | Add when hiring managers | ✓ Required | ✓ Required |
| Fiduciary Liability | | Add when launching 401(k) | ✓ Required |
| Media Liability | | If running paid content at scale | ✓ Consider |

The first-time question isn't which policy you should add. It's which gap in your current stack would cost you a deal, delay a contract, or leave you personally exposed if something went wrong this quarter.




FREQUENTLY ASKED QUESTIONS

What insurance does a B2B SaaS company need at Seed?
At minimum: CGL, D&O (investor requirement), Tech E&O (before your first MSA), and Cyber (if you handle customer data). Add Crime/Fidelity at close. Total annual premiums typically run $2,000–$4,000 at $1M limits.

What is the difference between Tech E&O and Cyber insurance?
Tech E&O covers financial loss a customer suffers because your product failed. Cyber covers claims from people whose data was exposed in a breach of your systems. One incident can trigger both — enterprise customers often require both policies.

When do startups need EPLI insurance?
When you have employees and managers making termination or performance decisions. Risk rises sharply after reorgs, executive hires, or rapid headcount growth where managers didn't hire the people they're now managing.

Does Cyber insurance cover wire fraud losses?
No. Standard Cyber covers third-party liability from data breaches. Wire fraud and social engineering losses that result in direct financial loss to your company require a Crime/Fidelity policy or a specific Funds Transfer Fraud endorsement.

Tim Salikhov, CFA
CEO @ Bridges | Strategic Finance for B2B Payments