Cyber Liability vs Tech E&O vs EPLI: What Each One Actually Covers
Cyber Liability covers third-party claims when your data or network security fails. Tech E&O covers claims that your software or services caused a customer financial loss. EPLI covers employment-related claims — discrimination, harassment, wrongful termination. Each policy responds to a different triggering event, and none of them overlaps cleanly with the others. The broker who pitched all three in one conversation wasn't wrong that you need all of them — they just didn't explain that a data breach, a product failure, and a termination dispute are three entirely different claims, handled by three entirely different policies.
Key Takeaways
- Tech E&O and Cyber are both claims-made — the claim must be filed during the policy period; it is not enough that the incident occurred while a policy was in force. Switching carriers without protecting your retroactive date creates a coverage gap that can leave prior incidents uninsured.
- A single incident can trigger both Tech E&O and Cyber — a product vulnerability that leads to a breach exposes you to a client suing for both product failure (Tech E&O) and data exposure (Cyber). Enterprise customers often require both for exactly this reason.
- Standard Cyber only covers third-party liability — your own breach response costs (forensic investigation, notification, credit monitoring) require a first-party endorsement. Most founders don't know this until they're writing checks.
- EPLI risk spikes at Series A — when managers who didn't hire the people they're now managing start running performance reviews and terminations. The policy becomes necessary before the claim, not after.
- A typical Series A SaaS company pays $3,000–$8,000/year for Cyber, $4,000–$12,000/year for Tech E&O, and $2,000–$5,000/year for EPLI — three separate policies, three separate premiums, three separate claims processes.
How Cyber Liability Works
Cyber Liability covers third-party claims that arise when your network security fails or private data is exposed. A hacker exfiltrates 50,000 customer records and affected customers file a class action. Your cloud infrastructure is compromised and an enterprise client sues because their customers' data was disclosed. These are Cyber claims.
The part most founders miss: the standard Cyber policy (Coverage A) is third-party liability only. It covers lawsuits and claims brought against you by others. It does not cover your own costs to respond to a breach. If you need the insurer to pay for forensic investigation, breach notification letters, credit monitoring, or call center services — that's what most people picture when they imagine "cyber insurance" — you need a Breach Response / Event Management endorsement. Without it, you're paying those costs yourself while also funding the litigation response.
Tech E&O policies commonly exclude data breaches and unauthorized access — that's explicitly Cyber territory. Cyber policies exclude professional errors and product failures — that's explicitly Tech E&O territory. The boundary is designed, not accidental.
For vertical SaaS companies in fintech, healthtech, or any regulated vertical: standard Cyber pricing is higher because of payment data, PHI, and regulatory exposure. SOC 2 Type II certification can meaningfully reduce your premium by demonstrating to the underwriter that your controls are audited rather than self-reported. HITRUST certification reduces Cyber premiums by 10–20% for healthtech specifically.
Cyber policies from At-Bay and similar platforms often bundle active monitoring with coverage, which is worth evaluating alongside pure coverage comparisons.
How Tech E&O Works
Tech E&O covers claims that your software, product, or professional services caused a customer financial loss. Your platform goes down for 48 hours and a client sues for lost revenue. Your analytics produce a bad output and a customer over-orders $500K in inventory they can't sell. A bug corrupts three months of a client's financial records during a custom integration. These are Tech E&O claims.
The trigger is professional failure — a wrongful act in the delivery of technology services. It's not about physical damage. It's about financial harm caused by what your technology did or didn't do.
Tech E&O is claims-made. The claim must be made during the policy period, and the triggering wrongful act must have occurred after the retroactive date. Standard limits for a Seed or Series A SaaS company run $1M per claim / $2M aggregate, with a self-insured retention of typically $10,000 per claim.
One gap many founders don't know about: breach of contract alone is not covered. If your SLA says 99.9% uptime and you miss it, that contractual miss isn't a Tech E&O claim by itself. The negligent act that caused the miss needs to be independently covered as a wrongful act for coverage to respond. Some policies offer a Breach of Contract / SLA Carveback Endorsement that broadens this — worth asking about before you sign your first enterprise MSA.
If you're building with AI, ask your broker specifically about an AI and Algorithmic Liability Endorsement. Standard Tech E&O language was written before hallucination, algorithmic bias, and adversarial attacks were routine failure modes. The standard form may not affirmatively cover them. Resources like Founder Shield's cyber liability coverage outline how these endorsements work.
How EPLI Works
Employment Practices Liability covers employment-related claims — discrimination, harassment, retaliation, wrongful termination. Both the company and its managers are protected. Claims are filed by current employees, former employees, and in some cases candidates who weren't hired.
EPLI is often bundled with D&O (Directors & Officers) in a combined management liability policy, which is how it appeared in your broker's pitch. They're separate coverage lines that respond to separate claim types, even if they share a policy form.
What triggers an EPLI claim: a terminated employee alleges their termination was discriminatory. A manager is accused of harassment by a direct report. A candidate claims they weren't hired because of age or disability. A performance improvement plan is characterized as retaliation for raising a complaint. These scenarios are not hypothetical at Series A — they're routine in CFO communities and almost always expensive to defend even when the company prevails.
The Hartford's EPLI coverage and similar platforms typically offer defense costs within the policy limit, with retentions that vary based on headcount and claims history.
The pricing driver isn't your legal risk posture — it's headcount, growth rate, and multi-state presence. Multi-state operations meaningfully increase EPLI exposure because employment law varies by jurisdiction. What's legally permissible in one state can be a violation in another. Documented HR practices — written offer letters, employee handbooks, structured performance management — signal to the underwriter that employment decisions are defensible.
Cyber vs Tech E&O vs EPLI: Side by Side
| | Cyber Liability | Tech E&O | EPLI |
|---|---|---|---|
| What triggers it | Data breach or network security failure | Software/service failure causing customer financial loss | Employment claim — discrimination, harassment, wrongful termination |
| Who sues you | Customers, affected individuals, regulators | Customers, enterprise clients | Employees, former employees, candidates |
| Type of harm | Data exposure, privacy violation | Financial loss from product or service failure | Employment-related damages |
| Common scenario | Hacker exfiltrates 50K customer records; class action follows | 48-hour outage; client sues for lost revenue | Terminated employee alleges discrimination |
| Policy structure | Claims-made; standard is third-party only | Claims-made | Claims-made |
| Typical Seed limits | $1M/$2M | $1M/$2M | $1M/$2M |
| Typical Seed cost | $1,500–$3,000/yr | $2,000–$5,000/yr | Not typically needed yet |
| Typical Series A cost | $3,000–$8,000/yr | $4,000–$12,000/yr | $2,000–$5,000/yr |
Which Scenario Triggers Which Policy — and Where the Gaps Are
A product vulnerability in your platform gets exploited. An attacker accesses your database and exfiltrates customer records. The enterprise client whose data was exposed sues for both the data breach and for your platform's failure to perform as contracted. Cyber responds to the data breach claim. Tech E&O responds to the product failure claim. This is the most common scenario where both policies are triggered by the same underlying incident — and why enterprise customers require both.
A pure product outage with no data breach triggers only Tech E&O. A pure data breach with no product performance failure triggers only Cyber. The distinction is conceptually clean; the claims rarely are.
A manager terminates an underperforming employee. The employee files a discrimination claim. D&O covers the board-level governance decisions; EPLI covers the employment claim. These are separate policies and often separate legal proceedings. Neither Tech E&O nor Cyber has anything to do with it.
The gaps worth knowing: Standard Cyber does not cover your own breach response costs — that requires a Breach Response endorsement. Tech E&O does not cover SLA penalties or liquidated damages unless specifically endorsed. EPLI does not cover wage and hour claims in most standard forms — that's a separate endorsement that's worth asking about if you have hourly employees or California operations.
Social engineering fraud — a wire transfer sent to the wrong account because of a phishing attack — falls outside all three policies. That's Crime Insurance, specifically a Funds Transfer Fraud endorsement.
Which to Buy First at Your Stage
At Seed: Tech E&O and Cyber come first, before you sign your first B2B contract. Enterprise procurement will require both. Budget $3,500–$8,000/year combined at this stage. EPLI is not typically needed until you have managers running performance reviews and terminations — which at Seed usually means it waits.
At Series A: EPLI becomes necessary. Headcount has grown, managers who didn't hire the people they're managing are now running reviews, and employment claims spike when organizations formalize. Add it concurrent with your growth hiring, not after the first claim. Higher limits on Cyber and Tech E&O ($2M+ aggregate) become standard enterprise contract requirements at this stage.
At Series B: All three are standard and the question is limits and endorsements, not whether to buy. Review limits annually before significant contract renewals — a $1M per claim limit that worked at Seed becomes a negotiating friction point with enterprise customers at scale.
One thing that applies across all three at every stage: these are claims-made policies. Report anything that looks like a claim immediately and in writing, the same day you receive it. A demand letter, a regulatory inquiry, an email threatening legal action — all of these are claims under the policy definition. Delay long enough and you lose coverage, regardless of which policy should have responded.
Sources: At-Bay Tech E&O and Cyber coverage overview; Founder Shield Cyber Liability Insurance; The Hartford Employment Practices Insurance