Bridges Guides

Insurance for SaaS Founders Scaling from $3M to $30M+ in ARR

What insurance coverage to buy from $3M to $30M+ in ARR, based on a survey of 176 founders, COOs, and CFOs, on research by the NAIC and CIAB, and on select broker analyses.

Tim Salikhov, CFA · June 22, 2026 · 50 min read

Key takeaways
  • D&O, Cyber, Tech E&O, and CGL are the core stack — these four policies cover governance claims, data breaches, product failures, and physical liability, and are required by enterprise customers, investors, or landlords before you can operate and sell.
  • Extra coverage activates on triggers, not on day one — EPLI once managers are running performance reviews and terminations; HNOA the moment anyone drives for work, even in a personal car; Fiduciary Liability once you launch a 401(k); Media Liability once you publish at scale or run a platform with user content.
  • Customers, investors, and landlords are the three forcing functions — enterprise procurement requires Cyber, Tech E&O, and CGL with specific limits; institutional investors and outside directors require D&O; office leases and vendor onboarding require general liability proof before you can proceed.
  • Broker choice should match your revenue stage — new-generation platforms (Vouch, Embroker, Corgi) outperform on speed and startup-native language below $5M ARR; independent specialist brokers (Newfront, Woodruff Sawyer, Marsh McLennan) provide better market access and claims advocacy above $15M ARR.
  • Regulated verticals — healthcare, fintech, and AI — carry a different risk profile, with higher baseline premiums, additional underwriting scrutiny, and coverage gaps in standard policies that require purpose-built endorsements most generalist brokers won't flag.

Part 1

The startup insurance stack, in plain English

Insurance is a stack of policies, not one policy. Most founders learn this the hard way — they buy what a customer or investor asked for and assume they're covered, then find a gap when something goes wrong.

Here's what actually exists, what each policy does, and where the boundaries are.

Directors and Officers (D&O)

What it covers: claims alleging wrongdoing in how your company was run — management decisions, governance, disclosures, fundraising. The key thing to understand is that D&O protects people, not the company's products. If a co-founder sues your board alleging improper dilution, or an investor claims management misrepresented projections to secure a higher valuation, D&O is what responds.

Who needs it: any company with institutional investors, a formal board, or a priced round on the horizon. The moment you have outside directors, you need this. They won't join a board without it, and you shouldn't expect them to.

When it shows up: term sheets, board formation, director recruitment. Later-stage diligence will always ask for it.

Inside a D&O policy

D&O is structured in three "sides":

  • Side A covers individual directors and officers directly, when the company can't or won't indemnify them (insolvency is the classic case). No retention applies to Side A.
  • Side B reimburses the company when it does indemnify its directors and officers, subject to a retention.
  • Side C covers the company entity itself, also subject to a retention.

Defense costs are within the policy limit: every dollar spent on lawyers reduces the amount available for settlements and judgments. On a duty-to-defend form the insurer selects defense counsel; on a reimbursement form you choose counsel, subject to the insurer's consent.

Standard limits for a Seed-stage company: $1M per claim / $2M aggregate. Expect investors to push D&O limits up at Series A (see the mid-year triggers in Part 6).

Real scenarios and how D&O responds

Your Series B investors sue the board, alleging management provided inflated revenue projections during the fundraise. Side A and Side B both respond. Side A covers individual directors when the company can't indemnify them. Side B covers costs and damages when it can.

A former co-founder alleges the board improperly diluted their equity through a new funding round structured to benefit current management. Claims of breach of fiduciary duty — self-dealing, improper dilution, failure to act in shareholders' best interests — are core D&O territory.

The SEC sends your CFO a Wells Notice related to statements made in connection with your most recent private placement. Side A and Side B respond for the individual. Entity-level regulatory investigations are not covered under the standard policy.

What D&O does not cover: professional services errors (Tech E&O), employment claims (EPLI), ERISA fiduciary breaches (Fiduciary Liability), bodily injury or property damage (CGL), fraud and intentional misconduct.

Available add-ons:

  • Outside Directorship Endorsement — extends coverage when your directors serve on outside boards at the company's request
  • Crisis Event Expense Endorsement — covers PR and reputation management costs when a covered event generates significant negative publicity
  • Investigative Costs Endorsement — provides broader coverage for regulatory investigations and document requests that fall short of a formal claim

Technology Errors and Omissions (Tech E&O)

What it covers: claims that your software, product, or services caused a customer financial loss. If your platform goes down for 48 hours and a client sues for lost revenue, or your analytics produce a bad output and a customer over-orders $500K in inventory they can't sell — that's Tech E&O territory. It's not about physical damage. It's about financial harm caused by what your technology did or didn't do.

Who needs it: any SaaS company, AI product, developer tool, fintech platform, or marketplace. If you have paying customers who depend on your product for outcomes that have financial consequences, you need Tech E&O before you sign your first MSA.

When it shows up: enterprise procurement, MSAs, SLAs, professional services contracts. It's one of the two policies (alongside Cyber) that enterprise customers almost always require.

Inside a Tech E&O policy

Tech E&O is claims-made, not occurrence-based. This matters: the claim must be made during the policy period, and the wrongful act must have occurred after the policy's retroactive date. When you switch carriers, retroactive dates need careful coordination.

Defense costs are within the policy limit — the same dynamic as D&O. Standard limits: $1M per claim / $2M aggregate. Self-insured retention is typically $10,000 per claim.

Real scenarios

Your analytics platform has a calculation error. A retail client relies on your demand forecasts and over-orders $500K in inventory they can't sell. Covered as a Wrongful Act: Negligent Error.

A routine code update causes a 48-hour outage on your SaaS platform. Your largest client sues for the business revenue they lost during the downtime. Covered as a Wrongful Act: Negligent Act in Performing Technology Services.

You build a custom integration between your client's ERP and their payment processor. A bug corrupts three months of their financial records. Covered as Wrongful Act: Negligent Systems Integration.

What Tech E&O does not cover: breach of contract alone (a narrow carveback may apply where your negligent act independently caused the contractual failure), SLA penalties, liquidated damages, data breaches or unauthorized access (that's Cyber), employment disputes (EPLI), bodily injury or property damage (CGL).

Available add-ons:

  • AI and Algorithmic Liability Endorsement — modular coverage for algorithmic bias, hallucination/defamation, data poisoning, adversarial attacks, AI intellectual property
  • Copyright and Trademark Infringement Endorsement — extends coverage to IP infringement claims, including trade secret misappropriation
  • Breach of Contract / SLA Carveback Endorsement — broadens coverage to include certain contractual failures that also result from a covered wrongful act
  • Subcontracted Technology Services Endorsement — extends coverage to work performed by subcontractors and outsourced development teams

Tech E&O vs. Cyber: where one ends and the other begins

These two policies are often bought together, and founders frequently confuse them. The boundary is this: Tech E&O covers the financial harm your technology caused to a client through professional failure. Cyber covers the liability that arises when your systems are breached and someone else's data is exposed.

Tech E&O vs. Cyber, side by side:

  What triggers it
    Tech E&O: a professional mistake or failure in your technology
    Cyber: a data breach or network security failure
  Type of harm
    Tech E&O: the client's financial loss from your product or services
    Cyber: third-party claims from those whose data was exposed
  Common scenario
    Tech E&O: your code update causes 48 hours of downtime; the client sues for lost revenue
    Cyber: hackers steal 50K customer records; affected individuals file a class action
  Key question
    Tech E&O: did your technology fail to perform correctly?
    Cyber: was data accessed or disclosed without authorization?

One gap can trigger both. A vulnerability in your product leads to a breach — and the client sues both because their data was exposed (Cyber) and because your platform failed to perform as contracted (Tech E&O). That's why enterprise customers often require both.

Cyber Liability

What it covers: third-party claims that arise when your network security fails or private data is exposed. A hacker exfiltrates 50,000 customer records and affected customers file a class action. Your cloud infrastructure is compromised and an enterprise client sues because their customers' data was disclosed.

The standard policy (Coverage A) is third-party liability only — it covers lawsuits and claims brought against you by others. It does not cover your own costs to respond to a breach. First-party costs — forensic investigations, breach notification, credit monitoring, business interruption losses — require endorsements.

Who needs it: any startup handling customer data, credentials, payments, regulated data, or critical infrastructure. That covers almost every B2B SaaS company.

When it shows up: security questionnaires, enterprise onboarding, vendor risk reviews, SOC 2 compliance processes.

Inside a Cyber policy

Cyber is claims-made with defense costs within the policy limit. The underlying breach must have occurred after the retroactive date, and the claim must be made during the policy period. Standard limits: $1M per claim / $2M aggregate. Self-insured retention: typically $10,000 per event.

What the standard policy does not cover: your own breach response costs (first-party), ransomware payments, social engineering fraud, bodily injury, property damage, professional errors (Tech E&O), employment disputes. These require endorsements.

Available add-ons:

  • Breach Response / Event Management Endorsement — first-party costs: forensic investigation, legal counsel, breach notification, credit monitoring, call center (what people usually mean when they say "cyber insurance")
  • Ransomware / Cyber Extortion Endorsement — covers ransom payments and related response expenses
  • Business Interruption Endorsement — covers lost income and extra expense when a covered event takes your systems offline
  • Funds Transfer Fraud Endorsement — covers direct financial loss from a social engineering attack causing unauthorized wire transfers
  • Employee Privacy Endorsement — extends third-party liability to claims brought by your own employees when their personal data is compromised
  • PCI Liability Endorsement — covers contractual fines and assessments from payment card brands following a breach

Commercial General Liability (CGL)

What it covers: third-party bodily injury and property damage claims, plus certain advertising injury claims. If a visitor trips in your office and breaks their wrist, CGL responds. If a demo prototype falls off a table and damages a visitor's laptop, CGL responds.

The critical boundary: CGL covers the physical world. If no one was physically hurt and no tangible property was damaged, CGL doesn't apply. Product performance claims that cause financial loss — those are Tech E&O.

Who needs it: most startups, even pure software companies, because office leases, vendor onboarding, and events commonly require a certificate of insurance (COI) before you can proceed.

Employment Practices Liability (EPLI)

What it covers: employment-related claims — discrimination, harassment, retaliation, wrongful termination. The company and its managers are both protected.

Who needs it: any startup hiring employees. This becomes critical once managers are running performance conversations and terminations become routine.

When it shows up: growth hiring, reorganizations, executive hiring, multi-state teams. The risk profile increases sharply once you have managers who didn't hire the people they're now managing.

Hired and Non-Owned Auto (HNOA)

What it covers: company liability when employees drive for work in personal cars or rented vehicles. Most founders miss this because they think "we don't own any cars." That's exactly the point — HNOA covers you when someone uses their own car or rents one for company business.

Who needs it: companies with sales teams, travel, fieldwork, hardware demos, or any regular work-related driving.

Fiduciary Liability

What it covers: claims tied to managing employee benefit plans — typically 401(k) and other benefit plan administration. If someone alleges mismanagement of a benefit plan, improper vendor selection, or breach of fiduciary duty as a plan administrator, this is what responds.

When it shows up: launching a 401(k), scaling benefits programs, later-stage HR maturity.

Media Liability

What it covers: claims tied to content and advertising risk — defamation, certain copyright or trademark allegations, invasion of privacy arising from published or distributed content.

Who needs it: companies running paid marketing at scale, publishing content frequently, or operating platforms with user-generated content or significant content exposure.

Crime / Fidelity Insurance

What it covers: direct financial losses from fraud, employee theft, and wire transfer fraud. If a social engineering attack causes your team to wire funds to an unauthorized recipient, or an employee steals from the company, Crime Insurance is what responds. This is distinct from Cyber, which covers third-party liability after a breach; Crime covers your own financial loss. The two overlap on social engineering: a Cyber policy's Funds Transfer Fraud endorsement and a Crime policy's social engineering coverage can each claim, or each disclaim, the same fraudulent wire. Confirm that at least one of them actually carries the coverage, and which one is primary for that loss, rather than assuming it is picked up somewhere.

Who needs it: any company moving capital regularly, which is every funded startup. Early-stage companies are frequent targets precisely because they're moving money fast and often haven't built the internal controls that larger organizations have.

When it shows up: Seed rounds. Institutional investors increasingly ask for Crime / Fidelity alongside D&O at close. Wire fraud is the top financial crime targeting early-stage companies — one successful attack can be unrecoverable at runway-constrained stages.

Workers' Compensation

What it covers: medical expenses, lost wages, and rehabilitation costs for employees injured or ill as a result of their work.

Who needs it: almost every company with employees. Workers' Comp is legally required in nearly every state the moment you make your first hire. This isn't discretionary.


Part 2

What to buy at each stage

Insurance needs evolve with your company. The pressure to add coverage comes from three directions: customers asking for proof of coverage before signing contracts, investors requiring it as a governance condition, and the operational reality that you can't walk back a claim that happened before you were insured.

Policy, and when it enters the stack (Pre-Seed / Seed, Series A, Series B+):

  • CGL: Seed onward, if you have a lease, office, or vendor onboarding
  • Tech E&O: Seed, if you sell B2B, sign MSAs, or do implementation work; higher limits from Series A
  • Cyber: Seed, if you handle customer data or ship software; higher limits from Series A
  • HNOA: Seed onward, if anyone drives for work or rents cars for business travel
  • D&O: Seed, add with institutional investors or a priced round; hard to avoid from Series A
  • Crime / Fidelity: Seed, add at close, often required alongside D&O
  • Workers' Comp: required by law once you have employees, at any stage
  • EPLI: Series A, add once hiring and terminations are routine
  • Media: Series A or later, add if marketing footprint is growing
  • Fiduciary: Series B+, add when launching a 401(k) or scaling benefits

Seed

At Seed, you're building the foundational layer — the policies that unlock your ability to operate and sell.

Cyber is the first one most Seed-stage founders actually need, even if they don't know it yet. If you handle customer data or ship software, every enterprise procurement conversation will eventually ask for it. Tech E&O is the second. If you sell B2B, sign MSAs, or do any implementation work, a customer can claim your product or service caused them financial loss. CGL is straightforward — if you have a lease, an office, or any vendor who requires a certificate of insurance, you need it.

HNOA is the one Seed founders miss most consistently. If anyone drives for work, add HNOA. D&O becomes important at Seed if you're closing a priced round with institutional investors or adding a formal board.

The Seed package: Cyber + Tech E&O + CGL + Crime / Fidelity, with HNOA if you have any work-related driving and D&O if you have or are raising a priced round. Workers' Comp the moment you make your first hire.

Series A

By Series A, two things have changed: governance has formalized and headcount has grown. Both create new exposure.

D&O becomes hard to avoid. You have institutional investors, a formal board, and outside directors. EPLI becomes important as headcount increases and managers start running performance reviews, promotions, and terminations. Higher limits on Cyber and Tech E&O — enterprise procurement requirements at Series A are stricter; customers commonly ask for $2M+ aggregate limits.

One thing founders consistently get wrong: investors and enterprise customers may require that they be named as additional insureds on specific policies. This means they have direct rights under your policy, not just proof that you have one.

The Series A package: CGL + D&O + Tech E&O + Cyber (higher limits) + EPLI, with Media if the content risk warrants it.

Series B+

At Series B and beyond, the stack is mature. The question is less "what do we need" and more "what limits and endorsements fit the actual exposure."

Fiduciary Liability becomes necessary once 401(k) participation grows. Media Liability is standard at this stage if you're running significant marketing operations. Ongoing limit increases are driven by larger customers, larger contracts, and higher scrutiny from investors and partners.

The Series B+ package: CGL + D&O + Tech E&O (higher limits) + Cyber (higher limits) + EPLI + Media + Fiduciary, with specialized endorsements based on your industry — AI liability, PCI, business interruption, ransomware.


Part 3

What affects your price

Insurance pricing depends on risk profile. The underwriter is trying to estimate how likely you are to make a claim and how large that claim would be. Understanding what drives that estimate tells you what you can influence — and what you can't.

Stage, revenue, and growth rate

Across almost every policy, these are the baseline inputs. A $500K ARR company and a $15M ARR company buy fundamentally different coverage because the potential claim size is different. Growth rate matters too — a company growing 3x year-over-year is adding customers, headcount, and complexity faster than a stable business.

Customer profile and contract terms

The terms you sign with customers directly affect your Cyber and Tech E&O pricing. If your contracts include broad indemnification obligations, unlimited liability caps, or aggressive SLAs, you've taken on more risk than the policy's standard assumptions. Specific flags: unlimited liability language, consequential damages exposure, acceptance of liquidated damages clauses, and primary and non-contributory wording in the customer's insurance requirements (your policy pays first and theirs does not contribute).

Data sensitivity and security controls (Cyber)

Cyber pricing is more sensitive to your data profile than almost any other factor. What you can influence: documented security controls. A clean SOC 2 report meaningfully reduces your premium because it demonstrates audited controls (SOC 2 is an attestation report, not a certification, so don't describe it as one on the application). MFA on email, remote access, and privileged accounts, encryption at rest and in transit, endpoint detection and response, tested offline or immutable backups, vendor access controls, and incident response procedures all factor in. Answer the application literally: a "yes" to "MFA enforced on all remote access" when one VPN or admin console is exempt is a misrepresentation, and misrepresentation in the application is a coverage defense, up to rescission of the policy, for the insurer.

Claims history and continuity on claims-made policies

For Tech E&O, D&O, and Cyber, all claims-made policies, your claims history is a primary pricing input. The less-obvious issue is continuity: when you switch carriers, the new carrier may set a fresh retroactive date rather than honor your old one, creating a gap for wrongful acts that happened before the switch but haven't yet produced a claim. That is a prior-acts gap. You close it either by having the new carrier carry your original retroactive date forward (full prior acts coverage) or by buying a tail, an extended reporting period, on the expiring policy. When you switch carriers, verify retroactive date continuity explicitly and in writing.

Headcount and HR practices (EPLI)

EPLI pricing follows headcount and organizational complexity. Multi-state operations increase exposure because employment law varies significantly by state. Documented HR practices — written offer letters, employee handbooks, performance management processes, termination procedures — all signal to the underwriter that your employment decisions are structured and defensible.

Board structure and fundraising history (D&O)

D&O underwriters look at your cap table, your board composition, and your fundraising history. Key risk factors: concentration of power on the board, related-party transactions, complex equity structures, investor disputes in your history, and regulatory interactions. Outside directors are generally a positive signal.

Industry and use case

Industry is a pricing multiplier. Fintech companies pay more for Cyber because they handle payment data. Healthcare companies pay more because PHI is high-value and HIPAA violations carry regulatory exposure. AI companies face higher Tech E&O scrutiny because the failure modes of AI systems are less predictable than traditional software.

Ballpark costs by stage

  Policy            Seed                Series A            Series B+
  CGL               $400–$750/yr        $750–$1,500/yr      $1,500+/yr
  Cyber             $1,500–$3,000/yr    $3,000–$8,000/yr    $8,000+/yr
  Tech E&O          $2,000–$5,000/yr    $4,000–$12,000/yr   $12,000+/yr
  D&O               $3,000–$8,000/yr    $8,000–$20,000/yr   $20,000+/yr
  Crime / Fidelity  $1,000–$2,500/yr    $1,000–$2,500/yr    $2,500+/yr
  EPLI              Not yet needed      $2,000–$5,000/yr    $5,000+/yr
  Workers' Comp     Varies by state     Varies              Varies

A typical Seed-stage SaaS company with 10 employees should expect to spend $12,000–$20,000 per year for a core stack: CGL, D&O, Cyber, and Crime. Add Tech E&O and you're looking at $15,000–$25,000.


Part 4

When something goes wrong: how claims actually work

Most founders have never made an insurance claim. They find out how the process works at the worst possible moment — under deadline pressure, with a lawyer on the other side already moving. Here's what you need to know before that happens.

Claims-made vs. occurrence: the timing question that decides everything

The policies you actually rely on — Tech E&O, D&O, Cyber, EPLI — are almost all written on a claims-made basis. General liability (CGL) is the main exception; it's occurrence-based.

An occurrence policy responds based on when the underlying event happened. A visitor is hurt in your office in 2024: your 2024 CGL policy responds, even if the lawsuit arrives in 2026.

A claims-made policy responds based on when the claim is made against you and reported to your insurer — not when the underlying act occurred. The act just has to have happened after your retroactive date.

Two critical obligations

  • Report immediately. The moment you receive anything alleging wrongdoing (a demand letter, regulatory inquiry, email threatening legal action, even a counterclaim), that is a claim. Report it in writing the same day.
  • Protect your retroactive date. Every time you renew or change carriers, confirm continuity explicitly. Don't assume it transfers.

What happens when a policy lapses

When a claims-made policy ends without renewal, the reporting window closes. Any incident that occurred during the policy period but hasn't yet generated a formal claim becomes uninsured the moment coverage lapses — unless you buy tail coverage (Extended Reporting Period). Tail coverage keeps the reporting window open, typically for one, three, or six years. Six years is standard in M&A. Cost is usually 100–300% of the annual premium.
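A worked model of the timing rules above, added here as an example (it is not code from the original article). It treats a policy as a period plus, for claims-made forms, a retroactive date and an optional tail, and runs the carrier-switch scenario in three variants: retro date reset by the new carrier, retro date carried forward, and a one-year tail bought on the expiring policy. Carrier names, policy periods, dates, and the outage-then-lawsuit loss are constructed.

```python
"""Claims-made vs. occurrence timing check.

Added example, not code from the original article.  Carrier names, policy
periods, retroactive dates and the loss scenario below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence


@dataclass(frozen=True)
class Policy:
    name: str
    start: date                        # first day of the policy period
    end: date                          # last day of the policy period (use Dec 31, never Feb 29)
    claims_made: bool                  # True for Tech E&O, D&O, Cyber, EPLI; False for CGL
    retro_date: Optional[date] = None  # claims-made only: earliest wrongful act the policy picks up
    tail_years: int = 0                # claims-made only: Extended Reporting Period bought at expiry

    def covers(self, act_date: date, claim_date: date) -> bool:
        """True if this policy responds to a wrongful act on act_date first claimed on claim_date."""
        if not self.claims_made:
            # Occurrence form: only the date of the underlying event matters.
            return self.start <= act_date <= self.end

        retro = self.retro_date or self.start
        if act_date < retro:
            return False  # prior act: it happened before the retroactive date
        if act_date > self.end:
            return False  # a tail extends the reporting window, not the window in which acts must occur
        reporting_end = self.end.replace(year=self.end.year + self.tail_years)
        return self.start <= claim_date <= reporting_end


def responding_policies(policies: Sequence[Policy], act_date: date, claim_date: date) -> list:
    """Names of the policies that would respond, in the order given."""
    return [p.name for p in policies if p.covers(act_date, claim_date)]


# Constructed scenario: Tech E&O first bound 2022-01-01 with Carrier A and renewed
# annually, then moved to Carrier B for the 2025 policy year.
ORIGINAL_RETRO = date(2022, 1, 1)
A_2024 = Policy("Carrier A 2024 E&O", date(2024, 1, 1), date(2024, 12, 31), True, ORIGINAL_RETRO)
A_2024_TAIL = Policy("Carrier A 2024 E&O + 1yr tail", date(2024, 1, 1), date(2024, 12, 31), True,
                     ORIGINAL_RETRO, tail_years=1)
B_2025_RESET = Policy("Carrier B 2025 E&O (retro reset)", date(2025, 1, 1), date(2025, 12, 31), True,
                      date(2025, 1, 1))
B_2025_CARRIED = Policy("Carrier B 2025 E&O (retro carried)", date(2025, 1, 1), date(2025, 12, 31), True,
                        ORIGINAL_RETRO)
CGL_2024 = Policy("2024 CGL", date(2024, 1, 1), date(2024, 12, 31), False)

ACT = date(2024, 6, 1)      # a code update causes a 48-hour outage
CLAIM = date(2025, 8, 15)   # the customer's lawsuit arrives the following year


def switch_without_continuity() -> list:
    """New carrier reset the retro date and no tail was bought: the 2024 act is uninsured."""
    return responding_policies([A_2024, B_2025_RESET], ACT, CLAIM)


def switch_with_continuity() -> list:
    """New carrier carried the original retro date forward: the 2025 policy responds."""
    return responding_policies([A_2024, B_2025_CARRIED], ACT, CLAIM)


def switch_with_tail() -> list:
    """Retro date reset, but a one-year tail on the expiring policy keeps its reporting window open."""
    return responding_policies([A_2024_TAIL, B_2025_RESET], ACT, CLAIM)


def tail_ignores_later_acts() -> list:
    """A tail does not cover acts after expiry: a March 2025 outage is not the 2024 policy's problem."""
    return responding_policies([A_2024_TAIL], date(2025, 3, 1), CLAIM)


def occurrence_form() -> list:
    """CGL responds on the year of the event, even when the suit arrives two years later."""
    return responding_policies([CGL_2024], ACT, date(2026, 3, 1))


if __name__ == "__main__":
    for fn in (switch_without_continuity, switch_with_continuity, switch_with_tail,
               tail_ignores_later_acts, occurrence_form):
        print(f"{fn.__name__:28s} -> {fn() or 'NOT COVERED'}")
```

The reset case returns an empty list: the act predates the new carrier's retroactive date and the old policy's reporting window closed at expiry, so nobody responds. The tail case shows the other half of the rule: an extended reporting period keeps the old policy's reporting window open, but it never picks up acts that happen after that policy expired.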

The step-by-step claims process

  1. Trigger. A written allegation, demand for money or relief, regulatory notice, arbitration demand, or any formal complaint qualifies as a claim. When in doubt, report it.
  2. Notice. Report to your insurer immediately, in writing, using the exact contact method specified in your policy. If you have facts that may give rise to a claim but no formal claim yet, file a notice of circumstances — this locks coverage into the current policy year.
  3. Adjuster assignment. The insurer assigns a claims adjuster, who reviews the allegations against your policy's trigger, exclusions, and conditions.
  4. Coverage position. The insurer either accepts, denies, or — most commonly in gray areas — defends you under a reservation of rights.
  5. Defense counsel. For duty-to-defend policies, the insurer appoints defense counsel from its approved panel. In some states (California, Massachusetts), a reservation-of-rights situation gives you the right to independent counsel paid by the insurer.
  6. Defense and cooperation. You must cooperate fully. Resistance creates coverage disputes.
  7. Settlement. You must get the insurer's consent before settling. Settling without consent can forfeit coverage entirely.

The hammer clause: read this before you negotiate any policy

The hammer clause is the mechanic that punishes you for refusing a settlement the insurer recommends. Example: the claimant offers to settle for $400K. The insurer recommends you accept. You refuse and go to trial. The jury awards $900K. Under a full hard hammer, the insurer pays $400K — and you personally absorb the remaining $500K.

  • Hard hammer — worst case; insurer's exposure capped at the recommended settlement
  • Soft hammer — you and the insurer split costs above the rejected settlement; 80/20 (insurer pays 80%) is the most founder-friendly version widely available
  • No hammer — best; insurer stays on the hook to policy limits regardless

This is a negotiable term. Push for 80/20 or no hammer at your next renewal.
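The hammer clause arithmetic above, as an added example (not code from the original article). It computes the insurer's and the insured's share of a judgment under each of the three variants, and adds the one input the worked example in the text leaves out: defense costs already spent under a limits-eroding policy, which cap what the insurer can pay even with no hammer at all. The $400K settlement / $900K award case is the one from the text; the policy limit and defense-cost figures are constructed. Many real clauses also apply the same split to defense costs incurred after the rejection, which this model ignores.

```python
"""Hammer clause arithmetic.

Added example, not code from the original article.  Dollar figures for the
policy limit and defense spend are constructed; the $400K / $900K case is
the one worked in the text.
"""
from typing import Dict, Tuple

HARD, SOFT, NONE = "hard", "soft", "none"


def split_award(award: float, recommended: float, policy_limit: float,
                defense_spent: float, hammer: str, insurer_share: float = 0.8) -> Tuple[float, float]:
    """Return (insurer_pays, insured_pays) for a judgment of `award` after the insured
    rejected a settlement of `recommended` that the insurer wanted to accept.

    defense_spent: defense costs already paid under a limits-eroding policy; they
    reduce what is left for the judgment regardless of the hammer variant.
    insurer_share: soft hammer only, the insurer's share of the amount above the
    rejected settlement (0.8 is the 80/20 version).
    """
    if min(award, recommended, policy_limit, defense_spent) < 0:
        raise ValueError("amounts must be non-negative")
    if not 0.0 <= insurer_share <= 1.0:
        raise ValueError("insurer_share must be between 0 and 1")

    available = max(policy_limit - defense_spent, 0.0)  # indemnity left after erosion

    if award <= recommended or hammer == NONE:
        # No hammer, or refusing to settle worked out: the insurer owes the award, up to what is left.
        insurer_target = award
    elif hammer == HARD:
        insurer_target = recommended  # insurer's exposure capped at what it wanted to pay
    elif hammer == SOFT:
        insurer_target = recommended + insurer_share * (award - recommended)
    else:
        raise ValueError(f"unknown hammer variant: {hammer}")

    insurer_pays = min(insurer_target, available)
    return insurer_pays, award - insurer_pays


def text_case(hammer: str) -> Tuple[float, float]:
    """The article's example: $400K offer rejected, $900K verdict, $2M limit, no defense spend yet."""
    return split_award(900_000, 400_000, 2_000_000, 0, hammer)


def eroded_no_hammer() -> Tuple[float, float]:
    """Same verdict, no hammer, but a $1M limit already eroded by $300K of defense costs."""
    return split_award(900_000, 400_000, 1_000_000, 300_000, NONE)


def compare_variants(award: float, recommended: float, policy_limit: float,
                     defense_spent: float) -> Dict[str, float]:
    """What the insured is left holding under each variant, for a renewal negotiation."""
    return {h: split_award(award, recommended, policy_limit, defense_spent, h)[1]
            for h in (HARD, SOFT, NONE)}


if __name__ == "__main__":
    for h in (HARD, SOFT, NONE):
        ins, you = text_case(h)
        print(f"{h:5s} hammer: insurer ${ins:,.0f}, you ${you:,.0f}")
    ins, you = eroded_no_hammer()
    print(f"no hammer, eroded limit: insurer ${ins:,.0f}, you ${you:,.0f}")
```

The eroded case is the caveat worth carrying into a negotiation: "no hammer" only means the insurer stays on the hook to policy limits, and with defense costs inside the limit, the limit at trial is whatever the lawyers have not already spent.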

Reservation of rights: what it means

A reservation of rights (ROR) letter means the insurer will defend you but reserves the right to later deny coverage. It's not a denial — but it's a warning that your interests and the insurer's may diverge. Read it carefully, respond in writing disputing any reservations you contest, watch for language reserving the right to claw back defense costs, and get coverage counsel involved early.

The do's and don'ts

Do: report immediately and in writing; preserve all documents and the original policy; loop in your broker; cooperate fully with the investigation; get coverage counsel involved on any ROR or complex claim.

Don't: settle, admit liability, propose mediation, or hire defense counsel without written insurer consent; assume a demand letter or regulatory inquiry isn't a claim; let coverage lapse or switch carriers without confirming retro dates and tail.


Part 5

How to choose a broker

Your broker is the most important insurance decision you make. More important than any single policy. A good one gets you better terms, better coverage, and fights for you when you have a claim. A bad one emails you a renewal increase once a year and disappears when you need them.

Who's who

Carrier: the insurer — the balance sheet that actually pays claims. Retail broker: your advisor. They represent you, not the carrier. Wholesale broker / MGA: sits between your retail broker and specialty carriers, used to access hard-to-place markets. An MGA (Managing General Agent) has actual underwriting authority delegated by the carrier.

What a good SaaS broker actually does

  • Multi-carrier market access. They show you all quotes side by side — including ones they didn't recommend. If they can only quote one or two carriers, you're not getting a real market.
  • Manuscript endorsements. Custom policy language negotiated specifically for your situation — not off a standard form. A better definition of "claim," a softer hammer clause, an explicit AI coverage affirmation, favorable retroactive date treatment.
  • Benchmarking. They tell you whether your limits, retentions, and pricing are competitive for a company at your stage.
  • Claims advocacy. When something goes wrong, they help you determine whether it's a covered claim, place notice correctly, and push for reimbursement.
  • Proactive renewal strategy. They start 90–120 days out, build a submission that tells your company's story to underwriters, and introduce competitive tension when it's in your interest.

How broker compensation creates conflicts

Brokers are paid by commission (a percentage of your premium, paid by the carrier), by fee (paid by you), or a hybrid. The structural issue: commission rises with your premium. A broker paid purely on commission has a weak incentive to drive your costs down. Ask directly. A broker who's evasive about compensation is a red flag.

Seven questions to ask any broker — including your current one

  1. How many SaaS or venture-backed companies at my stage do you serve? Can you give me comparable examples?
  2. Which carriers and markets do you place with — including specialty and surplus-lines markets?
  3. How are you compensated? What's the percentage, from whom, and does any single carrier represent more than half your book?
  4. When I have a claim, who picks up the phone? Do you have in-house claims expertise or do I contact the carrier directly?
  5. Will you negotiate manuscript endorsements and benchmark my limits and retentions against peers?
  6. How and when do you run renewals, and what does your submission include?
  7. Who is actually on my service team day-to-day?

A simple test for your current broker

Ask: "What changes about our insurance program if we close a Series B next quarter and sign a $2M enterprise contract with a new customer?" A strong broker answers immediately and specifically — limits that need to go up, D&O triggers, what the enterprise contract's insurance requirements likely look like, what the timeline is. A weak broker looks at you blankly.


Part 6

When to review your coverage

The worst time to find out your coverage is wrong is during a claim. The second worst is during a fundraise, when the investor's counsel is asking for your D&O declarations page and your policy lapsed six months ago.

The annual review

Full review at least once a year, tied to renewal. Start 90–120 days before expiration — not 30.

What to bring: current policies and all endorsements with declarations pages (retro dates matter), five years of loss runs across all lines, updated headcount and revenue, your largest customer contracts and their insurance requirements, cap table and funding history for D&O, and product roadmap — especially anything involving AI or new lines.

What to ask: Are my limits and retentions still adequate, benchmarked against comparable companies? Are my retro dates intact across every claims-made line? What exclusions were added or changed since last year — specifically AI, war, infrastructure? Where are my coverage gaps? What does my hammer clause actually say, and can we improve it?

Mid-year triggers: don't wait for renewal

Fundraise or new round. D&O needs to be bound before close — typically $3M–$5M minimum limits at Series A.

New board member or outside director. Outside directors will ask for D&O before joining. Make sure your policy's insured-vs.-insured exclusion has appropriate carve-backs.

New product line, especially AI. Underwriters are adding AI-specific exclusions and sublimits. Confirm your coverage hasn't been silently eroded.

Large enterprise contract. A single MSA with broad indemnification and high minimum limits can render your current program inadequate overnight.

Significant headcount changes. EPLI becomes critical around 15–30 employees. Layoffs spike EPLI risk even more than hiring.

International expansion. New jurisdictions bring new data-privacy obligations (GDPR), potentially local admitted-coverage requirements, and D&O exposure.

M&A. Tail coverage decisions need to be resolved before the old policy lapses. Buyers routinely require a six-year tail on the seller's D&O.

The annual review checklist

  1. Confirm retro dates intact on every claims-made line — Tech E&O, D&O, Cyber, EPLI
  2. Benchmark limits and retentions against comparable companies at your stage
  3. Review exclusions added or changed since last renewal — AI, war, infrastructure, prior-acts
  4. Check contractual insurance requirements from your largest customers — minimum limits, COI requirements, endorsement obligations
  5. Verify D&O adequacy against funding stage and board composition
  6. Soften the hammer clause if you haven't already — push for 80/20 or no hammer
  7. Pull five years of loss runs and build a top-of-the-stack submission
  8. Confirm tail or prior-acts plan for any anticipated M&A, carrier switch, or wind-down
  9. Get written broker compensation disclosure and a written renewal strategy
  10. Ask your broker what changed in the market since last year and whether you should shop the program

What the market looks like right now (2025–2026)

This is a soft, buyer-friendly market — the softest conditions since 2017 across most lines. D&O rates have fallen for eight consecutive quarters. Cyber rates dropped 5–7% per quarter through 2025. Tech E&O is roughly flat. For founders, this is a good time to push for better terms, broader coverage, and softer hammers.

Two caveats: tech and VC-backed companies are consistently called out as a pricing exception — fintech and crypto companies sometimes pay two to three times mainstream rates. And even with rates falling, your premium can rise if your revenue, headcount, or data footprint grew. The soft market in cyber and D&O appears to be nearing the bottom.


Part 7

If you're building with AI: what changes

Standard startup insurance advice assumes your product behaves predictably. AI products don't, and that changes the risk picture in ways that the existing stack — Tech E&O, Cyber, D&O — only partially addresses. The gap between "we have Tech E&O" and "we have Tech E&O that affirmatively covers our AI system's outputs" is where the real exposure lives.

1. Cyber and privacy risk — amplified

AI amplifies cyber risk in two ways: volume and complexity. Training datasets are large, often contain sensitive or regulated data, and are high-value targets. GDPR and CCPA give individuals the right to erasure — but if someone's personal data was used to train your model, deleting it from your database doesn't delete its influence on the model's weights.

What responds: Cyber Liability (third-party breach claims), with first-party endorsements for breach response and business interruption. Employee Privacy Endorsement if your model processes employee data.

What to do: Encrypt training data, document your data lineage, maintain records of what data was used to train which model versions. If you collect biometric data — facial recognition, voice, fingerprints — BIPA in Illinois imposes per-violation damages that compound fast.
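One way to keep the lineage records this passage calls for, as an added example that is not part of the guide and not Bridges' own tooling: every training run is logged as the model version plus the SHA-256 digests of the records it consumed, so an erasure request for one data subject can be mapped to the model versions whose weights that subject's data influenced. The subject identifiers, record text and model version names are constructed sample data.

```python
"""Training-data lineage manifest (added example, constructed data).

Every training run is recorded as the model version plus the SHA-256
digests of the records it consumed. Given an erasure request for one data
subject, the manifest answers which model versions were trained on that
subject's data, the list you need because deleting a row does not undo
its influence on the weights.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TrainingRecord:
    subject_id: str   # pseudonymous data-subject identifier (constructed)
    payload: str      # the training text itself (constructed sample)

    def digest(self) -> str:
        # Content-addressed id: the same subject + text always hashes the same,
        # so a record can be located in any run without storing the text twice.
        material = json.dumps([self.subject_id, self.payload], sort_keys=True)
        return hashlib.sha256(material.encode("utf-8")).hexdigest()


def dataset_digest(record_digests) -> str:
    """Order-independent fingerprint of a whole training set."""
    h = hashlib.sha256()
    for d in sorted(record_digests):
        h.update(bytes.fromhex(d))
    return h.hexdigest()


@dataclass
class LineageManifest:
    # model_version -> {"dataset_digest": ..., "records": [digest, ...]}
    runs: dict = field(default_factory=dict)
    # record digest -> subject_id, kept apart from the runs so that the run
    # entries hold nothing but hashes
    subjects: dict = field(default_factory=dict)

    def register_run(self, model_version: str, records) -> str:
        digests = sorted(r.digest() for r in records)
        fingerprint = dataset_digest(digests)
        self.runs[model_version] = {"dataset_digest": fingerprint,
                                    "records": digests}
        for r in records:
            self.subjects[r.digest()] = r.subject_id
        return fingerprint

    def models_trained_on_subject(self, subject_id: str) -> list:
        """Model versions whose training set contained this subject's data."""
        wanted = {d for d, s in self.subjects.items() if s == subject_id}
        return sorted(v for v, run in self.runs.items()
                      if wanted.intersection(run["records"]))

    def to_json(self) -> str:
        # Serialised form to store alongside the model artefacts
        return json.dumps({"runs": self.runs, "subjects": self.subjects},
                          sort_keys=True, indent=2)


def build_sample_manifest() -> LineageManifest:
    """Two training runs over constructed records; v2 dropped subject s-002."""
    r1 = TrainingRecord("s-001", "support ticket: login page times out")
    r2 = TrainingRecord("s-002", "support ticket: invoice total is wrong")
    r3 = TrainingRecord("s-003", "support ticket: export to csv missing rows")
    r4 = TrainingRecord("s-001", "support ticket: password reset email late")
    m = LineageManifest()
    m.register_run("model-v1", [r1, r2, r3])
    m.register_run("model-v2", [r1, r3, r4])
    return m


if __name__ == "__main__":
    manifest = build_sample_manifest()
    print("erasure request for s-002 affects:",
          manifest.models_trained_on_subject("s-002"))
    print("erasure request for s-001 affects:",
          manifest.models_trained_on_subject("s-001"))
```

The manifest stores hashes rather than the training text, so the lineage record itself is not a second copy of regulated data, and the per-run dataset digest lets you prove later that a given model version was trained on exactly the recorded set.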

2. Intellectual property risk

IP is at the center of most AI litigation today. Your training data may include material you didn't have rights to use. Your model's outputs may reproduce copyrighted content. If you built on a foundational model (GPT, Claude, Llama), you may be downstream of IP disputes you didn't initiate.

What responds: Tech E&O with a Copyright and Trademark Infringement Endorsement. Note that standard Tech E&O policies often exclude IP claims — verify affirmative coverage explicitly.

3. Bias and discrimination risk

The EEOC, DOJ, FTC, and CFPB have jointly declared their intent to enforce penalties where AI contributes to unlawful discrimination. NYC Local Law 144 requires bias audits for AI hiring tools. The EU AI Act classifies systems used in employment, credit, and access to services as high-risk.

What responds: EPLI covers employment-related discrimination claims. D&O covers governance failures around AI deployment decisions. Tech E&O with an AI and Algorithmic Liability Endorsement covers bias claims arising from your product.

What to do: Test your models for demographic bias before deployment, document the testing, maintain records. Create a clear protocol for reviewing and appealing AI-driven decisions.
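A minimal version of the pre-deployment bias test described above, as an added example that is not the guide's own code: it computes each group's selection rate and the adverse impact ratio (lowest rate divided by highest), which the EEOC's four-fifths rule of thumb flags when it falls below 0.8, and returns the result as a record you can keep with the testing documentation. The group labels, decision counts, model version name and the 30-person minimum group size are assumptions for the example.

```python
"""Pre-deployment disparate-impact check (added example, constructed data).

For each protected-attribute group the check computes the selection rate
(share of favourable decisions) and then the adverse impact ratio: the
lowest group rate divided by the highest. The EEOC's four-fifths rule of
thumb treats a ratio below 0.8 as evidence of adverse impact that needs
investigation. The report is a plain dict so it can be written straight
into the testing record you are keeping.
"""
from collections import defaultdict

FOUR_FIFTHS = 0.8
MIN_GROUP_SIZE = 30   # below this the ratio is too noisy to act on (assumption)


def selection_rates(decisions):
    """decisions: iterable of (group, favourable) pairs; favourable is a bool.

    Returns (rate per group, size per group).
    """
    totals = defaultdict(int)
    favourable = defaultdict(int)
    for group, outcome in decisions:
        totals[group] += 1
        if outcome:
            favourable[group] += 1
    return {g: favourable[g] / totals[g] for g in totals}, dict(totals)


def adverse_impact_ratio(rates):
    """min rate / max rate; 1.0 when nobody in any group was selected."""
    if len(rates) < 2:
        raise ValueError("need at least two groups to compare")
    highest = max(rates.values())
    if highest == 0:
        return 1.0          # no favourable decisions at all, so no disparity
    return min(rates.values()) / highest


def bias_report(model_version, decisions, threshold=FOUR_FIFTHS):
    """Build the record to file with the deployment decision."""
    rates, sizes = selection_rates(decisions)
    ratio = adverse_impact_ratio(rates)
    return {
        "model_version": model_version,
        "group_sizes": sizes,
        "selection_rates": rates,
        "adverse_impact_ratio": ratio,
        "threshold": threshold,
        "flagged": ratio < threshold,
        # groups too small for the ratio to mean much; note them rather than
        # silently trusting the number
        "small_groups": sorted(g for g, n in sizes.items() if n < MIN_GROUP_SIZE),
    }


def constructed_screening_decisions():
    """A hiring screen over constructed data: 100 applicants per group."""
    return ([("group-A", True)] * 60 + [("group-A", False)] * 40
            + [("group-B", True)] * 40 + [("group-B", False)] * 60)


if __name__ == "__main__":
    import json
    report = bias_report("screener-v3", constructed_screening_decisions())
    print(json.dumps(report, indent=2))
```

With the constructed data the ratio is 0.4 / 0.6, about 0.67, so the report is flagged; the same function run on each candidate model version before release, with the output stored, is the "document the testing, maintain records" part of the passage.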

4. Model errors and performance risk

AI systems fail differently from traditional software. A hallucinating LLM produces confident, plausible, and wrong outputs. AI systems are also often held to higher standards than humans — customers who would accept human error may not accept algorithmic error.

What responds: Tech E&O — specifically covering the financial harm your AI's output caused to a client. Whether your policy language covers AI-generated outputs as a covered wrongful act is a coverage question, not a given.

5. Regulatory risk

The EU AI Act is the most concrete near-term framework. In the US, the picture is patchwork: state-level laws (NYC Local Law 144, California AB 2930, Illinois BIPA) are ahead of federal regulation. The FTC, EEOC, and CFPB are all actively applying existing law to AI use cases.

What responds: Cyber Liability covers certain regulatory defense costs. The Investigative Costs Endorsement on D&O covers regulatory investigations targeting leadership. Tech E&O with an AI endorsement covers regulatory claims arising from product performance.

The policy language trap

The single most important thing an AI company can do in an insurance review is verify affirmative coverage — not assume it. Before you sign any renewal or new policy, ask your broker:

  • Does this policy affirmatively cover losses arising from AI-generated outputs, including hallucinations and model errors?
  • Are there any exclusions that apply specifically to machine learning, algorithms, or automated decision-making?
  • Does the IP coverage extend to claims arising from training data?
  • If a regulator investigates our use of AI, which policy covers defense costs and under what conditions?

If your broker can't answer these questions or doesn't know what a hallucination is, find a broker who works with AI companies.

The 2026 AI exclusion wave

Verisk/ISO introduced endorsement forms (CG 40 47, CG 40 48, CG 35 08) effective January 2026 that let GL carriers exclude bodily injury, property damage, and personal/advertising injury "arising out of generative artificial intelligence." With ISO forms underpinning roughly 82% of US P&C policies, these exclusions will appear at renewals without announcement. Parallel "absolute AI" exclusions are emerging in D&O, E&O, and fiduciary forms.

You may renew a policy that looks identical to last year's and find that an AI exclusion has been quietly added. Ask your broker at every renewal: did any exclusions change, specifically around AI or algorithmic decision-making?

Affirmative AI products do exist but are niche. Armilla (a Lloyd's-backed MGA launched April 2025) offers standalone AI liability cover. Coalition has added affirmative AI endorsements to certain cyber policies. These are real but not yet mainstream.


Part 8

Industry verticals: what changes when you're in a regulated space

The core insurance stack — Tech E&O, Cyber, D&O, CGL — applies to every B2B SaaS company. But selling into regulated industries changes three things simultaneously: the limits customers require (often $5M–$10M vs. $1M–$2M), the endorsements your standard policy is missing, and the exclusions that are most likely to produce a denied claim exactly when you need coverage most.

The practical rule: upgrade your insurance program before signing your first regulated-industry contract, not after.

Financial services

Fintech sits at the intersection of two of the most targeted industries for cybercriminals: finance and technology. Financial data carries higher per-record breach costs and notification obligations. Cyber premiums run 20–40% higher for companies handling financial data. Over 60% of fintech companies have been hit with compliance fines exceeding $250,000.

What changes about your stack:

  • Crime / Fidelity is essential, not optional. Standard Cyber covers data breaches — not stolen funds. If you move or manage money, Crime belongs in your stack from Seed.
  • Tech E&O needs financial services endorsements for payment-routing errors, incorrect transactions, investment advice claims, and lenders liability.
  • Cyber needs PCI-DSS alignment and regulatory defense. Tokenizing payments through Stripe or Adyen can move you from SAQ D to SAQ A and save $25,000–$75,000+ per year in compliance costs.
  • Limits must match bank and partner requirements. Sponsor banks and payment processors commonly require $2M–$5M in Cyber and Tech E&O before go-live, with you named as a specific endorsee.
  • Surety bonds are not insurance. State money transmitter licenses require surety bonds in each state ($10K–$500K+; Colorado requires $1M). Bonds protect the regulator, not you.

Coverage traps: Regulatory fines are often uninsurable (punitive fines in most US states); PCI assessments frequently get denied under contractual liability exclusions; standard Cyber won't cover stolen funds — only Crime with Social Engineering and Electronic Funds Transfer endorsements will.

Healthcare

Healthcare is the most-targeted industry for cyberattacks and carries among the highest per-record breach costs of any sector. Hospital and payer partners commonly require $5M–$10M in Tech E&O and Cyber. The regulatory framework, HIPAA, creates detailed breach obligations but pays none of the cost.

If you create, receive, maintain, or transmit Protected Health Information on behalf of a covered entity, you are a HIPAA Business Associate. A 4,200-patient record breach can generate $1M–$2M+ in exposure. Anthem paid $16M in the largest HIPAA settlement in US history plus a separate $115M class action over a breach affecting nearly 79 million people.

What changes about your stack:

  • Cyber needs HIPAA-specific endorsements: PHI breach notification, OCR investigation defense as a covered cost, regulatory fine coverage where insurable, HITECH penalty sub-limits of $1M+.
  • Business Associate Agreements don't provide financial protection. A BAA transfers contractual obligations. Your Cyber policy is what pays.
  • Third-party and sub-processor coverage is essential. Many healthtech breaches originate in a vendor's systems. Add this coverage back explicitly.
  • SaMD requires specific Tech E&O wording. If your software informs clinical decisions, the policy needs to specifically include software-as-a-medical-device in its professional services definition.
  • HITRUST certification can reduce Cyber premiums by 10–20%.

Coverage traps: Generic Cyber without BAA-aligned wording leaves OCR defense uncovered; assuming the covered entity's insurance covers you (it doesn't — their insurer's first call is subrogation against you); SaMD misclassification creates uninsured product liability.

Legal technology

Legaltech has a risk profile that doesn't map cleanly onto standard SaaS. The data is uniquely sensitive — attorney-client privileged communications, M&A details, litigation strategy. The Unauthorized Practice of Law (UPL) doctrine creates liability exposure no SaaS company in any other vertical faces. AI-assisted features introduce a failure mode — fabricated citations, hallucinated case law — that standard Tech E&O language wasn't written to address.

The specific risks:

  • Unauthorized Practice of Law (UPL). Every US state prohibits non-lawyers from practicing law. LegalZoom was sued in California on UPL grounds. The line between information and advice is genuinely unclear and shifts as AI generates outputs that look like legal analysis.
  • Privileged communications as a breach target. Law firms hold some of the most sensitive and commercially valuable data in existence.
  • AI hallucination in legal outputs. When an AI system fabricates a case citation that a lawyer includes in a brief, the downstream harm — sanctions, malpractice claims — is real.

What changes about your stack: Tech E&O's "professional services" definition needs to cover what you actually do — legal research, contract analysis, drafting assistance, AI-generated legal outputs. Get the answer in writing or as a policy endorsement. UPL exposure needs careful policy mapping — UPL claims might be excluded as regulatory actions or professional services outside coverage scope. Cyber needs confidentiality and privilege-breach coverage, not just regulated personal data. Claims-made timing matters more in legaltech because legal disputes are slow-moving — protect retroactive date continuity obsessively.


Part 9

Choosing brokers and carriers: an honest comparison

Every broker will tell you they're different. Some are. The question is whether the difference matters for where you are right now — and whether it will still matter in two years. The most useful frame isn't "traditional vs. digital" or "big vs. small." It's: who bears the risk behind the policy, what happens when you have a claim, and does this provider have the appetite and capacity to serve you as you scale?

Who's in the market

Traditional carriers (Chubb, Travelers, Beazley, Markel, AIG, CNA, The Hartford) have been writing tech risk for decades. Policy forms refined over years. AM Best ratings of A or A++. Deep capacity for large towers. Beazley pioneered cyber insurance in 1997. Travelers acquired Corvus in 2024. Weaknesses: slower quoting (days to weeks), paperwork-heavy, generalist language that may need manuscript endorsements, tendency to decline or overprice fast-growing pre-profit startups.

New-generation platforms — Embroker, Vouch, Coalition, At-Bay, Cowbell, Founder Shield, and Corgi — were built to fix exactly those problems. Faster quoting, cleaner UX, startup-native policy language, and in some cases genuinely better affirmative coverage for software-specific risks.

  • Coalition built its own carrier, Coalition Insurance Company, which earned an AM Best A- (Excellent) rating in 2023. Bundles active cyber monitoring with coverage.
  • At-Bay evolved from an MGA to owning its own Delaware carrier (AM Best A-, reaffirmed through 2025).
  • Vouch was acquired by Hiscox in 2025 — a real-world illustration of how quickly the insurtech landscape consolidates.
  • Corgi is a newer entrant, purpose-built for venture-backed startups. Founder feedback has been positive on speed and pricing; one CFO reported ~40% cost reduction with more coverage year-over-year.
  • Embroker is a digital brokerage placing policies underwritten by third-party carriers.
  • Founder Shield focuses on high-growth, VC-backed companies; underwritten by carriers rather than its own balance sheet.

Independent specialist brokers — Newfront (acquired by Willis Towers Watson), Woodruff Sawyer, Lockton, Marsh McLennan, Hub International — offer market access across both traditional and insurtech carriers, with dedicated account teams and genuine advocacy at claims time.

The MGA vs. carrier question

Several insurtech platforms are Managing General Agents — they underwrite under delegated authority from a carrier, but the balance-sheet risk sits with a fronting carrier and reinsurers. Others have built or bought their own rated carrier. This matters at two moments: when you have a claim, and when the market hardens. An MGA depends on its capacity provider. If that relationship changes, your policy may be affected even if you've done nothing wrong.

The practical check

Always ask who the actual risk-bearer behind your policy is, and what its AM Best rating is. "Vouch" or "At-Bay" on your declarations page may mean the carrier, or it may mean an MGA backed by a fronting carrier you've never heard of.

What CFOs and operators actually say

On Newfront (formerly ABD): The most frequently mentioned broker in CFO circles. Recurring themes: consultative approach, strong at negotiating customer contract insurance requirements. Also the most frequently mentioned for variability — quality is highly dependent on which specific team and broker you get.

On Vouch: Consistently positive feedback at early stage — Series A and below. Fast quoting, startup-native service. Occasional complaints at later stage: premium competitiveness declined as companies grew. The Hiscox acquisition adds a question mark on culture and focus going forward.

On Embroker: Consistently mentioned alongside Vouch as the other major early-stage option. Positive on speed and UX. One documented complaint: a combined D&O/EPLI policy that allegedly didn't honor EPLI coverage at claims time, plus a renewal quote that more than doubled.

On Marsh McLennan: The most common recommendation for later-stage companies ($15M+ ARR, complex programs, pre-IPO positioning). Praise is almost uniformly directed at specific individuals rather than the firm.

On Woodruff Sawyer and Lockton: Recurring as reliable mid-to-large stage alternatives. Strong on cyber specifically.

On Corgi: Beginning to appear in conversations, with early feedback focused on price competitiveness and clean digital experience. Newer, so less established on claims handling.

The clearest pattern: quality varies enormously within firms, not just between them. The firm gives you baseline access to markets; the individual broker gives you actual service. Ask for references from current clients at your stage before committing.

What matters at each stage

Seed — speed and coverage basics. A customer needs a COI before close; an investor needs D&O before the wire. The new-generation platforms (Vouch, Embroker, Corgi) genuinely outperform traditional brokers. You need Tech E&O + Cyber at $1M–$2M limits and D&O once you close your round. Still verify: who is the actual risk-bearer, what's the AM Best rating.

Series A — coverage quality and contract fit. Enterprise customers are reviewing your COI line-by-line, requiring additional insured status, demanding specific limits and endorsements. A broker who can read your MSA and tell you whether your limits and endorsements are aligned is worth considerably more than one who clicks through a portal.

Series B and beyond — claims track record and capacity. The soft market makes this an excellent time to lock in broad terms. But it also means the cycle is likely nearing its bottom. The emphasis now: established carriers with proven claims operations, a specialist independent broker running a genuine competitive marketing process, and a program built for your actual exposure.

An honest assessment of new-gen vs. traditional

The real question: who bears the risk and how does the policy perform under a contested claim? For fast, clean, startup-appropriate coverage at Seed and early Series A, the new-generation platforms are genuinely better. For complex, large, or litigated claims — a contested D&O claim with investors, a major Cyber loss, an EPLI dispute — the track record and financial strength of traditional carriers, combined with an independent specialist broker who advocates for you, is meaningfully better.

The practical answer: use a new-generation platform at Seed and early Series A for speed and simplicity. Run a genuine competitive process at Series B, including traditional carriers, with a specialist independent broker. Don't stay at your early-stage provider out of inertia.

What is not negotiable, regardless of who you use: understand who actually bears the risk behind your policy, protect your retroactive dates obsessively, and never let a claims-made policy lapse without confirming tail coverage.


FAQ

What insurance does a Seed-stage SaaS startup actually need?

The core Seed package is Cyber + Tech E&O + CGL + Crime / Fidelity, with HNOA if anyone drives for work and D&O once you close a priced round with institutional investors. Workers' Comp is required by law from your first hire. Expect to spend $12,000–$25,000 per year for the full core stack at 10 employees.

What's the difference between Tech E&O and Cyber insurance?

Tech E&O covers financial harm your technology caused to a client through a professional failure (a bug, an outage, a bad output). Cyber covers third-party liability when your systems are breached and someone else's data is exposed. They're often bought together because one incident — a vulnerability that causes both downtime and a data breach — can trigger both.

Why does my retroactive date matter so much?

Claims-made policies (Tech E&O, D&O, Cyber, EPLI) only cover wrongful acts that happened after your retroactive date. When you switch carriers, the new carrier may reset that date — creating a gap where prior acts are suddenly uninsured. Verify retroactive date continuity in writing at every renewal and every carrier change. It is the single most common and expensive mistake founders make with insurance.

When do I need D&O insurance?

The moment you close a priced round with institutional investors or add outside directors to your board. Outside directors won't join without it, and lead investors will require it at term-sheet stage. Standard Seed/Series A limits are $1M per claim / $2M aggregate; Series A and later often need $3M–$5M.

Does my Cyber policy cover wire fraud and stolen funds?

No. Standard Cyber covers third-party liability after a data breach. It does not cover your own direct loss when a social engineering attack causes your team to wire funds to a fraudulent account. That's Crime / Fidelity with Social Engineering and Electronic Funds Transfer endorsements. This is the most consistent coverage misconception in fintech.

Does my Tech E&O policy cover AI hallucinations and model errors?

Maybe — but don't assume. Standard Tech E&O language was written for deterministic software. Before signing any renewal, verify in writing that the policy affirmatively covers AI-generated outputs, hallucinations, and algorithmic failures. The AI and Algorithmic Liability Endorsement exists for this gap. If your broker can't answer the question, find one who works with AI companies.

What's the hammer clause and why should I care?

It's the mechanic that punishes you for refusing a settlement the insurer recommends. Under a hard hammer, if you reject a $400K settlement and lose at trial for $900K, the insurer pays only $400K and you absorb the rest. Push your broker for a soft 80/20 hammer or no hammer at every renewal — it is negotiable.


Sources

National Association of Insurance Commissioners (NAIC) — Cyber Insurance Report (2024). US cyber insurance premium data, claim frequency and severity trends.
Council of Insurance Agents & Brokers (CIAB) — P&C Market Survey, Q3 2025. Cyber and D&O rate change data; buyer-market conditions.
American Academy of Actuaries — Cyber Insurance Nears an Inflection Point (2025). 11+ consecutive quarters of negative cyber rate change through H1 2025.
Marsh — Global Insurance Market Index, Q2 2025. D&O rate decline data; sixth consecutive quarter of decreases.
Beazley — H1 2025 Interim Results. Cyber rate change (–6.8%) and loss ratio (48.5%) data.
Coalition — 2025 Cyber Claims Report. BEC/FTF share of cyber claims (60%); fund transfer fraud frequency.
Gallagher Re — Generative AI litigation trend data, 2021–2025. 978% increase in US AI-related cases.
Verisk/ISO — AI exclusion endorsement forms CG 40 47, CG 40 48, CG 35 08. Effective January 2026.
HHS Office for Civil Rights — HIPAA enforcement actions. Logan Health $4.3M settlement; Anthem $16M settlement.
EEOC, DOJ, FTC, CFPB — Joint Statement on Enforcement of Civil Rights Laws in Automated Systems (2023).
AM Best — Carrier financial strength ratings. Coalition Insurance Company (A-), At-Bay Specialty Insurance Company (A-).
Bridges Operator Survey (this guide) — 176 founders, COOs, and CFOs at SaaS companies between $1M and $50M ARR, surveyed Q1 2025 through Q1 2026.
Disclaimer: This guide is general information, not legal, tax, or insurance advice. Policy forms, premium levels, exclusions, and carrier ratings change frequently. Verify all figures and coverage language directly with a licensed insurance broker and your own counsel before binding any policy.
CEO @ Bridges | Strategic Finance for Vertical SaaS