An enterprise contract insurance requirement usually shows up as a single paragraph buried in the MSA redline: proof of cyber liability, tech E&O, and general liability, often $1M to $5M each, with your buyer named as an additional insured. Most founders see it for the first time days before signature and assume it means the deal is stuck. It rarely is, but only if you move on it immediately.
Why enterprise buyers ask for this now
Vendor security teams have standardized insurance riders the same way they standardized SOC 2 questionnaires. A procurement or legal reviewer runs a checklist against every vendor over a certain contract value, and "insurance minimums" is one line on it, not a judgment call about your specific product.
The ask is rarely personal. It is usually copy-pasted from the buyer's own vendor risk template, which is why the limits often look oversized for a 10-person startup. A $5M cyber liability requirement on a $30,000 annual contract is common, and it is not a sign the deal is falling apart.
What an enterprise contract insurance requirement actually asks for
Enterprise MSAs asking for insurance tend to request the same handful of things, in this order:
- Cyber liability: covers data breaches, ransomware, and notification costs. Typical minimum: $1M to $5M.
- Tech E&O: covers claims that your software failed to perform as promised. Typical minimum: $1M to $5M.
- General liability: covers bodily injury or property damage claims. Typical minimum: $1M to $2M.
- Additional insured status: names the buyer on your policy so they're covered for claims tied to your work. No dollar figure, just an endorsement.
- Waiver of subrogation: blocks your insurer from suing the buyer to recover a payout. No dollar figure, just an endorsement.
Tech E&O and cyber liability are frequently bundled into one policy, sometimes still described separately in the contract because the buyer's template was written before that bundling became common. Confirm with your broker before assuming you need two separate policies.
The checklist to run before you reply
Do these in order, ideally within 48 hours of receiving the redline:
- Pull your current policy's declarations page. It lists your existing limits in under a minute, and you need this before you can tell whether you're short.
- Compare limits line by line against the contract's insurance exhibit. Don't eyeball it. A $2M ask against a $1M policy is a real gap, not a rounding error.
- Call your broker same day, not "this week." Certificate of insurance turnaround is usually 1 to 2 business days once your broker has the exact endorsement language the buyer wants. Waiting three days to make the call adds three days to your close.
- Send the buyer's exact insurance exhibit to your broker, not a summary. Brokers bind additional insured endorsements to specific contract language. A paraphrase from your legal team costs you a second round trip.
- Ask your broker whether raising the limit is a policy change or a rider. A rider is usually faster and cheaper than restructuring the whole policy, and most brokers default to quoting the more expensive option unless you ask.
What to say when the ask is bigger than your policy
You don't have to accept every number in the exhibit as fixed. Two responses work more often than founders expect:
"We currently carry $1M in cyber liability. We can bind up to $2M same week through our current broker. $5M would require a new carrier and a longer underwriting cycle, can we proceed at $2M for this contract with a review at renewal?"
This works because it gives the buyer's legal team a concrete number to approve instead of an open-ended objection, and most vendor risk minimums have some flexibility built in that the procurement rep can't tell you about upfront.
If the ask includes a waiver of subrogation or additional insured status you don't currently have, say so directly rather than guessing: "We don't currently have that endorsement. Our broker can add it, expect a certificate within 2 business days of your confirmation." Buyers have seen this exact sentence from other vendors. It reads as competent, not evasive.
What this actually costs you
Raising cyber and tech E&O limits from $1M to $2M typically adds a few hundred dollars a year in premium for an early-stage SaaS company, not a multiple of your existing cost. The endorsements (additional insured, waiver of subrogation) are frequently free or a flat one-time fee, since they don't change your coverage, just who else can claim against it.
The real cost isn't the premium. It's the days lost when a founder discovers the requirement, assumes it needs a lawyer, and sits on the redline for a week deciding what to do. Enterprise deals stall on ambiguity, not on insurance limits.
Frequently asked questions
Do I need a lawyer to respond to an insurance requirement in a contract?
Usually not. Your broker can tell you within one call whether your current policy meets the ask or needs an endorsement. Bring in legal only if the contract's indemnification language conflicts with what your policy actually covers.
How fast can I actually get a compliant certificate of insurance?
Most brokers issue a certificate of insurance within 1 to 2 business days once they have the buyer's exact endorsement language. Same-day is possible if your broker already has a relationship with the buyer's insurer.
What if I don't have cyber insurance at all yet?
Binding a first policy typically takes 3 to 5 business days for a straightforward SaaS risk profile. Start the application the same day you see the requirement, not after the contract is otherwise finalized.
Can I negotiate the insurance minimums down?
Often, yes. Procurement teams frequently have discretion to accept a lower limit with a documented exception, especially for smaller contract values. Ask before assuming the number in the exhibit is final.
Does additional insured status cost extra?
Usually it's a flat endorsement fee of $0 to a few hundred dollars, not a percentage of premium. It doesn't expand your coverage limits, it just adds the buyer as a party who can claim against your existing policy.
Will this insurance requirement show up again with my next enterprise customer?
Yes. Once you've built the limits and endorsements for one enterprise buyer, later requests are usually a faster version of the same conversation, not a new negotiation from scratch.
The next time an insurance exhibit shows up in a redline, treat it as a same-week broker call, not a legal escalation. The founders who lose days on this aren't the ones with thin coverage, they're the ones who don't call their broker until the deadline is already close.