Fundraising6

Tech E&O vs cyber insurance: which one does your SaaS startup actually need?

Most SaaS founders buy one of these and assume it covers both risks. Here's the 3-question test for which policy your MSA actually requires, and when you need both.

We had our tech E&O policy for eight months before I found out it wouldn't have covered the incident I was actually worried about. A prospect's security team asked for proof of cyber coverage during a $140k deal, and I had to explain, on that call, why the policy I'd already bought didn't count. That's the version of this mistake most SaaS founders make: buying one policy, assuming it covers both risks, and finding out the gap exists exactly when an enterprise buyer is checking.

Tech E&O and cyber insurance cover two different failures, and most seed-stage SaaS companies eventually need both, not either.

Tech E&O and cyber insurance cover two different failures

Tech errors and omissions insurance responds when your product fails to perform and a customer loses money because of it. A missed deadline, a bug that breaks their workflow, an integration that silently drops data. It's a professional liability policy: someone claims your software cost them money, and E&O is what pays your legal defense and any settlement.

Cyber insurance responds when your systems get attacked or data gets exposed. Ransomware, a breach of customer records, a business email compromise that drains a vendor payment. It covers your own incident response costs (forensics, legal, breach notification) and your liability to the people whose data was exposed.

The overlap that confuses everyone: a single incident can trigger both. If a bug in your access controls lets an attacker pull customer data, that's a cyber event caused by a product defect, and it can trip both policies at once, which is exactly why insurers sell them as separate line items instead of bundling them by default.

Why founders buy the wrong one first

Most founders buy cyber first, because "cyber insurance" is the term that shows up when you search for startup insurance in general. It feels like the comprehensive option. It isn't. Cyber insurance has nothing to say about a customer suing you because your API returned wrong data and cost them a failed reconciliation. That's a straight E&O claim, and a pure cyber policy will deny it.

The reverse mistake is buying only E&O because a lawyer or advisor told you it's "basically required for SaaS contracts," then skipping cyber because a breach feels like someone else's problem until your first real security review.

The 3-question test

Before you call a broker, answer these three questions honestly:

  1. Do you store or process customer data that would be expensive to notify people about if it leaked (emails, payment details, health data, anything regulated)? If yes, you need cyber.
  2. Could a bug, outage, or missed SLA in your product cause a customer measurable financial loss they could point to in a demand letter? If yes, you need E&O.
  3. Has an enterprise prospect's security or legal team ever asked you for a certificate of insurance, or do you expect one to in the next two quarters? If yes, you need both, now, because a stalled enterprise deal costs more than either premium.

Most SaaS companies answer yes to all three by the time they've signed a handful of $50k+ contracts. If you answered yes to just one or two, you can sequence the purchase instead of buying both at once.

What it actually costs

For an early-stage SaaS company with under $5M in revenue, tech E&O typically runs $1,500 to $4,000 a year as a standalone policy, and cyber runs a similar range, $1,000 to $3,500, depending on how much customer data you hold. Bundled tech E&O and cyber packages (often sold as "Tech Package" or "MPL" policies by carriers like Vouch, Coalition, or Chubb's tech division) frequently cost less combined than buying each separately, because the underwriting overlaps.

The number that actually matters isn't the premium, it's the retroactive date and the coverage limit relative to your largest contract. A $1M limit is common at seed stage. If you're signing a $500k enterprise contract with an indemnification clause, that limit is the first thing their legal team will check against the contract value, not the premium you paid.

The MSA moment that forces the decision

This is the part generic insurance guides skip: the decision usually isn't made proactively. It's made the week a prospect's procurement team sends back a vendor security questionnaire asking for a certificate of insurance naming specific coverage types and minimum limits. If you don't have the right policy in place, you're now negotiating insurance under deal pressure, which is the worst possible time to shop for it, because you'll take whatever the broker can bind fastest instead of what actually fits your risk.

The fix is buying before you need to produce the certificate, not after. If you've closed even one contract over $100k, assume the next one will ask.

What to do this week

Pull your three largest active contracts and check the indemnification and liability sections for any insurance requirement language. Then call one broker who specifically works with early-stage SaaS companies (not a generalist small business broker) and ask for a quote on both tech E&O and cyber as a bundled tech package, with the limit set to match your largest contract, not a generic default.

Frequently asked questions

Do I need cyber insurance if I don't store payment data?

Yes, if you store any customer PII, including emails, names, or usage data. Breach notification laws apply per record exposed, not just to payment data, and notification costs alone can run $150-$300 per affected record.

Can I just get a general liability policy instead?

No. General liability covers bodily injury and property damage. It explicitly excludes technology-related financial loss and data breaches, which is exactly what E&O and cyber are built to cover.

When do most SaaS startups actually buy their first policy?

Most buy tech E&O around their first $250k-$500k enterprise contract, when an MSA insurance requirement first appears, and add cyber within the next year as they cross a few thousand customer records.

Does D&O insurance cover any of this?

No. D&O protects your directors and officers from lawsuits over governance decisions. It doesn't respond to a product failure or a data breach claim, those need E&O and cyber specifically.

What limit should a seed-stage startup start with?

$1M per occurrence is the common starting point, matched up to your largest active contract value. Raise it before signing anything larger.

Buy the policy that matches the risk you actually have, not the one with the more familiar name. If you've closed a six-figure contract, get both quoted this month, before the next one asks you to prove it.

Read enough.
Ready to grow?

19 spots in the cohort. Applications open now.