Tech & SaaS Insurance Claims Guide:
How Cyber, Tech E&O, and D&O Claims Actually Get Handled
When a technology company has a claim, the response that protects it is counterintuitive: the first call is to your broker or the carrier's breach hotline — not your IT vendor, and not the customer. Technology and software-as-a-service (SaaS) companies face three claim types that behave very differently — cyber and data-breach claims, technology errors and omissions (tech E&O) claims, and directors and officers (D&O) claims — and each runs on a claims-made policy, a tight reporting clock, and rules about who you can talk to first. The 2025 U.S. average data breach cost a record $10.22 million (IBM), and the median securities class-action settlement ran $14 million in 2024 (Cornerstone Research), so getting the first 48 hours right matters. This guide walks through the response for each, drawn from current claims data and Anvo's technology book.
- The first call is to your broker or the carrier's 24/7 breach hotline — not your IT team and not the customer. Engaging breach counsel first preserves legal privilege over the forensic investigation. Self-investigating can forfeit that privilege and complicate the claim.
- Cyber claims run on a clock. Twenty states set numeric breach-notification deadlines of 30–60 days, and the strictest — California, Colorado, Florida, New York, and Washington — require notice within 30 days. Multistate companies must meet the shortest applicable deadline.
- Don't pay a ransom — or rebuild systems — before the insurer signs off. Most cyber policies require carrier consent and sanctions screening; paying on your own can void coverage. A record 86% of ransomware-hit businesses refused to pay in 2025 (Coalition), helped by tested backups and insurer-led negotiation.
- Tech E&O and D&O are claims-made policies. Coverage depends on reporting the claim — or even a notice of circumstance — during the policy period. Late notice is the single most common reason a technology claim is denied.
- A claim affects your renewal. Cyber, tech E&O, and D&O all reprice on loss history; how cleanly a claim is handled and documented directly shapes the next renewal. Your broker's job is to manage the claim and then re-market the program.
The three claim types that drive technology and SaaS losses
Technology companies face three fundamentally different claim types: cyber and data-breach claims, technology errors and omissions (tech E&O) claims, and directors and officers (D&O) claims. Each runs on a claims-made policy with strict notice rules, and each rewards a fast, broker-led response. Knowing which one you have — and who to call first — usually determines the outcome.
The instinct after an incident — call the IT vendor, reassure the customer, start fixing things — is the wrong sequence for an insured claim. The right first move is to notify your broker or the carrier's breach hotline, because technology policies come with panels of pre-approved breach counsel, forensics firms, and ransom negotiators, and because engaging counsel first preserves legal privilege over the investigation. For the full inventory of which coverages a software company carries and why, see our complete tech and SaaS insurance guide; the state-by-state notification deadlines that start the clock are mapped in our tech and SaaS insurance requirements guide.
Technology claims are neither rare nor cheap. Across cyber insurer Coalition's claims book, the average cyber claim cost roughly $116,000 in 2025, and even the smallest companies averaged about $77,000 per claim. Breaches also take time to surface and resolve — IBM put the 2025 mean breach lifecycle at 241 days (158 days to identify, 83 days to contain) — which is exactly why the reporting clock and the response sequence carry so much weight.
The three claim types do not stay in their lanes. A faulty deployment that also exposes customer data can be both a tech E&O claim (the service failed) and a cyber claim (data was breached); an investor dispute after a security incident can pull in D&O. Because each policy is claims-made and each has its own notice rules, the practical task in the first hours is to report broadly and let your broker and counsel sort out which towers respond. The sections below walk through each claim type in the order you are most likely to face it.
Cyber breach claims: the response timeline that protects coverage
A cyber claim begins the moment you suspect unauthorized access — not when you confirm it. The protective sequence is: notify your broker or the carrier's 24/7 breach hotline, engage breach counsel under privilege, let the panel forensics firm investigate, contain and eradicate, then notify affected individuals within the legal deadline. Acting out of order is what damages most cyber claims.
Cyber is the most operationally complex technology claim because it runs three tracks at once: a technical investigation, a legal-and-regulatory notification process, and a first-party cost-recovery process (forensics, legal, call center, credit monitoring, business interruption). The reason the carrier's breach hotline exists is that the insurer has done this hundreds of times and you have not. Use the panel. For exactly what first-party and third-party cyber coverage pays for, see our cyber liability coverage page; for a deeper walk-through of how a breach unfolds, our cyber insurance breakdown for guest-data breaches follows the same response arc in detail.
The cyber incident response timeline
| Phase | What Happens | Who Leads | Timing |
|---|---|---|---|
| 1. Detect & triage | Identify suspected unauthorized access, isolate affected systems, and preserve logs — do not wipe anything | Internal IT / security lead | Hour 0 |
| 2. Notify broker / breach hotline | Place the claim and trigger the policy's incident-response panel | You + your broker | Within hours — before self-investigating |
| 3. Engage breach counsel | A privileged attorney ("breach coach") directs the investigation, shielding forensic findings under attorney-client privilege | Breach counsel (panel) | Day 0–1 |
| 4. Forensic investigation | Panel forensics firm scopes the intrusion: entry point, systems touched, data accessed, and root cause | Forensics firm | Day 1–14 |
| 5. Contain & eradicate | Remove attacker access, patch the entry point, and rebuild from clean, verified backups | IT + forensics | Concurrent with phase 4 |
| 6. Notify | Notify affected individuals, regulators, and (per contract) enterprise customers within statutory deadlines | Breach counsel | Within 30–60 days of determination |
| 7. Recover | Stand up credit monitoring and a response line; account for first-party loss and business interruption | Counsel + carrier | Weeks to months |
The notification phase is where the clock bites. Twenty states set numeric breach-notification deadlines between 30 and 60 days, and the five strictest — California, Colorado, Florida, New York, and Washington — require notice within 30 days of determining a breach occurred. A company with users in several states must comply with the shortest applicable deadline, so a single incident can put you on a 30-day clock nationwide. The U.S. Federal Trade Commission's Data Breach Response guide for business is the baseline reference, but the binding deadlines are set state by state.
Ransomware: do not pay — or rebuild — before the carrier consents
Cyber policies almost universally require the insurer's prior consent before any ransom is paid, and they expect you to involve their negotiation and sanctions-screening vendors. Paying on your own — or wiping and rebuilding systems before the carrier engages — can reduce or void the claim. The data shows why holding off works: in 2025 a record 86% of ransomware-targeted businesses refused to pay (Coalition), and recovery kept getting faster — 53% of victims were back within a week (Sophos). When companies do recover without paying, the lever is almost always tested, immutable backups.
Not every cyber claim is a breach: business email compromise and wire fraud
The most common cyber claim is not a dramatic data breach — it is money walking out the door. Business email compromise (BEC) and funds transfer fraud (FTF) together accounted for 58% of cyber incidents in 2025 (Coalition), with the average BEC loss around $27,000. These are reported under the cyber or crime side of the program, and the clock is even tighter than a breach: recovering misdirected funds often depends on notifying your bank and your carrier within 24–72 hours, while a recall of the wire is still possible. The same first move applies — call your broker before you do anything else.
Technology errors and omissions (tech E&O) claims: claims-made mechanics
A technology errors and omissions (tech E&O) claim arises when a customer alleges your software or service failed to perform and cost them money — an outage, a defect, a missed service level, or a security failure under your contract. Tech E&O is written claims-made, so coverage hinges on reporting the claim, or a notice of circumstance, while the policy is in force.
"Claims-made" is the single most important mechanic to understand. Unlike a general liability policy, which responds to incidents that occur during the policy period regardless of when the claim is filed, a claims-made policy responds only to claims first made and reported during the policy period (back to a retroactive date). The practical consequence: if a customer sends a demand letter and you sit on it past renewal, the new policy can deny it as a known prior circumstance and the old policy can deny it as reported late. A general liability policy explicitly excludes the professional and technology services at the heart of a software business — which is why tech E&O exists as a separate line and why this is the policy that answers a customer-performance dispute. Our professional liability and tech E&O coverage page covers what the line includes and excludes.
How a tech E&O claim actually moves
- Trigger: A customer demand letter, a withheld payment tied to a service failure, a formal dispute notice, or a lawsuit. Even a serious complaint that could become a claim is a reportable circumstance.
- Notice: Report to the carrier immediately. On a claims-made policy, prompt notice is not a courtesy — it is a coverage condition.
- Defense: The carrier assigns or approves defense counsel. On most technology forms, defense costs erode the limit ("defense within limits"), so early, efficient handling preserves more of the limit for any settlement.
- Consent to settle: Tech E&O policies contain a consent-to-settle clause and a no-voluntary-payment provision. Settling with the customer, or admitting fault, without the carrier's consent can forfeit reimbursement.
- Retention: You fund the retention (commonly $2,500 for small firms, scaling to $10,000–$25,000+ at higher limits) before the carrier pays; the retention is not a threshold to "exceed" before reporting.
The limit your contract demands is usually $1M–$5M of tech E&O, named in the customer master service agreement (MSA) — and that contractual limit, more than your company size, is what a covered claim is measured against. A blended event matters here too: when a deployment failure also exposes data, the matter can trigger both the tech E&O and cyber sides of the program, which is one reason the two are increasingly written together on a single technology tower.
Directors and officers (D&O) claims: investor suits, regulators, and Side A
A directors and officers (D&O) claim targets the people who run the company — founders, directors, and officers — alleging mismanagement, misrepresentation to investors, breach of fiduciary duty, or regulatory violations. For venture-backed companies the common triggers are down-round and wind-down disputes, fundraising-misrepresentation claims, and regulatory investigations. D&O is claims-made, and defense costs typically erode the limit.
The headline severity comes from securities litigation: in 2024 there were 88 securities class-action settlements, with a median settlement of $14 million and an average of $42.4 million (Cornerstone Research). Most early-stage technology companies will never face a securities class action — those land on public and pre-IPO companies — but the figures explain why investors require D&O before they wire the round, and why pre-IPO D&O is a specialized, expensive tower. What a Series A or B company is far more likely to see is an investor dispute, a co-founder or board conflict, an employment-adjacent management claim, or a regulatory inquiry — all of which D&O is built to defend.
Why Side A and notice timing matter
D&O is structured in sides. Side B reimburses the company when it indemnifies its executives; Side C covers the entity itself for securities claims; Side A protects individual directors and officers directly when the company cannot indemnify them — most importantly in insolvency, which is precisely when a failed startup's investors or creditors come after its founders personally. That is why even a wind-down should not casually drop D&O. As with tech E&O, the policy is claims-made: a threatened suit, a demand letter, a books-and-records demand, or a regulator's inquiry should be reported as a notice of circumstance immediately, even before a complaint is filed, to lock coverage into the current policy period.
Seven mistakes that sink technology insurance claims
The same mistakes recur across technology claims, and most are procedural rather than technical. Reporting late on a claims-made policy, investigating a breach before counsel is engaged, paying a ransom without carrier consent, and admitting fault to a customer are the errors that most often turn a covered claim into a denied or reduced one.
- Late notice on a claims-made policy. Cyber, tech E&O, and D&O all require reporting during the policy period. Waiting to "see if it blows over" is the most common reason a technology claim is denied — the matter becomes a known circumstance the next policy excludes and the prior policy rejects as reported late.
- Self-investigating a breach before engaging counsel. Running your own forensics — or letting your IT vendor do it — before breach counsel is retained can forfeit attorney-client privilege over the findings, which then become discoverable in litigation.
- Paying a ransom or rebuilding before the carrier consents. Most cyber policies require insurer approval and sanctions screening before any payment; unilateral action can void the claim. Wiping systems destroys forensic evidence the carrier needs to scope the loss.
- Notifying customers or the public before counsel signs off. Premature or inaccurate notification creates fresh legal exposure, can breach the policy's cooperation clause, and is hard to walk back once sent.
- Settling a dispute or admitting fault without consent. Tech E&O and D&O policies contain consent-to-settle and no-voluntary-payment provisions. An unauthorized settlement, or an email admitting the product was at fault, may not be reimbursed.
- Missing the notice-of-circumstance window. A demand letter, threatened suit, or regulator inquiry should be reported as a circumstance even if no lawsuit exists yet. Reporting it locks coverage into the current policy before renewal can exclude it.
- Treating the retention as a threshold instead of a deductible. Defense costs usually erode the limit and run inside the retention. Waiting until losses "exceed" the retention to report wastes the policy's most valuable feature — early, carrier-funded defense and panel resources.
What a technology broker should do during and after a claim
During a claim, your broker is your advocate against the carrier's interests — placing the claim correctly, invoking the right policy, connecting you to panel breach counsel and forensics, and pushing back when an adjuster reserves rights or disputes coverage. After the claim, the broker's job shifts to protecting your renewal by documenting remediation and re-marketing the program.
The value shows up in three phases. Before an incident, a good broker makes sure you know the breach hotline number, have read the incident-response plan, and understand who is on the carrier's panel — so the first hour is muscle memory, not improvisation. During a claim, the broker interprets coverage, makes sure a blended cyber/tech E&O event is reported to both towers, and challenges an adjuster who tries to narrow the grant. After, the broker assembles the loss-run narrative that the next underwriter will read.
A claim does not have to spike your renewal. Cyber, tech E&O, and D&O all reprice on loss history, but underwriters reward a documented, well-handled incident with a clear remediation story — the controls you added, the gaps you closed, the contract terms you tightened. For how loss history and security controls move pricing at the next renewal, see our tech and SaaS insurance cost guide. The worst outcome is a poorly handled claim followed by an auto-renewal into a surcharge no one negotiated.
When calling the broker before the IT vendor saved the claim
A roughly 40-person Series B SaaS company called us early on a Saturday: an engineer had found a ransomware note on a build server, and the internal team's instinct was to wipe and rebuild over the weekend and email enterprise customers an apology before Monday. The on-call founder paused and phoned us first. We triggered the carrier's 24/7 breach hotline within the hour; by midday breach counsel was engaged under privilege and a panel forensics firm was scoping the intrusion before anything had been wiped.
Because the company had tested, immutable backups, counsel and the carrier's negotiator advised against engaging on the roughly $400,000 demand. Systems were restored from backup over the weekend, and forensics — preserved rather than destroyed — confirmed the access was limited and scoped quickly. Counsel handled notification to the handful of states with 30-day clocks well inside the deadline, and the cyber policy funded counsel, forensics, notification, and credit monitoring. The single best decision the company made was the order of its first three phone calls — broker, not vendor; counsel, not customer; carrier, not keyboard.
Details anonymized and generalized to protect client confidentiality.
Frequently asked questions about technology and SaaS insurance claims
Call your broker or the carrier's 24/7 breach hotline before investigating, wiping anything, or notifying anyone. Engaging breach counsel first preserves attorney-client privilege over the forensic findings and connects you to the carrier's panel of forensics and negotiation vendors.
Isolate affected systems and preserve logs, but do not run your own investigation or send customer notifications until counsel directs it — both can damage the claim and create legal exposure.
Many cyber policies include ransom or cyber-extortion coverage, but nearly all require the insurer's prior consent and sanctions screening before any payment is made. Paying on your own can void coverage.
Increasingly companies do not pay at all: a record 86% of ransomware-targeted businesses refused to pay in 2025 (Coalition), typically restoring from tested, immutable backups instead. The carrier's negotiator and counsel will advise whether paying is even necessary.
It depends on the states involved. Twenty states set numeric deadlines of 30–60 days, and the strictest — California, Colorado, Florida, New York, and Washington — require notice within 30 days of determining a breach occurred. The remaining states require notice "without unreasonable delay."
If you have users in multiple states, you must meet the shortest applicable deadline, so a single incident can put you on a 30-day clock nationwide. Breach counsel manages the multistate notification process.
Usually technology errors and omissions (tech E&O), which covers financial loss a customer suffers because your software or service failed to perform — including outages and missed service levels. If the same event also exposed data, it can trigger both cyber and tech E&O.
That overlap is why the two lines are often written together on a single technology tower. When in doubt, report the matter under both and let your broker and counsel determine which responds.
Most early-stage directors and officers (D&O) claims are not securities class actions — those hit public and pre-IPO companies. At a venture-backed startup the common triggers are investor disputes (down rounds, alleged fundraising misrepresentation), co-founder or board conflicts, regulatory inquiries, and management or employment-adjacent suits.
D&O is claims-made, so a demand letter, a books-and-records demand, or a regulator's inquiry should be reported as a notice of circumstance immediately — even before any lawsuit is filed.
It can. Cyber, tech E&O, and D&O all reprice on loss history. But a well-documented claim with a clear remediation narrative — the controls you added and the gaps you closed — materially limits the renewal impact.
Your broker should manage the claim and then re-market the program rather than auto-renewing into a surcharge. Underwriters reward a company that demonstrably fixed what went wrong.