Tech & SaaS Insurance FAQ: 21 Common Questions, Answered
Software-as-a-service (SaaS) and technology companies face a distinct set of insurance questions — almost nothing is mandated by statute for writing software, yet customer master service agreements (MSAs), investor term sheets, and state data-breach laws create real, contractual obligations. This FAQ compiles the 21 questions we hear most often from software founders and operators, with direct answers drawn from carrier guidelines, published industry data, and our placement experience.
- Very little insurance is required by statute for software companies specifically — workers' compensation is the main legal mandate, and it is triggered by headcount, not by what you build. The real drivers are customer contracts and investor requirements.
- Enterprise MSAs commonly require $1M–$5M technology errors and omissions (tech E&O), $1M–$5M cyber liability, $1M general liability (GL), and a SOC 2 Type II report. The required limit — not your company size — often sets the price.
- A full technology insurance program runs roughly $5,000 to $250,000+ per year; for mid-market SaaS it typically lands around 0.5%–3% of annual revenue.
- Directors and officers (D&O) insurance effectively becomes mandatory at Series A — venture term sheets routinely require $3M–$5M in force within 60–90 days of close.
- Every U.S. state has a data-breach notification law, with deadlines generally between 30 and 90 days (the strictest set a hard 30-day clock), so claim response and notice timing are not optional.
What insurance does a software company actually have to carry?
For software companies, almost nothing is mandated by statute specifically because you write code. The obligations that matter come from three places: state law (primarily workers' compensation and data-breach notification), customer master service agreements (MSAs), and investor term sheets. The contractual layer is usually far more demanding than anything the law requires.
Almost none of it is required by statute: no law requires a software company to buy cyber, tech E&O, or general liability insurance. The main legal mandate is workers' compensation, and its threshold is set by state, not by industry: Kansas requires it above roughly $20,000 in annual payroll, Missouri at five or more employees, and Pennsylvania, New York, and California at one or more employees.
Everything else is driven by contract. Your customers' MSAs and your investors' term sheets will require specific coverages and limits long before any regulator does. See our tech and SaaS insurance requirements guide for the full breakdown by state and by contract layer, and our overview of workers' compensation coverage.
Enterprise MSAs typically require $1M–$5M in technology errors and omissions (tech E&O), $1M–$5M in cyber liability, $1M in general liability (GL), and a SOC 2 (System and Organization Controls 2) Type II report. Larger customers often add specific contract mechanics: naming the customer as an additional insured, a waiver of subrogation, and a retroactive date that reaches back to the start of the relationship.
The required limit — not your headcount or revenue — frequently sets your price, because a five-person startup signing a Fortune 500 customer may need the same $5M tech E&O limit as a company ten times its size. We cover the mechanics in the requirements guide; the underlying lines are technology errors & omissions (professional liability) and cyber liability.
Every U.S. state, plus Washington D.C., Puerto Rico, the U.S. Virgin Islands, and Guam, has a data-breach notification law requiring you to notify affected residents after a breach of personal information, according to the National Conference of State Legislatures (NCSL). Deadlines generally run 30–90 days from discovery, and the strictest states (including Colorado, Florida, New York, and Washington) set a hard 30-day clock; others, California among them, require notice "without unreasonable delay" rather than by a fixed day count, which does not make them more forgiving.
Because you likely hold data on residents of many states, a single breach can trigger dozens of overlapping notification obligations at once. That is exactly what cyber liability insurance is built to manage — breach counsel, forensics, and the notification process. See the requirements guide for the state-by-state deadline map.
Directors and officers (D&O) insurance — which protects the personal assets of your board members and executives against claims arising from how they run the company — effectively becomes mandatory at Series A. Venture term sheets routinely require $3M–$5M in D&O coverage in force within 60–90 days of the financing close, because the new investors are taking board seats and want their own exposure covered.
Before raising institutional capital, most software companies carry no D&O at all, which is usually fine. The moment a term sheet is signed, it moves onto the critical path for closing. Our tech and SaaS insurance cost guide covers typical D&O pricing at each stage.
How much does tech and SaaS insurance cost?
A complete technology insurance program runs roughly $5,000 to $250,000+ per year, depending on company stage, revenue, headcount, data sensitivity, and the limits your customers and investors require. For mid-market SaaS companies, the program typically lands around 0.5%–3% of annual revenue, with cyber liability and tech E&O the two biggest swing lines.
Total annual technology insurance cost ranges from about $5,000 for an early-stage startup buying a basic cyber-plus-GL package to $250,000+ for a scaled, data-heavy platform carrying high cyber, tech E&O, and D&O limits. For most mid-market SaaS companies, the all-in program runs roughly 0.5%–3% of annual revenue.
Stage matters more than almost anything else: a pre-revenue startup and a Series C company at the same headcount can pay an order of magnitude apart because the later-stage company carries far higher contractual and investor-required limits. Our tech and SaaS insurance cost guide breaks pricing down line by line and by funding stage.
SaaS companies pay roughly $1,837 per year on average for cyber liability coverage, according to Insureon — about 40–88% above the small-business average — because software platforms concentrate large volumes of sensitive customer data. Pricing scales sharply with the records you hold, the limit your customers require, and the security controls you can document.
The reason cyber is the single biggest swing line is the size of the loss it covers: IBM put the 2025 U.S. average data-breach cost at a record $10.22 million. Strong controls move the price materially in your favor. More detail on cyber liability coverage and the 2026 cost picture in our cost guide.
Smaller software firms pay roughly $807–$1,094 per year for technology errors and omissions (tech E&O) coverage, per Insureon — but the required limit, set by your customer MSAs and commonly $1M–$5M, is what actually drives the price, not your company size.
This is why a tiny company landing its first enterprise customer can see tech E&O cost jump: the contract dictates a $3M or $5M limit regardless of headcount. Technology errors & omissions (professional liability) is contract-critical for any company that builds or hosts software others rely on.
Startup directors and officers (D&O) insurance commonly runs $4,000–$7,000 per year, scaling with the amount of funding raised, according to Vouch. Venture investors typically require $3M–$5M in force within 60–90 days of a financing close.
Price rises with each round because more capital raised means more money at stake and more parties (investors, future acquirers, regulators) who could bring a claim against your leadership. Budget for D&O as a recurring, growing line from Series A onward. Stage-by-stage figures are in the cost guide.
Security controls and contract terms are the most controllable price levers. Documented multi-factor authentication (MFA), endpoint detection and response (EDR), tested backups, and a written incident-response (IR) plan lower cyber and tech E&O pricing materially, and negotiated liability caps in your MSAs reduce the limit you are forced to buy.
Note which lines headcount drives rather than revenue: employment practices liability insurance (EPLI) and workers' compensation both scale with the number of employees, so they grow as you hire even if revenue is flat. The full list of controllable levers is in the cost guide.
Coverage types, overlaps, and the gaps software companies miss
The core technology stack is cyber liability, technology errors and omissions (tech E&O), and directors and officers (D&O), sitting on a foundation of general liability (GL) and, as you hire, employment practices liability insurance (EPLI) and workers' compensation. The most expensive mistakes come from assuming a generic business policy covers data-breach or software-failure losses it specifically excludes.
Cyber liability responds to data breaches, privacy violations, network-security failures, and extortion — the costs of an event affecting data and systems. Technology errors and omissions (tech E&O) responds to financial harm a customer suffers because your product or service failed to perform as promised — essentially professional negligence for a technology company. They cover different triggers.
Many real SaaS losses blend both: an outage that breaches a service-level agreement and exposes data implicates tech E&O and cyber at the same time, which is why carriers increasingly write them together. Compare cyber liability and technology errors & omissions (professional liability) side by side, and see how blended events are handled in our claims guide.
Technology errors and omissions (tech E&O), cyber, and D&O are almost always claims-made policies, meaning the policy must be in force when the claim is made — not when the underlying mistake happened — and the incident must fall after the policy's retroactive date. This is fundamentally different from the occurrence-based general liability policy most owners are used to.
The practical consequence: you must maintain continuous coverage and preserve your retroactive date. Letting a claims-made policy lapse, or switching carriers and resetting the retroactive date, can leave past work permanently uninsured. When you wind a company down or change carriers, ask about extended reporting (tail) coverage. Details are in the professional liability overview.
Even a fully remote, cloud-hosted company usually still needs general liability (GL): customer MSAs commonly mandate $1M GL, and coworking spaces and office leases require it as a condition of the agreement. GL covers ordinary third-party bodily injury and property damage, such as a visitor injured at an offsite event.
The efficient way to buy it is a business owners policy (BOP), which bundles GL with commercial property coverage for your laptops and equipment at a lower combined cost than buying them separately. A BOP does not cover data breaches or software errors — those still require cyber and tech E&O. See our business owners policy (BOP) overview.
The most common gap is relying on a generic business owners policy or general liability policy to cover a data breach or a software-failure claim — losses that GL specifically excludes. Companies discover the gap only after an incident, when the GL carrier declines and there is no cyber or tech E&O policy behind it. Buying D&O late, after a term sheet is already signed, is a close second.
A related trap is a cyber policy with a low sublimit on the exact exposure you face — social engineering and funds-transfer fraud are frequently capped far below the headline policy limit. The fix is to read the actual policy forms, not just the certificate of insurance. Our complete tech and SaaS insurance guide walks through the full coverage stack and where the gaps hide.
EPLI becomes relevant as soon as you hire. Employment practices liability insurance (EPLI) covers claims by employees alleging wrongful termination, discrimination, harassment, or retaliation, which are among the most common claims any growing company faces and have nothing to do with your technology. EPLI exposure is driven by headcount, so it grows with every hire.
Many early teams skip EPLI until the first time they fire someone or scale past a dozen employees. Because employment claims are frequent and expensive to defend regardless of merit, it is worth pricing EPLI as soon as you have employees. It is often available alongside D&O in a combined management-liability package.
What to do when an incident or claim happens
A software company faces three broad claim types — cyber/data-breach, technology errors and omissions (tech E&O), and directors and officers (D&O) — each governed by claims-made policies and strict notice rules. The single most important move in a breach is the first phone call: your broker or the carrier's breach hotline, not your IT vendor and not the affected customer.
Call your broker or the carrier's cyber breach hotline first, before your IT vendor and before the affected customer. Engaging breach counsel through the carrier puts the forensic investigation under attorney-client privilege and work-product protection, which shields the findings, and it preserves coverage by using the carrier's approved panel of vendors. One caveat practitioners should know: privilege holds only when counsel retains and directs the forensic firm for the purpose of giving legal advice. Courts have compelled production of forensic reports that were commissioned under a pre-existing business relationship or circulated internally for ordinary remediation purposes, so keep the privileged investigation report separate from the engineering remediation workstream.
Calling IT first to "just clean it up," or notifying the customer before counsel is engaged, are the two moves that most often complicate a claim and waive privilege. The hotline is staffed 24/7 precisely because the first hours matter. Our tech and SaaS claims guide lays out the full incident-response timeline, and cyber liability is the policy that funds it.
Cyber insurance can fund ransomware response, including, in some cases, a negotiated payment, but only with the carrier's consent, and you must not pay or rebuild systems before the carrier approves the approach. Before any payment, the carrier's counsel also screens the threat actor against U.S. sanctions lists, because paying a sanctioned party can itself be a legal violation regardless of what the policy covers. Most insured companies do not end up paying: Coalition's 2025 Cyber Claims Report found 86% of ransomware victims refused to pay, with the average ransomware claim around $269,000.
Rebuilding from clean, immutable backups is frequently faster and cheaper than paying: Sophos put the 2025 average recovery cost (excluding any ransom) at $1.53 million, with 53% of victims recovering within a week. The carrier's incident-response team helps decide which path is cheaper. See the ransomware sub-flow in our claims guide.
Notice is due immediately, on two separate clocks. Claims-made policies (cyber, tech E&O, D&O) require prompt notice to the carrier as a condition of coverage; late notice can void an otherwise valid claim. Separately, state data-breach notification laws require notice to affected residents within deadlines that run 30–90 days from discovery, with the strictest states allowing only 30.
The two clocks are independent: you can satisfy your carrier and still miss a statutory deadline, or vice versa. This is why the broker-first call matters — breach counsel manages both timelines at once. Notice obligations are detailed in our requirements guide and the response steps in the claims guide.
The average cyber claim runs around $116,000, and roughly $77,000 for the smallest firms, according to Coalition's 2025 Cyber Claims Report. The most frequent driver is not ransomware but business email compromise (BEC) and funds-transfer fraud (FTF), which together made up 58% of incidents, with an average BEC loss around $27,000.
That gap between a ~$27,000 fraudulent wire and a six- or seven-figure breach is why both the policy limit and the individual sublimits matter — a low social-engineering sublimit can leave most of a BEC loss uncovered. Our claims guide covers the BEC and funds-transfer-fraud response in detail.
Finding coverage and working with the technology insurance market
Technology and cyber insurance is a specialized market: appetite varies sharply by data sensitivity, security controls, and funding stage, and the right answer is about fit, not a single "best" carrier. An independent broker's job is to match your specific profile to the markets most likely to write it well and price it fairly.
Technology and cyber coverage is written by a mix of specialty insurtech programs (carriers such as Coalition, At-Bay, Vouch, and Embroker, among others) and the technology divisions of established commercial insurers. There is no universal "best" carrier — appetite varies by your data volume and sensitivity, the security controls you can document, your funding stage, and the limits your contracts require.
A carrier that is ideal for a seed-stage startup with light data may decline or heavily surcharge a data-rich platform handling health or financial records, and vice versa. The market shifts frequently, so the practical approach is to shop your specific profile rather than assume last year's answer still holds.
For a very early-stage company buying a basic cyber-plus-GL package, an online quote-and-bind policy can be a reasonable starting point. The complications begin the moment a customer MSA or an investor term sheet enters the picture — those add specific requirements (named additional insureds, waivers of subrogation, retroactive dates, exact limits, SOC 2 evidence) that a checkbox policy often will not satisfy.
The risk is buying a policy that looks compliant on the certificate but fails the actual contract language, or one whose sublimits leave your real exposure mostly uncovered. A broker reads the contract against the policy forms before you bind, so the coverage you buy is the coverage your customers and investors actually required.
An independent broker maps your customer MSA and investor term-sheet requirements to the right coverages and limits, markets your profile to the carriers most likely to write it well, and negotiates limits, retentions, and policy terms. Critically, the broker also preserves continuity on your claims-made policies — protecting retroactive dates as you change carriers and arranging tail coverage when you wind down or get acquired.
As you scale from seed to Series A and beyond, your required limits jump at each round and at each major customer; a broker manages those renewals so coverage keeps pace with your contracts instead of lagging behind them. That ongoing fit — not a one-time purchase — is the value of working with a broker on a technology program.
When the policy technically existed but the sublimit didn't
A roughly 25-person SaaS company had bought cyber coverage through an online quote-and-bind tool — mostly to check a box on a customer's vendor form. The certificate read "Cyber — $1M," and everyone assumed they were covered. Then a finance employee received a spoofed email that looked like it came from a known vendor, updated the vendor's bank details as instructed, and wired roughly $140,000 to a fraudster — a textbook business email compromise (BEC) and funds-transfer fraud.
The cyber policy did respond — but social engineering and funds-transfer fraud were capped at a $25,000 sublimit, a common default on bare-bones policies. The carrier paid the $25,000 and the company absorbed the remaining ~$115,000. We re-marketed the account at renewal to a technology-focused program with a $250,000 social-engineering sublimit, added dual-authorization controls for any banking change, and the premium difference was a few hundred dollars a year. The lesson founders take from it: the certificate said $1M, but the number that mattered was 2.5% of that.
Details anonymized and generalized to protect client confidentiality.
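The control that closed the gap in the case above, dual authorization plus an out-of-band callback before a vendor's bank details change, as an added Python example. This is not the page's own code or any client's system; the vendor name, phone numbers, account identifiers and user names are constructed for illustration. The point it shows is that the callback must go to the phone number already on file, never the one quoted in the inbound email, and that the requester can never be one of the two approvers.

```python
"""
Dual-authorization control for vendor bank-detail changes (added example).

A change to a vendor's payment details is not effective until
  1. someone has verified it by calling the vendor back on the phone
     number already on file (not a number supplied in the request), and
  2. two distinct approvers, neither of whom is the requester, approve it.
Payments against an unauthorized change are held, not sent to the old
account and not sent to the new one.
All identifiers below are constructed for illustration.
"""

from dataclasses import dataclass, field
from enum import Enum


class ChangeError(Exception):
    """Raised whenever a step would bypass the control."""


class Status(Enum):
    PENDING = "pending"
    REJECTED = "rejected"


@dataclass
class VendorRecord:
    name: str
    account: str           # bank account currently on file
    callback_phone: str    # phone number on file BEFORE the request arrived


@dataclass
class BankChangeRequest:
    vendor: VendorRecord
    new_account: str
    requested_by: str
    contact_phone_in_request: str          # number quoted in the inbound email
    approvals: list[str] = field(default_factory=list)
    callback_verified: bool = False
    status: Status = Status.PENDING

    REQUIRED_APPROVALS = 2

    def verify_callback(self, verifier: str, number_dialed: str, vendor_confirmed: bool) -> None:
        """Out-of-band check. A spoofed email usually supplies a 'new' contact number
        that the fraudster answers, so only the number on file counts."""
        if number_dialed != self.vendor.callback_phone:
            raise ChangeError(f"{verifier} dialed {number_dialed}, which is not on file")
        if not vendor_confirmed:
            self.status = Status.REJECTED
            raise ChangeError("vendor did not confirm the change; request rejected")
        self.callback_verified = True

    def approve(self, approver: str) -> None:
        """Separation of duties: requester excluded, each approver counted once."""
        if self.status is Status.REJECTED:
            raise ChangeError("request already rejected")
        if approver == self.requested_by:
            raise ChangeError("requester cannot approve their own change")
        if approver in self.approvals:
            raise ChangeError(f"{approver} already approved; a second person is required")
        self.approvals.append(approver)

    def is_effective(self) -> bool:
        return (self.status is not Status.REJECTED
                and self.callback_verified
                and len(self.approvals) >= self.REQUIRED_APPROVALS)


def release_payment(req: BankChangeRequest, amount: int) -> dict:
    """Pay only once the change is fully authorized; otherwise hold the payment."""
    if not req.is_effective():
        raise ChangeError("bank change not fully authorized; payment held")
    return {"vendor": req.vendor.name, "account": req.new_account, "amount": amount}


def fraud_scenario() -> tuple[str, bool]:
    """Replays the BEC pattern from the case: spoofed email, new account, new
    contact number. Returns (request status, whether the payment was held)."""
    vendor = VendorRecord("Acme Hosting (constructed)", "ACCT-OLD-11", "+1-555-0100")
    req = BankChangeRequest(vendor, "ACCT-FRAUD-99", requested_by="finance.clerk",
                            contact_phone_in_request="+1-555-0199")
    for step in (
        lambda: req.approve("finance.clerk"),                       # self-approval blocked
        lambda: req.verify_callback("finance.clerk",                # number from the email blocked
                                    req.contact_phone_in_request, vendor_confirmed=True),
        lambda: req.verify_callback("controller",                   # real vendor denies it
                                    vendor.callback_phone, vendor_confirmed=False),
    ):
        try:
            step()
        except ChangeError:
            pass
    held = False
    try:
        release_payment(req, 140_000)
    except ChangeError:
        held = True
    return req.status.value, held


def legitimate_scenario() -> dict:
    """The same workflow when the vendor really did change banks."""
    vendor = VendorRecord("Acme Hosting (constructed)", "ACCT-OLD-11", "+1-555-0100")
    req = BankChangeRequest(vendor, "ACCT-NEW-22", requested_by="finance.clerk",
                            contact_phone_in_request="+1-555-0100")
    req.verify_callback("controller", vendor.callback_phone, vendor_confirmed=True)
    req.approve("controller")
    req.approve("cfo")
    return release_payment(req, 140_000)


if __name__ == "__main__":
    print(fraud_scenario())        # ('rejected', True)
    print(legitimate_scenario())   # pays ACCT-NEW-22
```

The design choice worth copying is the default: when the control is not satisfied the payment is held rather than routed to the old account, because an "old account" fallback is itself exploitable once an attacker controls the vendor's mailbox. Whatever tool holds your vendor master data, the same three checks (callback to the number on file, no self-approval, two named approvers) are what a cyber underwriter is asking about when the application form mentions "dual authorization for banking changes."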
Not sure your coverage matches what your contracts require? Let's check.
Most technology programs we review have at least one gap — a cyber sublimit far below the real exposure, a tech E&O limit under the customer's MSA, a lapsed retroactive date, or D&O bought too late. A coverage review takes 30 minutes and costs nothing.