Tech & SaaS Insurance Requirements by State: Statutory, Contractual & Investor Standards

Technology and Software as a Service (SaaS) companies operate under three overlapping layers of insurance-relevant obligations: statutory (all 50 states' data-breach notification laws, a growing patchwork of state privacy statutes, and workers' compensation rules); contractual (customer master service agreements, vendor security addenda, office leases, SOC 2 commitments); and investor (venture term sheets that name directors and officers, technology errors and omissions, and cyber by limit). Almost no software-specific insurance is mandated by statute — but enterprise customers and investors require it in writing, and not carrying it forecloses revenue and capital.

Informational only — not legal advice. Privacy laws, breach notification deadlines, and customer contract terms change. Verify current requirements with your legal counsel, your customers' and investors' contracts, your data protection officer, and an independent commercial insurance broker.
  • Almost nothing is mandated by statute for software companies specifically. Insurance is mostly driven by what your customers and investors require in writing.
  • Every U.S. state has a data-breach notification law. All 50 states, D.C., Puerto Rico, the U.S. Virgin Islands, and Guam require notice to affected residents — usually within 30–90 days depending on the state.
  • Comprehensive state privacy laws have spread fast. California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA, effective July 1, 2024) are in force; more than a dozen additional states have enacted laws taking effect through 2026.
  • Enterprise MSAs typically require $1M–$5M tech E&O, $1M–$5M cyber, $1M GL, and SOC 2 Type II. Venture term sheets routinely require D&O within 60–90 days of close at $3M–$5M.
  • Workers' compensation rules don't change because you write software. The threshold is set by state (KS >$20K payroll; MO ≥5 employees; PA, NY, and CA ≥1 employee).

Three overlapping sources of insurance requirements

Software and SaaS companies face three distinct sources of insurance obligations: statutory (state and federal laws that either compel an action or create the exposure that insurance backstops), contractual (customer master service agreements, vendor security addenda, office leases), and investor (venture term sheets and board resolutions). Unlike trucking or food distribution, almost no software-specific insurance line is mandated outright — it is the contracts and the underlying liability exposure that make carrying coverage non-negotiable in practice.

Tech founders sometimes assume that because the U.S. has no federal privacy statute, their compliance burden is light. The opposite is closer to true: the patchwork of 50-state breach notification laws and a dozen-plus state comprehensive privacy statutes means a single breach can trigger parallel obligations across multiple jurisdictions at once, each with its own deadline and content rules. The exposure is real; the practical question for a software company is which policy responds and at what limit. Cyber liability and technology errors and omissions (tech E&O) do most of the work.

50 + DC + 3: All 50 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam have data-breach notification statutes (Source: NCSL)
$10.22M: U.S. average cost of a data breach in 2025, the underlying exposure these laws sit on top of (Source: IBM)

What the law actually requires

No U.S. state requires a software company to carry technology errors and omissions, cyber liability, or D&O as a matter of statute. What the law does is create the underlying exposure — data-breach notification deadlines, consumer privacy obligations, FTC unfair-and-deceptive enforcement, and standard employer rules like workers' compensation and unemployment insurance — that those policies respond to. The compliance burden grows with where your customers and users live, not where your office is.

Data breach notification — all 50 states

Every U.S. state, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam have enacted security-breach notification laws that require companies (and in most cases their service providers) to notify residents whose personal information was acquired by an unauthorized party. State definitions of "personal information," timing requirements, and content rules vary, but most states require notice "without unreasonable delay" and many set hard deadlines of 30, 45, 60, or 90 days. Several also require parallel notice to the state attorney general and to the major consumer reporting agencies.

For a SaaS company with customers in multiple states, a single incident usually triggers obligations in all of them at once. Cyber liability policies are written to fund the breach-counsel work that maps a single incident to those parallel obligations and to fund the notification mailings themselves — typically a meaningful share of total breach response cost.

State comprehensive privacy laws

Beyond breach notification, a growing patchwork of state comprehensive privacy laws creates ongoing obligations around consumer rights (access, deletion, opt-out of sale or targeted advertising), data-processing agreements with vendors, and security safeguards. As of mid-2026, California, Virginia, Colorado, Connecticut, Utah, and Texas have laws in force, and more than a dozen additional states have enacted statutes scheduled to take effect through 2026 and 2027.

| State | Statute (short name) | Effective | What it adds for software firms |
| California | CCPA (2018) / CPRA (2020) | In force; CPRA fully in effect Jan 1, 2023 | Consumer access, deletion, opt-out of sale/sharing; mandatory data-processing terms with service providers; California Privacy Protection Agency (CPPA) regulator. |
| Virginia | VCDPA | Jan 1, 2023 | Consumer rights; data protection assessments for "high-risk" processing; enforcement by the Virginia AG. |
| Colorado | CPA | July 1, 2023 | Universal opt-out mechanism; sensitive-data consent; CO AG rulemaking authority. |
| Connecticut | CTDPA | July 1, 2023 | Similar to VA/CO; AG enforcement; 60-day cure period (sunset Dec 31, 2024). |
| Utah | UCPA | Dec 31, 2023 | Narrower applicability ($25M revenue + processing thresholds); AG enforcement only. |
| Texas | TDPSA | July 1, 2024 | Broad applicability (no revenue threshold for entities doing business in TX and processing personal data of TX residents); TX AG enforcement. |
| New York | SHIELD Act | March 21, 2020 (security); Oct 23, 2019 (breach) | Expanded breach notification + reasonable-security requirement for any business holding NY-resident data; NY AG enforcement. |

For underwriters, the practical implication is the same regardless of which state your customers live in: a cyber policy with proper regulatory-defense, notification-cost, and PCI-fine coverage is the only insurance vehicle that responds to this body of law in any meaningful way.

Sector-specific federal laws

Several federal regimes can apply to software firms by virtue of the data they process or the customers they serve. These do not change the policy stack but they do shape the limits and endorsements:

  • HIPAA — if you handle protected health information for a covered entity, you are likely a "business associate" and must sign a Business Associate Agreement (BAA). Cyber policy must respond to HHS Office for Civil Rights enforcement and breach-notification rules under the HIPAA Breach Notification Rule.
  • GLBA (Gramm-Leach-Bliley) — if you provide services to financial institutions, you are subject to the FTC Safeguards Rule's reasonable-security requirements as a service provider; expect contract terms reflecting this.
  • FTC Act §5 — the Federal Trade Commission has used Section 5's prohibition on unfair or deceptive acts as the de facto national data-security enforcement tool for software firms. Cyber regulatory-defense coverage applies.
  • COPPA — if any portion of your service is directed to children under 13, the Children's Online Privacy Protection Act applies with separate notice and consent requirements.
  • GDPR (international) — not U.S. law, but any SaaS with EU/UK users is subject to it. Expect customers to require it in writing via DPAs.

Workers' compensation — by state

Workers' compensation rules don't change because you write software. The threshold for mandatory coverage is set by state and is the same as for any other employer. The class codes — typically NCCI 8810 (clerical), 8742 (sales/outside), and 8856/8901 (telecommunications/computer system design) — keep technology firms among the lowest-rated employers in workers' comp, but the legal requirement to carry it once you cross your state's employee threshold is absolute.

| State | Workers' comp threshold | Typical class / rate basis | Notes for tech employers |
| Kansas | Mandatory once gross annual payroll exceeds $20,000 | NCCI 8810 / 8742 / 8856 | One of the lowest-rated office-class states; KDOL administers. |
| Missouri | Required at 5+ employees (construction: 1+) | NCCI 8810 / 8742 / 8856 | Sole proprietors and certain LLC members may be excluded. |
| Pennsylvania | Required at 1+ employee (very narrow exemptions) | NCCI / PCRB 951 (clerical) and 953 | PA uses Pennsylvania Compensation Rating Bureau classes; rates set independently. |
| New York | Required at 1+ employee, including part-time | NYCIRB classes; clerical 8810 | NY Workers' Comp Board penalties for non-coverage are substantial; disability and PFL also required separately. |
| California | Required at 1+ employee (even part-time) | WCIRB classes; clerical 8810 | CA rates run above the national average; misclassification of contractors carries criminal exposure under AB 5 / Labor Code §2750.3. |

What your customers and vendors actually require

For most software and SaaS companies, the binding insurance requirements come from contracts, not statutes. Enterprise customer master service agreements (MSAs), data processing agreements (DPAs), security addenda, and office leases routinely name specific policies and limits — and a missing endorsement is the most common reason an MSA is held up at signature. The contractual layer is where insurance directly gates revenue.

Customer MSAs and security addenda

A typical mid-market or enterprise customer contract for a SaaS vendor will require, at minimum: a named technology errors and omissions limit ($1M–$5M per claim is the modal range; $5M–$10M for larger enterprise deals); a named cyber liability limit ($1M–$5M, sometimes $10M+); commercial general liability ($1M per occurrence / $2M aggregate is standard); and a commercial umbrella ($1M–$5M+). Many MSAs also require the customer to be named as additional insured on GL only — tech E&O and cyber are typically not endorsed for additional insured status because the policies respond to the vendor's own services and data handling.

Security addenda — often appended as Exhibit B or a separate DPA — go further. They commonly require: an annual SOC 2 Type II report from a CPA firm; maintenance of an information security program with named controls (encryption at rest, multi-factor authentication, vulnerability management, vendor risk management); breach-notification timelines that are typically shorter than statutory minimums (24–72 hours to the customer vs. 30–90 days to regulators); and audit rights for the customer or its designated auditor. None of those security commitments is an insurance requirement per se, but each represents an exposure to which cyber liability is the only insurance product that responds.

| Coverage | Typical enterprise MSA requirement | Common variations |
| Technology E&O | $1M / $2M aggregate to $5M / $5M aggregate | Combined with cyber as a "tech package"; some MSAs require $10M+ for mission-critical or regulated industries. |
| Cyber liability | $1M / $1M to $5M / $5M aggregate | Specific sublimits called out for regulatory defense, PCI fines, business interruption, social engineering. |
| Commercial general liability | $1M per occurrence / $2M aggregate | $2M / $4M for large deals; customer named as additional insured; primary and non-contributory language often required. |
| Commercial umbrella | $1M–$5M | Must "follow form" over tech E&O / cyber if those policies sit underneath the umbrella tower. |
| Workers' compensation / employer's liability | Statutory + $1M / $1M / $1M EL | Standard with waiver of subrogation in favor of customer. |
| Crime / commercial crime | $100K–$1M social engineering / funds transfer fraud | Increasingly required for vendors handling customer payment workflows. |

SOC 2 — industry standard, not legal mandate

SOC 2 (Service Organization Control 2) is an American Institute of Certified Public Accountants (AICPA) audit framework, not a statute. Yet for B2B SaaS companies selling into mid-market and enterprise accounts, a SOC 2 Type II report has become functionally mandatory — customers will not sign without it, and many require an annual refresh. SOC 2 reports do not satisfy any state or federal law, but they do create written commitments to controls (incident response procedures, vendor risk management, change management) that map directly to what a cyber underwriter wants to see at renewal. A well-run SOC 2 program typically produces 10–25% favorability in cyber pricing vs. an otherwise comparable account without one.

Office leases

If you have a physical office — even a small co-working footprint or a single dedicated suite — your lease will require commercial general liability and, in most cases, commercial property and umbrella coverage. Office leases for technology tenants typically require $1M / $2M GL, $1M–$2M umbrella, property at full replacement cost on tenant improvements and contents, additional insured status for the landlord and property manager, waiver of subrogation, and 30 days' notice of cancellation. These requirements are usually met by a business owner's policy (BOP) with an umbrella — the same package used by any office-based small business.

What venture investors and boards require

Venture-backed software companies face a third layer of insurance requirements that has nothing to do with statutes or customers: their investors. A term sheet for a priced equity round almost always includes a covenant to put directors and officers (D&O) liability in place within 30, 60, or 90 days of close, and to maintain it (with named limits) for the duration of the investment. The board itself will then routinely review the program at each subsequent round and at IPO readiness.

Directors and officers (D&O) at financing

Pre-seed and seed-stage companies often defer D&O until institutional capital comes in. Once a Series A or later round closes with venture firms, expect a D&O requirement of $3M–$5M at first (sometimes $1M for a small early round), scaling to $10M+ by Series B or C. Term sheets typically also require Side A coverage — the portion of a D&O tower that responds when the company cannot indemnify its directors, most often in derivative suits or insolvency scenarios — and EPLI as the team scales past a small handful of employees. D&O is the policy that protects founders, board members, and investors personally; it is not optional once outside capital is in.

Securities laws and the EPLI overlap

Software companies that raise capital, conduct secondary transactions, or eventually go public are exposed to securities-law liability — federal and state — that D&O is structured to address. Pre-IPO ("IPO-ready" or "S-1 ready") D&O programs are a specialized product written by a small set of carriers; expect significantly more underwriting scrutiny and a separate tower from the operating D&O policy. EPLI overlaps with D&O on certain claims (e.g., a founder dispute involving alleged discrimination) and is required by most VCs from Series A onward, with $1M–$3M typical and a separate retention.

Common investor checklists at close

  • D&O — bound within 30–90 days of close; $3M–$5M for Series A; A-rated carrier; Side A included.
  • EPLI — bound concurrent with D&O at most VCs from Series A on; $1M–$3M typical.
  • Tech E&O / cyber — at limits that satisfy enterprise customer MSAs (typically $3M–$5M each).
  • Key person life insurance — sometimes required on founders for $1M–$5M, with the company as beneficiary.
  • Crime / fidelity — for companies handling payments, customer funds, or large operating accounts.

The investor layer is the single most common source of friction at close: a term sheet is signed in days, but binding D&O at an A-rated carrier takes 7–21 days from underwriting submission, and a recent breach or open security finding can extend that materially. Sequence matters — start the D&O submission as soon as the term sheet is signed, not after the wire arrives.

The seed-stage policy that held up a Series A close

A 14-person seed-stage SaaS company we placed had bought a low-cost online "business owners' policy" plus a small bundled cyber endorsement at incorporation. Eighteen months later their lead investor signed a term sheet for a Series A and the closing checklist included $5M D&O at an A-rated carrier within 60 days, $3M tech E&O at the same standard, and a $3M cyber tower with regulatory defense, PCI sublimit, and a 72-hour breach-notification clock that mirrored one of their largest customers' contracts. The existing online policy had none of those — no D&O at all, $250K of cyber on an endorsement form that didn't include regulatory defense, and tech E&O written at $1M without a follow-form umbrella.

We had three weeks before the wire date. Repositioning the account meant submitting to specialty technology markets with full SOC 2 documentation, an information-security narrative, prior-act coverage continuity language for the tech E&O, and a Side A D&O carve-out. The placement landed two days inside the deadline at a combined annual premium increase of roughly $24,000 — modest in absolute terms, immaterial against a Series A round, and the difference between closing on schedule and renegotiating the term sheet. The lesson we share with every founder we meet at pre-seed: the cheapest policy at incorporation almost never satisfies the first institutional round, and the time to find out is not in the closing data room.

Details anonymized and generalized to protect client confidentiality.

Frequently asked questions about tech and SaaS insurance requirements

Workers' compensation once you cross your state's employee threshold (1 employee in PA, NY, and CA; 5 in MO; payroll over $20,000 in KS); state unemployment insurance; and disability insurance in states that require it (NY, NJ, RI, HI, CA, and others). No state requires technology errors and omissions, cyber liability, or D&O by statute.

The "real" requirements come from customer contracts and investor term sheets — and those make tech E&O, cyber, and D&O effectively mandatory once you have enterprise customers or institutional capital.

Yes. All 50 states' breach-notification laws apply to "personal information," which in nearly every state includes names plus a Social Security number, driver's license number, financial account number, medical information, or login credentials — not just payment card data. Email addresses combined with passwords are enough to trigger notification in most states.

Cyber liability funds the breach-counsel work that maps the incident to multi-state obligations, the notification mailings themselves, and the regulatory defense if a state AG or the FTC investigates. The U.S. average cost of a data breach is $10.22M (IBM 2025) — even a small fraction of that exhausts a low-limit endorsement quickly.

State law deadlines range from "without unreasonable delay" to hard 30-, 45-, 60-, or 90-day windows for notice to affected residents, with parallel notice to state attorneys general and credit reporting agencies in many states. Most enterprise customer contracts impose much tighter timelines on you — 24 to 72 hours to the customer is now common in SaaS security addenda.

Cyber policies include breach-counsel and forensics retainers specifically to meet these deadlines without slowing down the incident response.

Most mid-market and enterprise MSAs require $1M–$5M technology E&O, $1M–$5M cyber liability (sometimes $10M+), $1M / $2M commercial general liability with the customer named as additional insured, statutory workers' comp with $1M employer's liability and waiver of subrogation, and a $1M–$5M commercial umbrella that follows form over the tech E&O and cyber towers.

Many also require an annual SOC 2 Type II report, written information security program documentation, and shorter customer-facing breach-notification timelines than state statutes set.

Almost every priced equity round from a venture investor includes a covenant to bind D&O within 30, 60, or 90 days of close, and to maintain it (with named limits) through the investment. Series A typically requires $3M–$5M with Side A coverage at an A-rated carrier; later rounds scale to $10M+.

EPLI is usually required concurrent with D&O from Series A on. Tech E&O and cyber are checked against MSA requirements rather than dictated by the VC, but they have to satisfy customer contracts that are usually already in place.

No. SOC 2 is an AICPA audit framework — it is not law in any state. But for B2B SaaS selling into mid-market and enterprise accounts, a SOC 2 Type II report is contractually required by most customers and is the de facto standard for vendor risk reviews.

A well-run SOC 2 program also produces real underwriting credit on cyber renewals — typically 10–25% favorability vs. an otherwise comparable account without one — because the controls SOC 2 documents (incident response, vendor management, change management) map directly to what cyber underwriters want to see.

They don't change which policies you need — cyber liability is still the policy that responds — but they expand the exposure and the regulatory-defense work. California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) all create state-AG enforcement risk, mandatory data-processing agreements with vendors, and consumer rights (access, deletion, opt-out) that can produce private rights of action (CA only, under the CCPA private right of action for security breaches) or AG investigations.

Confirm your cyber policy has full regulatory defense and that any sublimit applied to regulatory matters is sized for multi-state proceedings — single-state limits are not enough.

Workers' compensation is governed by the state where each employee performs the work, not where the company is headquartered. A SaaS company headquartered in Delaware with engineers in California, Pennsylvania, and New York needs workers' comp written on a multi-state policy with each of those states scheduled — and CA, PA, and NY all require coverage from the first employee.

Most carriers handle this with a single policy and per-state schedule, but monopolistic states (ND, OH, WA, WY) require a separate filing through the state fund. Misclassification of remote workers as 1099 contractors is a separate exposure — particularly under CA Labor Code §2750.3 (AB 5) — that EPLI and cyber do not address.


Edward Hsyeh Managing Partner, Anvo Insurance · Commercial insurance specialist for technology, food distribution, trucking, and hospitality accounts; licensed in KS, MO, PA, NY, and CA.
Last reviewed: June 2026. Reviewed against the NCSL security breach notification laws compilation, current state comprehensive privacy statutes (CA CCPA/CPRA, VA CDPA, CO CPA, CT CTDPA, UT UCPA, TX TDPSA), NY SHIELD Act, AICPA SOC 2 framework documentation, NCCI/PCRB/NYCIRB/WCIRB workers' comp class codes and rate filings, and current carrier appetite and contract patterns for technology accounts.