
COI Requirements for Technology Vendors

Inori Team

COI Compliance Experts

March 24, 2026 | 10 min read

Technology vendors present a fundamentally different risk profile than traditional service vendors. A janitorial company's worst-case scenario is a slip-and-fall injury. A technology vendor's worst-case scenario is a data breach affecting millions of records, a software failure that shuts down a client's operations for a week, or an intellectual property lawsuit claiming the vendor's product infringes a patent. The potential severity of technology claims — combined with the interconnected nature of modern technology infrastructure, where one vendor's failure can cascade through an entire supply chain — demands insurance requirements that go well beyond standard GL and WC.

This guide covers the specific coverages, limits, and verification considerations for technology vendors, from SaaS platforms and cloud providers to managed service providers and custom software developers.


Technology Errors and Omissions (E&O)

Technology E&O — also called Professional Liability or Tech E&O — is the core coverage for any technology vendor. It covers claims arising from the vendor's failure to perform their technology services as promised, including:

  • Software failures and bugs that cause client financial loss
  • System downtime that disrupts client operations
  • Data loss or corruption resulting from the vendor's negligence
  • Failure to deliver contracted technology services on time or to specification
  • Misrepresentation of technology capabilities
  • Intellectual property infringement claims related to the vendor's technology (in many tech E&O policies)

Standard Limits by Vendor Tier

Technology vendor insurance requirements should scale with the vendor's access level and contract value:

| Vendor Tier | E&O Minimum | Examples |
|---|---|---|
| Tier 1: Critical infrastructure | $5,000,000+ | Cloud hosting, ERP systems, payment processing, core business platforms |
| Tier 2: Significant data access | $2,000,000 – $5,000,000 | CRM platforms, HR/payroll systems, analytics platforms, SaaS tools with PII |
| Tier 3: Limited data access | $1,000,000 – $2,000,000 | Marketing tools, project management software, communication platforms |
| Tier 4: Minimal risk | $1,000,000 | Hardware vendors, peripheral software, non-data-touching tools |

The tier classification should consider both the contract value and the potential impact of a failure. A $50,000/year SaaS platform that processes all of your customer transactions has higher exposure than a $500,000/year hardware vendor who ships servers.

Claims-Made Considerations

Tech E&O is almost always written on a claims-made basis. The same verification requirements apply as with any claims-made coverage:

  • Verify the retroactive date covers the full period of the vendor relationship
  • Ensure the retroactive date does not move forward when carriers change
  • Include contract provisions requiring tail coverage (Extended Reporting Period) after the vendor relationship ends
  • Recommend a minimum 3-year ERP for standard engagements, 5 years for critical infrastructure vendors

Cyber Liability

Cyber liability insurance covers the financial consequences of data breaches, cyberattacks, and network security failures. For technology vendors, this is not a secondary coverage — it is as essential as E&O because technology vendors are both high-value targets for attackers and potential vectors for attacks on their clients.

Standard Limits by Vendor Tier

| Vendor Tier | Cyber Minimum | Key Considerations |
|---|---|---|
| Tier 1: Critical infrastructure | $5,000,000+ | Full first-party and third-party, ransomware, regulatory, BI |
| Tier 2: Significant data access | $2,000,000 – $5,000,000 | Full coverage suite, PII/PHI breach response |
| Tier 3: Limited data access | $1,000,000 – $2,000,000 | Standard breach response and regulatory |
| Tier 4: Minimal risk | $1,000,000 | Basic coverage |

First-Party vs. Third-Party Coverage

Cyber policies cover both first-party losses (the vendor's own costs) and third-party claims (claims from affected parties):

First-party coverages:

  • Breach notification and credit monitoring costs
  • Forensic investigation expenses
  • Data restoration costs
  • Business interruption (the vendor's lost income)
  • Cyber extortion / ransomware payments
  • Crisis management and public relations

Third-party coverages:

  • Privacy liability (claims from individuals whose data was exposed)
  • Network security liability (claims from clients whose systems were affected)
  • Regulatory defense and penalties
  • Media liability (in some policies — defamation, copyright infringement in digital content)
  • Payment Card Industry (PCI) fines and assessments

The Technology Supply Chain Problem

Technology vendors often rely on their own vendors — sub-processors, cloud infrastructure providers, third-party APIs, open-source components. A breach at a sub-processor can cascade to the vendor and then to all of the vendor's clients. Ensure the cyber policy covers:

  • Contingent business interruption — losses caused by a failure at a third-party service provider the vendor depends on
  • Supply chain breach coverage — claims arising from a breach at a sub-processor that affects data the vendor is responsible for
  • Cloud service provider failures — losses caused by an outage or breach at the vendor's cloud hosting provider

General Liability

Technology vendors still need standard CGL coverage, even though their primary risks are professional and cyber in nature. CGL covers:

  • Bodily injury to third parties visiting the vendor's offices
  • Property damage to client equipment during on-site installations
  • Personal and advertising injury (defamation, copyright infringement in advertising)

Standard requirements: $1,000,000 per occurrence / $2,000,000 general aggregate. Additional insured status, waiver of subrogation, and primary and non-contributory language apply as with any vendor.

For technology vendors who perform on-site work (installations, hardware deployments, cabling), CGL coverage is particularly important. A technician who damages a client's server room during an installation creates a property damage claim that falls on CGL, not E&O.


Media Liability

Technology vendors who create, publish, or distribute digital content — marketing technology platforms, content management systems, social media tools, advertising technology — should carry media liability coverage. This covers:

  • Copyright infringement in digital content
  • Trademark infringement in digital advertising
  • Defamation in published content
  • Invasion of privacy through digital media

Media liability is sometimes included in the cyber liability policy, sometimes in the E&O policy, and sometimes written as a standalone coverage. Verify where the media liability coverage lives and confirm the limits are adequate — typically $1,000,000 to $2,000,000.


SaaS-Specific Considerations

Software-as-a-Service vendors present unique insurance considerations that do not apply to traditional technology vendors:

Service Level Agreements and Insurance

SaaS contracts typically include SLAs guaranteeing uptime (99.9%, 99.95%, 99.99%). When the vendor fails to meet the SLA, they owe service credits or contractual penalties. E&O coverage may or may not cover contractual SLA penalties — many E&O policies exclude contractual liability. Verify whether the vendor's E&O policy covers SLA breach claims or whether a contractual liability endorsement is needed.

Multi-Tenant Architecture Risk

SaaS platforms are multi-tenant — one instance serves many clients. A security vulnerability in the platform affects all tenants simultaneously. A data breach exposes multiple clients' data in a single event. This concentrates risk and amplifies severity. Cyber liability limits for SaaS vendors should reflect the aggregate exposure across all tenants, not just the exposure from your data alone.

Data Processing Agreements

SaaS vendors who process personal data are typically required to sign Data Processing Agreements (DPAs) under GDPR, CCPA, and other privacy regulations. The DPA imposes data protection obligations; the cyber liability insurance provides the financial backstop when those obligations are breached. As with HIPAA BAAs in healthcare, require both the DPA and the insurance — they serve complementary functions.

API and Integration Risk

SaaS platforms connect to other systems through APIs. An API vulnerability or an integration failure can expose data or disrupt operations across connected systems. E&O coverage should explicitly cover claims arising from API failures and integration errors.


SOC 2 as Complementary, Not Replacement

SOC 2 (System and Organization Controls 2) is an audit framework that evaluates a technology vendor's controls over security, availability, processing integrity, confidentiality, and privacy. Many organizations accept a SOC 2 Type II report as evidence of security maturity.

What SOC 2 Proves

A SOC 2 Type II report demonstrates that the vendor's controls were designed effectively and operated effectively over a defined audit period (typically 6 to 12 months). It provides assurance that the vendor has implemented specific security and operational controls.

What SOC 2 Does Not Prove

SOC 2 does not prove:

  • That the vendor will not have a breach (controls reduce risk but do not eliminate it)
  • That the vendor has the financial capacity to respond to a breach
  • That the vendor can compensate you for losses caused by a breach or service failure
  • That the vendor's controls are current (the report covers a historical period)

Why Both Are Needed

SOC 2 reduces the probability of an incident. Insurance covers the financial consequences when an incident occurs despite controls. They are fundamentally different risk management tools:

| | SOC 2 | Cyber / E&O Insurance |
|---|---|---|
| Function | Reduces probability of incident | Covers financial impact of incident |
| Nature | Preventive control | Financial backstop |
| Scope | Security and operational controls | Claims, breach response, regulatory defense |
| Timing | Historical (audit period) | Current (policy period) |
| Guarantee | Controls existed during audit period | Financial coverage exists during policy period |

Accepting SOC 2 in lieu of insurance is like accepting a fire inspection report in lieu of property insurance. The inspection reduces fire risk; the insurance pays when a fire happens anyway.


Workers' Compensation and Commercial Auto

Standard requirements apply:

  • Workers' Compensation: Statutory limits with waiver of subrogation. Even fully remote technology companies need WC for their employees.
  • Employers' Liability: $500,000 minimum; $1,000,000 for larger vendors.
  • Commercial Auto: $1,000,000 CSL if the vendor operates vehicles (on-site technicians, hardware delivery). For fully remote SaaS companies, auto coverage may not be applicable — confirm with the vendor.

Umbrella / Excess Liability

The umbrella should follow form over GL, auto, and employers' liability:

| Vendor Tier | Umbrella Minimum |
|---|---|
| Tier 1: Critical infrastructure | $5,000,000 – $10,000,000 |
| Tier 2: Significant data access | $2,000,000 – $5,000,000 |
| Tier 3: Limited data access | $1,000,000 – $2,000,000 |
| Tier 4: Minimal risk | $1,000,000 |

Building a Technology Vendor COI Program

The most effective technology vendor COI programs:

Classify vendors by data access and criticality, not just contract value. A $10,000/year SaaS platform with admin access to your production database is higher risk than a $200,000/year hardware vendor with no data access.

Require both security attestation and insurance. SOC 2 (or equivalent) plus adequate E&O and cyber coverage. One without the other leaves a gap.

Specify claims-made requirements in contracts. Retroactive date, tail coverage obligations, and carrier change notification provisions should be in the vendor agreement, not discovered after the fact during COI review.

Review limits annually. Technology risk evolves rapidly. The limits that were adequate two years ago may be insufficient given the vendor's expanded role, increased data access, or changes in the threat landscape. Build annual limit reviews into your vendor management program.

Technology vendor insurance requirements are more complex than traditional vendor requirements, but the underlying principle is the same: every vendor who can cause you harm should carry insurance sufficient to make you whole when harm occurs.
