Technology companies — software developers, SaaS providers, IT services firms, managed security providers, AI companies, and technology consultants — face a particular challenge when structuring their insurance programs. Two policies are most directly relevant to their risk profile: Technology Errors and Omissions insurance, commonly called Tech E&O, and cyber insurance. These policies are related but distinct, and the space between them has been the source of significant, expensive coverage disputes when companies experienced losses and discovered their insurance program was not structured to respond the way they assumed.
Understanding the difference between these two policies is not merely a matter of insurance literacy. For technology companies, the gap between Tech E&O and cyber coverage is a concrete legal and financial risk. Clients require both in contracts. Courts and insurers have disputed which policy responds when a claim could fall under either. And for AI companies in particular, the coverage landscape is still evolving in ways that create new and imperfectly addressed exposures.
This page explains what each policy covers, where they overlap and where they diverge, the classification problem that creates gaps in coverage, what enterprise clients require from each, and how combined Tech E&O plus cyber policies compare to maintaining the two separately.
What Technology E&O Insurance Covers
Technology Errors and Omissions insurance is a form of professional liability coverage designed specifically for technology companies. It covers claims arising from your professional technology products and services — specifically, claims that your technology failed to perform as expected, contained errors or defects, or caused financial harm to a client or third party through negligent professional work. The theory of coverage is that you made a mistake in your professional capacity, and the policy covers the resulting liability.
The range of scenarios Tech E&O is designed for is broad. A software developer whose code contains a vulnerability that is later exploited to steal client data faces a claim that its professional work — the software — was defective in a way that caused harm. An IT services firm that improperly configured a client’s firewall, leaving the client exposed to an attack, faces a claim that its professional services were performed negligently. A cloud platform provider whose service outage caused a client to miss critical deliverables and incur SLA penalties faces a claim that its technology failed to perform as contracted. A technology consultant who designed a system that did not meet its functional specifications faces a claim for the economic losses caused by the shortfall. In each case, the claim is that your professional technology work caused the loss.
Tech E&O also typically covers intellectual property infringement claims related to your technology products — claims that your software incorporates code, functionality, or other intellectual property that belongs to someone else without authorization. This IP infringement coverage is a significant distinguishing feature from cyber insurance, which generally does not address IP claims. Defense costs are covered from the moment a claim is made, which is significant because defending a professional liability claim through litigation is expensive regardless of whether the underlying claim ultimately succeeds.
What Cyber Insurance Covers That Tech E&O Does Not
Cyber insurance covers a different problem. Its core function is to cover losses arising from cybersecurity events — unauthorized access to systems, data breaches, ransomware attacks, business email compromise, and related incidents. The coverage has two components: first-party coverage for your own losses, and third-party liability coverage for losses you cause to others.
The first-party component is the most fundamental distinction from Tech E&O. If your company is hit with ransomware and suffers $500,000 in forensic investigation costs, breach counsel fees, system recovery expenses, and business interruption losses, those are your own losses — losses to your own business from a cybersecurity event. Tech E&O is not designed to respond to those losses. Tech E&O is a liability policy: it pays when someone else makes a claim against you for a professional error. Cyber insurance pays for your own operational and response costs as well, which is why it is considered partly first-party coverage and partly third-party liability coverage.
Cyber insurance’s third-party liability component covers claims made against you for cybersecurity failures that harmed others — for example, if your systems were breached and the attacker used your environment to access a client’s data, or if your company’s security failure enabled an attack on a client’s infrastructure. These claims involve liability to a third party for a cybersecurity failure, as distinct from a professional services failure, which is Tech E&O’s domain. The distinction, however, is not always clean in practice — which is what creates the classification problem discussed in the next section.
The Classification Problem — Where Claims Fall Into the Gap
The central coverage challenge for technology companies is that a single incident can give rise to claims that potentially fall under Tech E&O, under cyber, under both, or — in the worst case — under neither, because each policy’s language excludes what the other is supposed to cover. Understanding how this happens requires working through a specific example.
Suppose you develop and maintain a software application for an enterprise client. An attacker discovers a vulnerability in your code — a software defect that your development process failed to catch — and exploits it to access the client’s customer database. The client suffers a significant breach of their customers’ personal information, incurring notification costs, regulatory penalties, and class action defense costs. The client sues you. Is this a Tech E&O claim or a cyber claim?
The argument for Tech E&O: you made a professional error — you wrote defective code. The vulnerability was a software defect, and your failure to identify and remediate it was a professional services failure. The claim is that your professional work was negligent, which is exactly what Tech E&O covers. The argument for cyber: a cybersecurity event occurred — an attacker gained unauthorized access to systems and exfiltrated data — and your network security failure enabled that event, which is what cyber insurance covers under network security liability. Courts and insurers have come down on both sides of this argument in similar disputes.
The danger arises when each insurer argues the other policy should respond. If your Tech E&O policy has a broad cyber exclusion — excluding claims arising from cybersecurity events — and your cyber policy has a professional services exclusion — excluding claims arising from errors in your professional services — the claim may fall through the gap between the two policies, leaving you with no coverage for a multimillion-dollar loss despite having paid premiums on two separate policies. This is not a hypothetical risk. Attorneys who practice in this area have handled exactly these disputes. The coverage gap problem requires specific attention when you are structuring your insurance program, and it is one of the main reasons combined Tech E&O plus cyber policies have become popular for technology companies.
What Enterprise Contracts Require From Both Policies
The insurance structuring question is not purely academic. If you are a technology company selling to enterprise clients, your clients’ procurement and legal teams will almost certainly require both Tech E&O and cyber insurance at specified limits as a condition of the vendor contract. This requirement appears in vendor agreements, master services agreements, and SaaS subscription agreements with large organizations across virtually every industry.
The enterprise client requires Tech E&O because they are concerned about your professional services failures — the scenarios where your technology does not work as promised, your services are performed negligently, or your products cause economic harm through defects or failures. They require cyber insurance because they are concerned about data security — the scenarios where your security failure results in a breach of their data or their customers’ data. From the client’s perspective, these are two separate risk categories that require two separate insurance obligations, and they are right about that.
If you have only one of the two required policies — or if you have both but at limits lower than what the contract requires — the consequences are concrete and sequential. You may not be able to close the deal at all, because the enterprise client’s vendor onboarding process will identify the deficiency before the contract is signed. If the contract is signed and a deficiency is later discovered, you may be in breach of the insurance maintenance covenant in your agreement. And if an incident occurs that exceeds your actual coverage, you face liability in excess of your insurance that your business must bear directly. Ensuring your insurance program meets your contractual requirements is a legal compliance obligation, not an optional upgrade.
AI Companies and the Coverage Gap
The coverage classification problem that affects technology companies generally is particularly acute for companies building artificial intelligence products and services. AI systems can cause harm in ways that resist clean categorization under existing insurance policy forms — and the legal and regulatory environment for AI liability is still developing, which means the insurance market has not yet fully caught up.
Consider the range of AI-related harm scenarios: an AI system that provides incorrect medical or legal guidance on which a user relies to their detriment; an AI hiring tool that produces discriminatory recommendations in violation of employment discrimination law; an AI content generation system that produces output that defames a real person or reproduces copyrighted material; an AI fraud detection system that fails and enables financial losses; an AI system whose outputs are used to commit financial fraud. Are these professional errors by the AI company? Product defects in the AI system? Cybersecurity failures? Privacy violations? Discrimination claims? Most of these scenarios do not fit cleanly into either Tech E&O or cyber insurance as those products have been traditionally structured.
Some insurers have begun offering AI-specific endorsements or standalone AI liability policies, and some Tech E&O policies have been updated to more clearly address AI-related claims. But the AI insurance market is genuinely immature, and technology companies building AI products should not assume that their existing Tech E&O and cyber policies cover the full range of AI-related liability they may face. Legal counsel and a specialist broker with AI insurance experience can help you assess the gaps and identify the additional coverage options available in your specific situation.
Combined Tech E&O and Cyber Policies — Pros and Cons
Many major insurers now offer combined Tech E&O and cyber insurance on a single policy form. The appeal of the combined approach is that it addresses the classification problem directly: if professional services and cybersecurity are both covered under a single policy, there is no dispute between two different insurers about which policy responds to a claim that could fall under either. The insurer cannot point to the other policy — there is no other policy — and the claim must be evaluated on its merits under the single form.
The combined approach also simplifies your vendor compliance management. Rather than maintaining certificates of insurance for two separate policies and monitoring both for renewals and changes, you manage a single policy and can produce a single certificate that evidences both coverages. For technology companies with large numbers of enterprise clients who require certificates of insurance, this administrative simplification has real value.
The potential disadvantage of the combined approach is that a single aggregate limit must cover both categories of risk. A combined policy with a $5 million aggregate limit provides $5 million for all Tech E&O, cyber, and related claims combined. Two separate policies, each with a $5 million limit, provide up to $10 million in total coverage if different claims trigger each policy in the same year. For technology companies with high revenue, significant client contracts, and material exposure in both categories, separate policies at higher limits may provide more total protection than a combined form at a single aggregate limit. The right choice depends on your specific risk profile, contract requirements, and the market options available to you — analysis that a specialist broker and legal counsel can help you work through at the time of your next renewal.
