While technology has transformed rapidly - from cloud-native systems to embedded software - what hasn’t changed is the core underwriting approach for tech E&O insurers. “The technology itself changes, but the core underwriting of it really doesn't,” said Erin Eisenrich, vice president of technology E&O and international at Berkley Technology Underwriters.
Insurers remain focused on one constant: how the failure of a client’s product or service could financially harm a third party. That lens remains unchanged whether the exposure stems from a SaaS provider, an internet of things (IoT) platform, or an AI tool. “An element of that exposure has existed for a really long time,” Eisenrich said. “As far as how we really underwrite… I don't know that it has changed so much because of those three things.”
Though the exposures remain similar, the context around them has shifted - driven by the explosion of digital connectivity, mounting regulatory scrutiny, and a notable rise in cyberattacks. “The industry has seen a real increase” in ransomware and data breach events targeting tech companies, Eisenrich said. “That's really impacting some of the exposures that we look at and how we underwrite.”
Insurers are now evaluating not only the direct risk from a single error, but also the potential for cascading failures across interconnected systems. This kind of aggregation risk has become a focal point. “The downstream impact of an increasingly digitized world… that plays into embedded technologies and cloud computing,” Eisenrich added.
What has changed more fundamentally is how underwriters scrutinize tech companies’ internal risk management. “Pre-pandemic, the focus in underwriting technology was really always on that third-party exposure,” she said. Since then, there’s been a noticeable shift toward examining internal cybersecurity practices - everything from whether a firm uses multi-factor authentication (MFA) to how it handles incident response.
MFA became the baseline. “It’s been communicated well across the industry that that is now a standard requirement,” she said. Without it, carriers have adjusted pricing and appetite accordingly. Now the focus is moving toward endpoint detection and response (EDR) and managed detection and response (MDR). “That will be kind of the new MFA,” Eisenrich said.
For tech clients, E&O and cyber coverages are increasingly inseparable. “We use those very interchangeably when relating to a tech client,” Eisenrich said. “We write those coverages on really one bundled policy.”
That dual perspective means underwriters are assessing both how a company protects itself and how it might expose others. “It’s how have they protected their own house? And then how are they responsible for protecting somebody else’s house?”
This creates complex claims scenarios. Take, for example, an IT consultant who recommends a third-party security vendor. If that vendor experiences a failure - such as the CrowdStrike outage in July 2024 - the consultant could still be sued for recommending it. “Even though it's not their fault that CrowdStrike failed,” Eisenrich said, “that's part of the exposure that we're looking at.”
Among the most uncertain areas for insurers is artificial intelligence. “It’s really one of the emerging risks that exist for technology companies,” Eisenrich said. The widespread adoption of AI has outpaced both regulation and case law, making underwriting and claims forecasting more difficult.
“How is the coverage responding? How do we settle claims? How do we price for the coverage?” she asked. The answer is unclear. “It’s a really significant exposure.”
It’s also prompting new questions about which policy - D&O or E&O - should carry the risk. “My brokers are bringing up more and more: where should that coverage live?” she said. As with cybercrime coverage before it, the lines are blurring, and Eisenrich believes the industry will see the rise of blended D&O/E&O policies. “It makes it easier to put it with one carrier, and then there’s no question of where should it go.”
For all the industry buzz around AI and cyber, contracts remain the core of E&O underwriting. “A breach of contract is ultimately a tech client’s most significant exposure, in my opinion,” Eisenrich said.
Insurers’ attention to contracts varies depending on account size. For smaller businesses - where policies are more transactional - contract reviews are rare and limitations more common. For mid-market and larger clients, carriers dig into the details.
“One of the most significant red flags that I look for is, does the limitation of liability state that the insured’s liability is limited to the limit of their insurance policy?” Eisenrich said. “That is something we do not like to see.”
Other clauses that draw scrutiny include missing disclaimers of consequential damages, overreaching warranty statements, and one-sided indemnities. “We don’t want a warranty statement to promise the moon and the stars,” she said. “That will really open them up to broadened litigation.”
Recent systemic outages - like the ones involving Salesloft, Drift, Change Healthcare, CDK, and CrowdStrike - have shifted how insurers model risk. “We’ve seen a really notable uptick in widespread events last year and this year,” Eisenrich said. “And I think that we will continue to see those.”
Some incidents have involved bad actors; others stemmed from internal errors. Either way, the effect is the same: large-scale disruption and the potential for large-scale claims. “That could have a really significant impact on pricing in the market, capacity in the market, and coverage,” she said.
Unlike natural catastrophes, which insurers can model using decades of data, tech losses often emerge from unknown vectors. “The most significant threat to a technology company, in my mind, is something that we've probably never heard of yet,” Eisenrich said. “It is a vulnerability we’re not aware of yet. It is a threat actor we don’t know. It is a human error that has a huge downstream impact.”