Underwriting Guide

What Underwriters Ask About Technology Companies

Technology companies face a distinctive combination of professional liability (for software errors and service failures), cyber liability (for data breaches), and GL exposure. Underwriters scrutinize the types of technology products or services provided, client contract terms, and any prior claims from software failures or data incidents.

Professional Liability / E&OCyber LiabilityGeneral LiabilityDirectors & OfficersWorkers' Compensation

Business & Products

What technology products or services does the company provide?
Why they ask: The specific product or service defines the professional liability risk. SaaS platforms, managed services, custom development, and hardware each carry different exposure.
Does the company handle, store, or process personal data or payment card information?
Why they ask: Data exposure is the primary cyber risk factor. The type and volume of data held determines breach cost estimates.
Does the software or service have a critical uptime requirement? Are there SLAs?
Why they ask: SLAs with financial penalties for downtime create contractual liability that may not be covered under standard E&O.
Does the company provide services to healthcare, financial services, or government clients?
Why they ask: These regulated industries create heightened liability — HIPAA for healthcare, SOX for financial, FedRAMP for government. Some carriers exclude these verticals.
Does the company develop AI or machine learning products?
Why they ask: AI liability is an emerging exposure with limited case law. Some carriers are restricting or excluding AI-related claims.

Cyber Security Practices

Does the company use multi-factor authentication (MFA) for all remote access and administrative accounts?
Why they ask: MFA is now a baseline requirement for most cyber insurers. Lack of MFA on critical systems can result in declination.
Does the company maintain encrypted, offline backups tested at least quarterly?
Why they ask: Backup integrity is the primary defense against ransomware. Insurers want confirmation backups exist and are restorable.
Has the company experienced any data breaches, ransomware attacks, or security incidents in the past 5 years?
Why they ask: Prior incidents predict future incidents. Carriers need to know what happened, what data was exposed, and what controls were put in place.
Does the company have a written incident response plan?
Why they ask: A documented IR plan reduces breach response costs and demonstrates risk management maturity.

Revenue & Contracts

What is the annual gross revenue broken down by product/service line?
Why they ask: E&O and tech liability premium is based on revenue. Different revenue streams may be priced differently.
Does the company have limitation of liability clauses in client contracts?
Why they ask: Contracts that cap liability at the contract value limit the company's exposure. Contracts with uncapped liability are a significant risk factor.
Does the company contract work out to third-party developers or vendors?
Why they ask: Third-party vendors who have access to the company's systems or client data create additional breach exposure.

Answers that raise red flags

No MFA on remote access or privileged accounts
Prior ransomware attack without significant security improvements
No limitation of liability in client contracts
Providing critical infrastructure software (utilities, hospitals, financial systems) without high limits
AI products without clear understanding of how the model makes decisions
Rapid revenue growth outpacing security infrastructure investment

Tips for presenting this risk favorably

Document cybersecurity controls in detail — MFA, EDR, backup procedures, patch management cadence
Include contract terms that show limitation of liability clauses
Break revenue out by service type — managed services, SaaS, consulting — since they may be rated differently
Explain any prior incidents clearly: what happened, scope of impact, and what changed afterward
Confirm whether D&O coverage is also needed (especially for VC-backed companies)

Collect all this information automatically

AgencyAssist sends your client a plain-English intake link and maps every answer to the correct ACORD fields — including all the questions above.

Start free trialSee live demo

Related

Commercial underwriting basicsWhat underwriters look for in submissionsCommercial underwriting red flagsACORD 125 — Commercial Insurance ApplicationHow to complete the ACORD 125 — field-by-field