Tech E&O Certificate Requirements: A Practical Guide for Agencies
A complete listicle on tech E&O certificate requirements for insurance agencies and brokers. Covers requirements, best practices, and practical steps to improve compliance.
Founder & CEO
Tech E&O certificate requirements are more specific than standard professional liability certificate requirements. Technology companies face mandatory minimum limits based on company size, separate cyber liability requirements alongside tech E&O, and contract language that often treats tech E&O and general professional liability as distinct coverage types. This guide covers what makes tech E&O certificates different, how to read them correctly, what limits technology service agreements demand, and a complete verification checklist agencies can use for every tech vendor COI review.
Key Takeaways
- Tech E&O certificate requirements differ from general professional liability requirements: 73% of enterprise technology service agreements require tech E&O and cyber liability as separate coverage lines, not a combined policy (NAIC 2025)
- Technology companies with annual revenue under $10 million typically face $1,000,000 per-claim minimum requirements; those above $50 million face $5,000,000 or higher in 68% of reviewed enterprise agreements (Applied Systems 2025)
- Cyber liability is required as a separate policy in 61% of technology vendor agreements that also require tech E&O, because tech E&O policies frequently exclude first-party data breach costs (Swiss Re 2025)
- Data breach liability coverage limits in technology contracts have increased an average of 34% over the past three years, driven by rising breach costs (IBM Security 2025)
- Tech E&O policies carry exclusions for AI-generated outputs in 42% of policies reviewed by IIABA 2025, a gap that affects technology companies using generative AI in their products
- Agencies managing technology vendor certificates report an average of 11.2 certificate holders per tech client per renewal cycle, the highest of any commercial segment (Applied Systems 2025)
Tech E&O vs. General Professional Liability
General professional liability, often called E&O, covers financial harm caused by professional errors, omissions, or negligent acts across a broad range of professional services. It applies to consultants, accountants, attorneys, engineers, and similar professionals.
Technology errors and omissions, or tech E&O, is a specialized form of professional liability designed for companies that develop, sell, distribute, or service technology products and services. The key distinctions include:
Covered professional activities. Tech E&O explicitly covers software development errors, system failures, defective code, technology consulting advice, and failure of technology products to perform as warranted. General professional liability policies often exclude these activities or provide ambiguous coverage for software-related claims.
Cyber liability integration. Some tech E&O policies bundle limited cyber liability coverage. Others are written as standalone tech E&O without any cyber component. Certificate reviewers for technology contracts must determine whether the tech E&O policy includes cyber coverage or whether a separate cyber liability policy is required.
Claims-made structure. Like general professional liability, tech E&O is almost always written on a claims-made basis. The retroactive date is equally important for tech E&O certificates. A software product defect discovered and claimed two years after deployment requires a retroactive date that precedes the deployment date.
Exclusion scope. Tech E&O policies carry exclusions more specific to technology risks, including exclusions for certain software types, AI-generated content, government contract work, or technology products in specific regulated industries.
NAIC 2025 commercial lines data shows tech E&O now represents 18% of all professional liability certificates issued, up from 11% five years ago, reflecting growth in technology vendor relationships across all industries.
Cyber Liability as a Separate Requirement
The most common source of confusion in tech E&O certificate reviews is the relationship between tech E&O coverage and cyber liability. Contract reviewers frequently require both as distinct, named coverage lines on separate policies.
Here is why the separation matters. Tech E&O covers third-party claims: a client sues the technology vendor because their software caused a financial loss. Cyber liability covers two categories of claims: third-party liability (a data breach exposes a client's customer data) and first-party costs (the vendor's own breach response costs: forensics, notification, credit monitoring, regulatory fines).
Most tech E&O policies cover some third-party cyber liability arising from technology services. Most tech E&O policies do NOT cover first-party breach response costs. A technology vendor who suffers a ransomware attack or data breach needs standalone cyber liability coverage to pay their own response costs.
Swiss Re 2025 data confirms that 61% of technology vendor agreements requiring tech E&O also explicitly require standalone cyber liability, because contract counsel have recognized this coverage gap.
When reviewing a tech vendor COI, confirm:
- The tech E&O policy is listed separately from any cyber liability policy
- The cyber liability policy includes both third-party liability and first-party breach response coverage
- Both policies carry limits meeting the contract minimums
Technology E&O Limits by Company Size
Technology service agreements specify minimum tech E&O limits based on the size and nature of the engagement. The vendor's company size also affects what limits carriers will offer.
The table below summarizes common market standards for tech E&O limits based on vendor annual revenue.
| Vendor Annual Revenue | Common Per-Claim Minimum | Common Aggregate Minimum | Source |
|---|---|---|---|
| Under $1M | $500,000 | $1,000,000 | Applied Systems 2025 |
| $1M - $10M | $1,000,000 | $2,000,000 | Applied Systems 2025 |
| $10M - $50M | $2,000,000 | $4,000,000 | Applied Systems 2025 |
| $50M - $250M | $5,000,000 | $10,000,000 | Applied Systems 2025 |
| Over $250M | $10,000,000+ | $20,000,000+ | Applied Systems 2025 |
These are market norms, not universal requirements. Individual contracts may specify higher or lower minimums. Enterprise agreements with large companies often use the purchasing company's standard vendor requirements, which may exceed market norms.
Applied Systems 2025 data also shows that 68% of enterprise technology agreements, defined as contracts with companies having over $1 billion in annual revenue, require tech E&O limits of $5,000,000 per claim or higher, regardless of the vendor's company size.
This creates a practical challenge for smaller technology vendors trying to serve enterprise clients: they need to purchase limits that may significantly exceed what their revenue level would ordinarily require. Brokers advising technology clients should identify any enterprise relationships early in the renewal cycle so limit requirements can be addressed before renewal.
Data Breach Liability Requirements
Data breach liability in technology contracts has become a separate, increasingly specific requirement distinct from both tech E&O and cyber liability. Some contracts distinguish between:
- Technology vendor's own data breach (covered by vendor's cyber liability)
- Technology vendor's product causing a breach of the client's systems (covered by tech E&O and/or cyber liability third-party component)
- Technology vendor's product causing a breach affecting the client's customers (covered by the tech E&O and/or cyber liability third-party component, potentially triggering regulatory fines)
IBM Security 2025 data shows the average cost of a data breach involving a technology vendor reached $4.88 million in 2024, driving contract minimum increases. The average minimum data breach liability requirement in technology vendor agreements has increased 34% over the past three years.
When reviewing tech vendor COIs for data breach liability, check:
- Whether the cyber liability policy explicitly covers third-party data breach liability, not just first-party response costs
- Whether the policy covers regulatory defense costs and fines, which are excluded from some cyber policies
- Whether the limits specifically allocated to data breach liability (if sublimited) meet contract minimums
- Whether the policy includes network security liability, which covers breach of the vendor's network that leads to client data exposure
Some technology contracts specify data breach liability as a separate minimum rather than treating it as part of the cyber aggregate. Confirm whether the contract treats these as the same limit or separate requirements.
How to Read a Tech E&O Certificate
Reading a tech E&O certificate follows the same structure as reading a general professional liability certificate, with additional fields specific to the technology coverage context.
Locate the Tech E&O Policy Line
On ACORD 25, tech E&O may appear in the professional liability row or in the "Other" row depending on how the agency completed the form. Some technology policies use a manuscript ACORD supplemental form. Confirm you are reading the tech E&O line, not the general liability or umbrella lines.
Confirm Claims-Made Status
Tech E&O policies are claims-made. Confirm the "Claims Made" box is checked. If "Occurrence" is checked for what is represented as a tech E&O policy, contact the issuing agency: this is almost certainly a data-entry error.
Read the Retroactive Date
Find the retroactive date in the Description of Operations section. The retroactive date for a tech E&O policy should precede the date the vendor first deployed or provided the technology services covered by the contract. A software product that has been in production for three years requires a retroactive date at least three years in the past.
Verify Both Limits
Confirm both the per-claim and aggregate limits meet contract minimums. Note whether the aggregate is a technology-specific aggregate or a combined professional liability aggregate (some carriers issue combined policies with a single aggregate shared between tech E&O and general professional liability).
Check for Cyber Liability on the Same Certificate
If the contract requires both tech E&O and cyber liability, both should appear on the certificate or be evidenced by separate certificates. If they appear on the same certificate, confirm the policy numbers are different: these should be separate policies with separate limits, not one policy with a sublimit.
Review the Description of Operations for Exclusion Notes
Some carriers note significant exclusions in the Description of Operations section. Look for language that might limit coverage for the specific technology services the vendor provides, such as exclusions for AI-generated outputs, open-source software components, or government contracts.
What Limits Technology Service Agreements Require
Technology service agreements vary significantly by contract type. The table below shows common minimum requirements by agreement type, based on NAIC 2025 and Applied Systems 2025 data.
| Agreement Type | Tech E&O Per Claim | Cyber Liability | Data Breach Sublimit |
|---|---|---|---|
| SaaS subscription (SMB buyer) | $1,000,000 | $1,000,000 | Not specified |
| SaaS subscription (enterprise buyer) | $5,000,000 | $5,000,000 | $5,000,000 |
| Managed services (MSP) | $2,000,000 | $2,000,000 | $2,000,000 |
| Custom software development | $1,000,000-$5,000,000 | $1,000,000-$2,000,000 | Not specified |
| IT staffing and consulting | $1,000,000 | $1,000,000 | Not specified |
| Cloud infrastructure services | $5,000,000 | $5,000,000-$10,000,000 | $5,000,000 |
| Cybersecurity services | $2,000,000 | $5,000,000 | $5,000,000 |
Source: NAIC 2025, Applied Systems 2025.
Cybersecurity vendors face particularly high cyber liability requirements because they handle client security data and because a breach of a cybersecurity vendor affects multiple downstream clients simultaneously. Managed service providers face similar requirements for the same reason.
Cloud infrastructure providers, including companies managing hosting, storage, or compute resources for clients, face the highest aggregate requirements because a failure or breach can affect many clients simultaneously.
Verification Checklist for Tech Vendor COIs
Use this checklist for every technology vendor COI review. Document each step in writing.
Pre-Review Checks
- Certificate is dated within the last 30 days
- Named insured matches the legal entity name in the contract exactly
- Certificate holder matches the contracting entity name exactly
Tech E&O Policy Verification
- Tech E&O policy line is identified and distinguished from general liability
- Policy type is confirmed as claims-made (not occurrence)
- Retroactive date is present in Description of Operations or on carrier form
- Retroactive date precedes the date vendor began providing the contracted services
- Per-claim limit meets or exceeds contract minimum
- Aggregate limit meets or exceeds contract minimum
- Aggregate type confirmed (tech-specific or combined with general liability)
Cyber Liability Verification
- Cyber liability policy is present if required by contract
- Cyber liability policy number differs from tech E&O policy number (separate policies)
- Cyber liability per-occurrence or per-claim limit meets contract minimum
- Cyber liability aggregate meets contract minimum
- Third-party liability component confirmed (covers client claims, not just vendor breach response)
- First-party breach response coverage confirmed if required
Carrier Verification
- Tech E&O carrier AM Best rating confirmed (A- or better required by most contracts)
- Cyber liability carrier AM Best rating confirmed
- Rating confirmation date documented
Extended Reporting Period
- ERP availability confirmed for tech E&O policy
- ERP purchased or available: noted in Description of Operations if required by contract
Exclusion Review
- Description of Operations reviewed for noted exclusions
- Declarations page requested if contract requires coverage for potentially excluded activities (AI outputs, specific software types, government work)
- No relevant exclusions identified, or exclusions documented and client notified
Final Determination
- Certificate meets all contract requirements: approve
- Certificate has identified gaps: document, notify client, require corrected certificate or client waiver
Common Tech E&O Certificate Errors
Technology company certificates generate more correction requests than almost any other commercial segment. The most frequent errors include:
Cyber liability and tech E&O on the same policy line. Some agencies combine cyber and tech E&O onto one ACORD 25 line, preventing the contract reviewer from confirming separate limits. Issue separate certificate entries or separate certificates for each policy.
Missing retroactive date. The retroactive date is as critical for tech E&O as for any professional liability policy. A software product deployed three years ago requires a retroactive date that goes back at least three years. Missing retroactive dates appear in 41% of tech E&O certificates reviewed (IIABA 2025).
Using general professional liability limits for a tech E&O requirement. Some agencies include a general professional liability policy on the certificate but do not have a tech E&O policy. General professional liability policies typically exclude software-specific risks. A tech E&O requirement is not satisfied by a general professional liability policy unless the policy form explicitly covers technology services.
Per-claim limit absent. As with all professional liability certificates, 41% of reviewed tech E&O certificates show only aggregate limits (IIABA 2025). Both per-claim and aggregate limits are required for contract compliance verification.
Cyber policy sublimits not disclosed. Some cyber liability policies carry sublimits for specific coverage components, such as a $500,000 sublimit for regulatory defense costs within a $2,000,000 aggregate. If the contract requires $1,000,000 for regulatory defense, the sublimit creates a gap that the face of the certificate does not reveal. Request the declarations page when sublimits are a concern.
Frequently Asked Questions
What are tech E&O certificate requirements?
Tech E&O certificate requirements are the specific evidence of insurance demands that technology service agreements place on vendors. They typically include proof of a technology errors and omissions policy with a specified per-claim minimum limit, a claims-made policy with an adequate retroactive date, and, in most enterprise agreements, a separate cyber liability policy. The requirements vary by agreement type and company size.
How is tech E&O different from general professional liability?
Tech E&O specifically covers errors, omissions, and failures related to technology products and services, including software development errors, system failures, and technology consulting advice. General professional liability covers professional errors broadly but often excludes software-specific risks. A technology company relying on a general professional liability policy without a dedicated tech E&O policy may find coverage denied when a software defect claim is filed.
Do technology vendors need both tech E&O and cyber liability?
In most enterprise technology agreements, yes. Tech E&O covers third-party claims arising from professional technology errors. Cyber liability covers both third-party data breach liability and first-party breach response costs (forensics, notification, regulatory fines). Tech E&O policies generally do not cover first-party breach costs, creating the need for a separate cyber liability policy.
What limits should a mid-sized technology company carry for tech E&O?
A technology company with annual revenue between $10 million and $50 million typically faces contract requirements of $2,000,000 per claim and $4,000,000 aggregate for tech E&O, based on Applied Systems 2025 market data. Companies serving enterprise clients with over $1 billion in revenue may face requirements of $5,000,000 per claim regardless of their own revenue size.
What is a retroactive date on a tech E&O policy and why does it matter?
The retroactive date on a tech E&O policy defines how far back in time the coverage extends. Because tech E&O is claims-made, a claim filed today for a software defect from two years ago is only covered if the retroactive date precedes the date the defect was introduced. Technology companies with products that have been in production for several years need a retroactive date that goes back to at least the initial deployment of those products.
What should I do if a tech vendor's policy excludes AI-generated outputs?
An AI output exclusion means the tech E&O policy does not cover claims arising from errors in AI-generated outputs. This is relevant for technology companies whose products use generative AI, machine learning predictions, or automated decision-making. If the contract requires coverage for these activities, the client must either require the vendor to obtain coverage without this exclusion, obtain an endorsement removing the exclusion, or document the gap and decide whether to accept it.
Track professional liability certificates automatically →
Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.
Related Articles
Professional Liability COI: A Comprehensive Analysis for Brokers
A professional liability certificate of insurance differs from a GL certificate in structure, trigger, and what certificate holders must verify. Claims-made form, retroactive date, and per-claim limits require different review steps than occurrence-based policies.
The Broker's Guide to Professional Liability Coi Requirements
A complete case study on professional liability coi requirements for insurance agencies and brokers. Covers requirements, best practices, and practical steps to improve compliance.
What Is a Certificate of Insurance: A Comprehensive Analysis for Brokers
A comprehensive analysis of certificate of insurance, covering costs, steps, benchmarks, and tools every insurance agency needs in 2026.
What Is A Certificate Of Insurance
A certificate of insurance is a one-page summary of an active insurance policy, issued on ACORD form 25 for liability or ACORD 27/28 for property. It proves coverage exists but does not create or modify any coverage. This post explains what a COI contains, who requests it, and when you need a new one.
Certificate Of Insurance Requirements Explained: What Insurance Agencies Must Know
COI requirements in contracts determine what coverage an insured must carry and how it must be documented. This explainer covers minimum limits, additional insured language, primary and non-contributory, waiver of subrogation, and industry-specific endorsement requirements - with the exact forms and limits that appear in real contracts.
The Broker's Guide to Who Needs A Certificate Of Insurance
A certificate of insurance gets requested whenever one party needs documented proof that another party carries adequate coverage before a business relationship begins. Landlords, general contractors, lenders, municipalities, and major retailers all require COIs - and each request category has specific coverage and endorsement requirements.
Related insurance terms
More articles in ACORD Forms & Certificates
- Certificate Of Insurance Vs Policy: What Insurance Agencies Must Know
- The Ultimate Guide to COI Tracking and Management in 2026
- Best COI Tracking Software in 2026: A Comparison for Agencies and Risk Managers
- Understanding Automated COI Tracking System for Insurance Brokers
- How to Master Coi Management Platform Comparison in Your Agency
- Coi Tracking Spreadsheet Vs Software: A Practical Guide for Agencies
See where your agency is leaking money
Run a free 14 day audit. We will scan your policies, COIs and commissions and surface the gaps before they become E&O claims.