
Insurance Requirements in Enterprise Contracts: What Customers Actually Demand

For a growing company, the insurance section of a customer contract is where a deal quietly stalls. The product is approved, the price is agreed — then procurement sends back a one-page list of coverages, limits, and endorsements you have to produce before signing. Knowing what enterprise customers actually demand, and being ready to meet it, is the difference between closing on time and watching the deal slip.

Short answer: For emerging technology founders and operators, the coverages enterprise customers scrutinize most are cyber liability, technology E&O, and crime / fidelity — the lines that respond when your software fails, a breach exposes their data, or funds you handle are diverted. But the coverages are only half of it. The contract also dictates minimum limits, an additional insured endorsement, a waiver of subrogation, primary and non-contributory wording, and a certificate of insurance as proof. Miss any one and the deal waits.

Below: why customers impose these requirements, the coverages and limits they ask for, the endorsement fine print that trips most companies up, how much coverage you actually need, and what to do the moment a contract lands on your desk.

Why customers impose insurance requirements

An insurance requirement is a risk-transfer tool. When a customer lets a vendor into its operations, systems, or data, it wants assurance that if something goes wrong, there is a funded policy — not just a promise — behind your contractual obligations. As Marsh puts it in its guidance on contractual risk transfer, the insurance clause exists to make sure financial resources are actually available to address the damages a vendor's failure could cause. That is also why the insurance clause is usually tied to the indemnification clause: the indemnity says you'll cover certain losses, and the insurance requirement makes that indemnity collectible.

Increasingly, the requirement is also a compliance and security gate. Enterprise vendor-risk and procurement teams now treat proof of coverage as a standard control, and frameworks and regulations (HIPAA, GDPR, PCI-DSS) push customers to require evidence of cyber risk management — including insurance — from their vendors. For a SaaS or technology vendor, the insurance clause increasingly sits right next to the SOC 2 request.

What coverages do enterprise contracts require?

The exact list depends on what you do and what the customer is exposed to, but a typical enterprise contract draws from the coverages below. The first three are near-universal for technology vendors.

| Coverage | Why the customer asks for it |
| --- | --- |
| Commercial general liability (CGL) | Third-party bodily injury and property damage. The baseline requirement in almost every commercial contract — commonly $1M per occurrence / $2M aggregate. |
| Cyber liability | Data breach, ransomware, and privacy incidents involving the customer's data. Standard for any vendor that touches systems or personal information. |
| Technology E&O / Professional liability | Financial harm from your software, services, or advice failing to perform — a missed SLA, a defect, professional negligence. |
| Workers' comp & employer's liability | Required when your people work on-site, or in many states simply because you have employees. |
| Umbrella / excess liability | Sits above the primary limits to reach the total the contract demands (e.g., $5M+). |
| Crime / fidelity | Employee theft and social-engineering fraud — common where you handle funds or financial data. |
| Directors & officers (D&O) | Asked for by some financing, channel, and M&A counterparties as a condition of the relationship. |
| Hired & non-owned auto | Frequently bundled into the standard requirement list even for desk-bound vendors. |

For technology vendors, the load-bearing lines are usually cyber and technology E&O: contracts for vendors that access sensitive data routinely require both, with one university technology-contract standard calling for network security/privacy (cyber) and Tech E&O coverage. See also our overviews of general liability, errors & omissions, D&O, and crime / fidelity.

The fine print that actually decides compliance

Companies tend to focus on whether they "have" a coverage. Customers focus on the endorsements — the policy language that makes their protection real. These four cause the most last-minute scrambles:

The trap: not every policy will issue every endorsement, and some carriers won't add a particular additional insured or agree to primary-and-non-contributory wording at all. If you only discover that after you've signed — or worse, after the customer's deadline — you're renegotiating coverage under time pressure. The endorsements are best checked before you commit, against the actual contract language. Founder Shield's guide is a useful primer on how these clauses are written and where they bite.

How much insurance do enterprise contracts require?

Required limits scale with the size and risk appetite of the customer. A practical pattern, drawn from one startup-insurance advisory's experience with enterprise contracts, looks like this:

| Customer tier | Typical required limits (cyber + Tech E&O) |
| --- | --- |
| Small business (SMB) | $1M–$2M |
| Mid-market ($10M–$100M revenue) | $2M–$5M |
| Enterprise / Fortune 500 | $5M–$10M |

Large technology contracts frequently land at $5 million per claim and $5 million aggregate for Tech E&O, and the same source warns that limits which satisfied contracts in 2023 often don't satisfy current enterprise requirements. The direction of travel is up, and the reason is the stakes: the global average cost of a data breach was $4.44 million in IBM's 2025 Cost of a Data Breach Report, while the U.S. average reached a record $10.22 million. Customers size their insurance requirements to the loss they're trying to transfer.

What to do when a contract lands on your desk

Treat the insurance and indemnification clauses as a deal term, not paperwork:

This is the same discipline we bring to technology E&O and cyber placements and to coverage for venture-backed startups selling into the enterprise: read the contract first, then build the program to match it.


The bottom line

Enterprise customers don't just ask whether you're insured — they specify the coverages, the limits, and the endorsements, and they verify all of it with a certificate before they sign. The companies that close quickly are the ones whose policies were built with those clauses in mind: the right lines at the right limits, with additional insured, waiver of subrogation, and primary-and-non-contributory wording ready to issue. Get it right before the contract arrives, and insurance stops being the thing that holds up the deal.

Get vendor- and client-ready coverage from Alton Risk

We tailor insurance programs built to satisfy your customers' contracts — cyber, technology E&O, general liability, D&O, and crime at the limits your contracts demand, with the additional insured, waiver of subrogation, and primary-and-non-contributory endorsements they require, plus fast certificate turnaround. Reach out to Alton Risk and get a quote from our team.


Frequently asked questions

What insurance do enterprise customers require in contracts?

Most B2B and enterprise contracts require commercial general liability (typically $1M per occurrence / $2M aggregate), and for technology vendors, cyber liability and technology errors & omissions (Tech E&O). Depending on the relationship, customers may also require workers' compensation, employer's liability, hired and non-owned auto, umbrella/excess liability, crime/fidelity, and — for some financing and M&A counterparties — directors & officers (D&O). The contract also dictates limits, an additional insured endorsement, a waiver of subrogation, primary and non-contributory wording, and a certificate of insurance as proof.

How much insurance do enterprise contracts require?

Limits scale with the size of the customer. Small-business customers commonly ask for $1M–$2M across Tech E&O and cyber; mid-market customers ask for $2M–$5M; and large enterprise customers often mandate $5M–$10M, with some technology contracts requiring a minimum of $5M per claim and $5M aggregate. Required limits have been rising — limits that satisfied contracts a couple of years ago frequently fall short of current enterprise requirements.

What is an additional insured endorsement and why do customers require it?

An additional insured endorsement extends your liability policy to cover the customer for claims arising out of your work, products, or services. Customers require it so that if they are sued over something you did, your insurance — not just theirs — responds. Contracts frequently pair it with a waiver of subrogation (your insurer agrees not to pursue the customer to recover what it pays) and primary and non-contributory wording (your policy pays first, before the customer's own insurance).

What is a certificate of insurance (COI) and what is ACORD 25?

A certificate of insurance is a one-page summary issued by your insurer or broker that proves you carry the required coverage and limits. For liability coverage it is usually the ACORD 25 form. Customers request a COI before work begins, often require the additional insured and waiver endorsements to be reflected on or attached to it, and ask to be notified if coverage is cancelled or lapses.

What happens if you can't meet a customer's insurance requirements?

Unmet insurance requirements stall or kill deals. Procurement and vendor-security teams treat the insurance clause as a gating item, so a missing coverage, an insufficient limit, or a policy that won't issue the required additional insured or waiver endorsements can delay signing or send the deal to a competitor. The fix is to read the insurance and indemnification clauses early, place coverage that matches them, and have a broker who can turn a compliant certificate around quickly.

Sources: Tufts University, "Insurance Requirements for Vendors, Contractors and Service Providers"; Insureon, "A Guide to Vendor Insurance"; University of Nevada, Reno, "Insurance requirements for technology contracts"; Alliance Risk, "Your First Enterprise Client Wants $5 Million in Insurance"; Founder Shield, "The Ultimate Guide to Insurance Requirements in Contracts"; Amwins, "Navigating Cyber Insurance for Vendor Agreements"; Marsh, "Writing Clear Contracts for Cyber Risk Transfer"; IBM, Cost of a Data Breach Report 2025; Help Net Security, "Average global data breach cost now $4.44 million" (2025). This article is general information, not legal, financial, or insurance advice.