What Business Insurance Doesn't Cover

Here's a scenario that plays out more often than it should. A SaaS company's platform is breached, client data is exposed, and the company files a claim under its Cyber policy. The carrier denies it, arguing the exposure stemmed from a service error, not a security incident. The company assumed their policy covered it, but the policy said it was an Errors & Omissions (E&O) issue. The E&O policy had its own carve-outs, and nobody paid.

That's a predictable outcome when coverage is bought policy by policy without understanding how the pieces interact, or more importantly, where they don't. The real risk for companies isn't usually a single uncovered event, but the gap between two policies that each assume the other one handles. That's what this guide addresses.

Key Takeaways

• Most business owners assume their insurance covers more than it does. The gaps between policies are where the real risk lives.
• General Liability Insurance doesn't cover professional errors, cyber incidents, or employee injuries. Those require separate policies.
• Cyber Insurance and E&O Insurance policies have a blind spot: each can point to the other when a claim involves both a service failure and a data exposure.
• E&O and Directors & Officers (D&O) Insurance are claims-made policies. If you cancel without buying tail coverage, you're exposed to claims that surface after your policy ends.
• AI-generated errors and model failures are increasingly excluded from standard Cyber and E&O policies. Don't assume you're covered.

What Business Insurance Generally Doesn't Cover

Before getting into specific policy types, a few exclusions apply broadly across nearly every commercial insurance policy.

Intentional Acts and Criminal Conduct

If you or your employees cause harm on purpose, no standard policy will respond. Insurance is designed to cover accidental and unforeseen losses, not deliberate ones. This applies to General Liability, Cyber, E&O, and virtually every other policy type.

Normal Wear, Tear, and Gradual Deterioration

Property and Liability policies cover sudden, accidental losses. Equipment that degrades over time, software that becomes obsolete, or infrastructure that slowly fails doesn't qualify. Gradual deterioration is a maintenance problem, not an insurable event.

Floods, Earthquakes, and Certain Natural Disasters

Most standard Commercial policies exclude catastrophic natural events. Flood and earthquake coverage require separate policies or riders. In certain coastal states, Named Windstorm is also commonly excluded and needs to be addressed separately.

Contractual Liability You Assumed Voluntarily

This one surprises a lot of B2B companies. If you sign a contract agreeing to hold a third party harmless and a claim arises from that agreement, standard General Liability may not respond. Unless your policy includes a contractual liability provision, the liability you assumed voluntarily isn't covered. Review your contracts and your policy language together.

What General Liability Insurance Doesn't Cover

General Liability Insurance is the most widely required policy, which is part of why its limitations catch people off guard. It's required for leases, accelerators, and most enterprise vendor agreements, so founders often assume it's doing more work than it is.

Professional Errors and Bad Advice

While General Liability covers physical harm and property damage to third parties, it doesn’t cover the quality of your work. If your code, advice, or deliverable causes a client financial harm, that's a professional liability claim, and it belongs under E&O coverage. This is one of the most common misunderstandings among tech founders. 

Learn more about the difference between General Liability and E&O coverage.

Cyberattacks and Data Breaches

General Liability has no meaningful Cyber coverage. A standalone Cyber Insurance policy handles notification costs, regulatory fines, forensic investigation, and business interruption from a security incident. General Liability might respond to a very narrow third-party bodily injury claim that somehow arises from a breach, but that's not a reliable coverage path. If you're collecting data, you need Cyber coverage.

Employee Injuries on the Job

Third parties like customers, vendors, visitors, and the general public are protected under General Liability, but it doesn't cover your own employees. Worker injuries are covered by Workers' Compensation, which is legally required in nearly every state once you have employees. These are separate policies covering separate populations.

Business Vehicles, Liquor Liability, and Pollution

A few other common General Liability exclusions worth knowing: vehicles used for business purposes require Commercial Auto Coverage. Events where alcohol is served may require a separate Liquor Liability policy. And environmental or pollution-related claims typically require a standalone Pollution Liability policy.

What Cyber Insurance Doesn't Cover

Cyber Insurance has expanded significantly over the past several years, but the policy has clear edges, and some of those edges are getting sharper as carriers respond to new risk categories.

Service Errors That Cause Financial Harm to Clients

This is the E&O-Cyber blind spot, and it's a consistent source of confusion at SaaS and AI companies. 

• Cyber covers security incidents: breaches, ransomware, and unauthorized access. 
• E&O covers professional mistakes: your software fails, your team makes an error, or your product doesn't perform as promised. 

If your platform goes down and causes a client financial loss, that's not a Cyber claim. It's an E&O claim, and if your E&O policy has gaps, you may be holding the loss yourself.

Internal Employee Fraud and Funds Transfer Scams

Cyber policies are generally designed to cover external attacks. Internal theft, embezzlement, and many social engineering schemes require Crime Insurance instead. Some Cyber policies offer a social engineering endorsement that covers certain wire fraud scenarios, but it's not included by default. Ask specifically whether your policy covers it, and at what limit.

AI-Generated Errors and Model Failures

This is a high-stakes emerging gap. Standard Cyber policies have historically been "silent" on AI, meaning they neither explicitly cover nor exclude AI-related losses. Since late 2025, major carriers have begun adding explicit AI exclusions to both Cyber and E&O policies. If your product is AI-powered, you can't assume that a model hallucination, a biased output, or a regulatory fine under emerging AI laws (the EU AI Act, for example, or state-level frameworks) is covered. Confirm affirmatively with your carrier or broker.

Cryptocurrency and Digital Asset Losses

Most standard Cyber policies exclude or heavily limit losses involving cryptocurrency theft or digital asset compromise. If your company accepts crypto payments, holds digital assets, or operates in fintech or Web3, verify your policy's treatment of these exposures explicitly. Don't assume the standard policy handles it.

What E&O Insurance Doesn't Cover

E&O Insurance is the policy that covers financial harm caused by your professional mistakes. It's essential for any company selling software, services, or advice. But it has its own clear boundaries.

Security Incidents and Data Breaches

This is the mirror of the Cyber gap. E&O covers the harm caused by a mistake. Cyber covers the cost of a breach. When a breach is triggered by an employee error, a claim could theoretically implicate both policies, or fall into the gap between them if they're not written to coordinate. The fix is making sure your policies are structured to work together.

Employment Disputes

Wrongful termination, harassment, and discrimination claims are Employment Practices Liability Insurance (EPLI) territory. E&O doesn't cover your people operations. If your team is growing quickly, EPLI is the policy to prioritize.

Claims Made After Your Policy Ends: The Claims-Made Trap

This is one of the most consequential and least-discussed gaps in business insurance.

E&O is typically written on a claims-made basis, meaning the policy only responds if the claim is filed while the policy is active. If you cancel your E&O policy without purchasing tail coverage (also called an extended reporting period), you're exposed to any claim that surfaces after cancellation, even if the underlying incident happened while you were covered.

This comes up regularly in conversations with founders who switched carriers or let coverage lapse. The gap can be years wide. If you're canceling or switching an E&O policy, always ask about tail coverage before you do.

What D&O Insurance Doesn't Cover

D&O Insurance protects the people who run your company from personal liability for management decisions. It's structured narrowly by design.

Bodily Injury and Property Damage

D&O covers financial loss arising from management decisions, things like investor claims, governance disputes, and breach of fiduciary duty. Physical harm and property damage are General Liability. These policies don't overlap.

Personal Profit and Intentional Fraud by Directors

It’s designed to protect good-faith business decisions, not to insulate directors who enrich themselves at the company's expense. Standard D&O policies include carve-outs for fraud, intentional misconduct, and illegal personal profit.

Claims After Policy Cancellation

D&O, like E&O, is typically written on a claims-made basis. The same tail coverage issue applies. If a former board member is named in a claim after your D&O policy has lapsed, you may have no coverage for that claim, even if the underlying decision was made years ago while coverage was in place.

What Crime Insurance Doesn't Cover

Crime Insurance is first-party coverage for your company's own financial losses from fraud and theft. It's narrower than most founders expect.

External Cyberattacks

Crime policies cover internal dishonesty: employee theft, embezzlement, and fraudulent transfers initiated by someone inside the company. A ransomware attack by an external threat actor is a Cyber event, not a Crime event. These are different policies covering different threat sources.

Third-Party Liability Claims From Clients

Because Crime Insurance is first-party coverage, it only addresses your losses. If a client sues you because your employee stole their data or misappropriated their funds, you need E&O or Cyber coverage to respond to that third-party claim. Crime Insurance won't get you there.

Coverage Gaps That Catch Tech Companies and Startups Off Guard

These scenarios are drawn from real conversations with founders and finance teams navigating claims and coverage questions.

Scenario 1: The E&O-Cyber Blind Spot in Practice

Imagine a SaaS company's platform goes down during a client's peak usage period, exposing client data in the process. Is that an E&O claim (the platform failed to perform) or a Cyber claim (data was exposed)? Carriers may each assert that it belongs to the other policy. The company is caught in the middle.

Making sure your E&O and Cyber policies are written to coordinate, with clear language about which policy responds first, is more important than increasing your limits. Ask your broker specifically whether your policies are structured to cover this scenario.

Scenario 2: Policy Limits Are Shared, Not Per Client or Contract

Your $1M per-occurrence limit doesn't reset for each customer. If two clients file simultaneous claims, you don't have $1M per claim. You have $1M total. This surprises founders who have large enterprise contracts and assumed their biggest clients were effectively isolated in their own coverage lane. They're not.

If your enterprise contracts expose you to large individual claims, your per-occurrence and aggregate limits both need to reflect that. It's worth reviewing those numbers with your broker before you sign your next major contract, not after a claim makes the gap obvious.

Scenario 3: You Can't Insure Property You Don't Own

Business Property coverage requires insurable interest. If a client loans your team equipment, or you're working with leased hardware, you likely can't add that property to your own policy without documentation confirming your interest in it. This catches hardware companies, AEC firms, and IT consultants who assume their Business Property policy covers anything in their possession.

If you're regularly working with equipment you don't own, talk to your broker about how to document insurable interest correctly, or whether a separate inland marine policy makes more sense for your situation.

Scenario 4: AI and Algorithm Risk Is a Coverage Gray Zone

If your product is AI-powered, your coverage has an emerging gap that's worth addressing now rather than after a claim. Standard Cyber and E&O policies may not cover hallucinations, biased model outputs, or regulatory fines under evolving AI legislation. This is an area moving quickly; the EU AI Act is creating new categories of liability, and state-level frameworks are following.

Don't assume your existing policies cover AI-related risks. Ask your broker specifically whether model output errors are affirmatively covered or excluded, and whether your program needs to be updated to reflect what your product actually does.

What to Do When You Find a Coverage Gap

Finding a gap in your coverage is only half the battle. What you do next determines whether that gap gets closed before it costs you. Here's where to start.

Don't Interpret Exclusions Alone

Insurance policy language is dense by design. An exclusion that looks absolute often has exceptions, endorsements, or coverage triggers that aren't obvious without context. An advisor who understands your industry can identify where your policies need to be layered or modified before you have a claim, not after.

Ask Specifically About Endorsements and Policy Coordination

Many exclusions can be addressed with endorsements, but only if you ask. Before your next renewal, consider asking your broker the following: 

• Does my Cyber policy coordinate with my E&O policy? 
• Is AI risk explicitly covered or excluded under my current policies? 
• Do I need tail coverage if I cancel or switch carriers? 
• Is social engineering covered under my Crime or Cyber policy, and at what limit?

Revisit Your Coverage at Every Major Milestone

Your exposure profile changes every time your company does. The coverage that made sense at pre-seed doesn't reflect the risk profile of a Series A company with enterprise contracts. Triggers worth reviewing: raising a new round, adding employees, launching a new product line, signing a major new contract, or entering a new market.

Know Your Gaps Before Your Carrier Does

The most expensive insurance mistakes aren't the obvious ones (like having no coverage at all). They're the subtle ones: the gap between two policies that each point to the other, the claims-made policy that lapses right before a claim surfaces, or the AI exclusion that nobody noticed until the carrier denied coverage.

Understanding what your policies don't cover is how you make sure the coverage you're paying for actually works when you need it.

Not sure what your current coverage does and doesn’t protect? Talk to a Vouch advisor.

Frequently Asked Questions

What does business insurance not cover?

Most standard business insurance policies exclude intentional acts, gradual wear and tear, natural disasters like floods and earthquakes, and contractual liability voluntarily assumed in contracts. Beyond those broad exclusions, each policy type has its own gaps. General Liability doesn't cover professional errors or cyber incidents. Cyber doesn't cover internal fraud. E&O doesn't cover security breaches. Understanding how your specific policies interact is as important as knowing what each one covers individually.

What does General Liability Insurance not cover?

General Liability doesn't cover professional errors, cyberattacks, employee injuries, or damage from business vehicles. It covers third-party bodily injury and property damage in the context of your physical business operations. For anything related to the quality of your work, your data, or your employees, you need additional policies.

What does Cyber Insurance not cover?

Standard Cyber policies typically don't cover service errors that cause client financial harm (that's E&O), internal employee fraud (that's Crime), cryptocurrency and digital asset losses, and increasingly, AI-generated errors and model failures. Some of these gaps can be addressed with endorsements, but only if they're specifically requested.

What's a claims-made policy, and why does it matter?

A claims-made policy only responds to claims filed while the policy is active. E&O and D&O are both typically written this way. If you cancel without purchasing tail coverage (an extended reporting period), you're exposed to any claim that surfaces after cancellation, even if the underlying event happened while you were covered. This is one of the most consequential and least-discussed gaps in business insurance.

Can I just add endorsements to fix coverage gaps?

Often, yes. Many exclusions can be addressed with endorsements if you ask specifically. Policy coordination between Cyber and E&O, Social Engineering coverage under Crime, and AI risk coverage are all areas where endorsements may be available. Don't assume an exclusion is fixed. Confirm it in writing.

How do I know if my policies coordinate properly?

Ask your broker directly. Request a coverage review that addresses how your E&O and Cyber policies interact, whether each policy has "other insurance" language that could create a gap, and whether your limits are appropriate given your largest client contract sizes. A startup-focused broker can spot coordination issues that a general commercial broker might miss.

Vouch Specialty Insurance Services, LLC (CA License #6004944) is a licensed insurance producer in states where it conducts business. A complete list of state licenses is available at vouch.us/legal/licenses. Insurance products are underwritten by various insurance carriers, not by Vouch. This material is for informational purposes only and does not create a binding contract or alter policy terms. Coverage availability, terms, and conditions vary by state and are subject to underwriting review and approval.