Umbrella vs. excess. The two terms get used together, but they are not the same, and the difference matters more for a software company than for almost any other kind of business.

An umbrella policy sits on top of several underlying policies, usually general liability, commercial auto, and employer’s liability, and adds a single higher limit across them. It can also fill a few small gaps the underlying policies leave.

An excess policy adds limit to one specific underlying policy and usually “follows form,” meaning it copies that policy’s terms and conditions exactly. Excess is how you raise the ceiling on your specialty coverages like Cyber, Tech E&O, and D&O.

Here is the part that catches founders by surprise: a standard umbrella does not sit over Tech E&O, Cyber, D&O, or EPLI. Those policies hold your biggest exposures as a software company, and if a contract requires $5 million of Cyber coverage, the umbrella does nothing for it. You raise the Cyber limit through excess Cyber. This is the most expensive misunderstanding we see: a founder buys a generic small-business umbrella and assumes it covers everything.

Alliance Risk writes both umbrella and standalone excess through our umbrella and excess liability insurance program, and we pick the structure that matches what your contracts actually demand.

How limits stack: the tower

Think of each line of coverage as its own tower. The bottom floor is the primary policy. Excess or umbrella layers sit on top and add limit. You can stack layers from different carriers to build whatever height a contract demands, and you can build several towers in parallel, one per line of coverage.

A simple general liability tower for a $5 million contract requirement looks like this:

Layer | Limit | Role
Primary general liability | $1M | Pays first, dollar one
Umbrella / excess layer | $4M | Sits above the primary and extends the limit
Total available | $5M | Meets the contract requirement

A $5 million Cyber requirement is a separate tower:

Layer | Limit | Role
Primary Cyber | $2M | Pays first for breach, ransomware, etc.
Excess Cyber | $3M | Sits above the primary on Cyber only
Total available | $5M | Meets the contract requirement

For most tech companies signing enterprise contracts, you build three towers at once: general liability (the umbrella does this), Tech E&O (excess only), and Cyber (excess only). A specialist broker reads the contract and tells you which limit each requirement actually hits.

Why enterprise contracts demand $5M and up

Large companies are managing risk across hundreds of vendors. When they bring you into their stack, they take on your risk too. The insurance limits in their vendor agreement make sure that if something goes wrong, there is enough coverage to make them whole without draining your company or their own policies.

The first draft is often higher than the final number. We have seen procurement teams open at $20 million and settle at $5 million for an earlier-stage vendor. The limits are frequently negotiable, especially when you can show a clean risk profile, SOC 2 attestation, and a credible incident-response posture. Our guide to meeting enterprise insurance requirements covers that negotiation in depth.

A deal scenario

A 60-person Series A SaaS company lands a deal worth $1.4 million a year with a major retailer. The vendor agreement demands:

  • $5 million umbrella over general liability and auto
  • $5 million Tech E&O
  • $5 million Cyber, with an explicit $1 million minimum sublimit for fraudulent funds transfer
  • Additional insured and waiver of subrogation on the GL and umbrella

The company carries $1 million GL, $2 million Tech E&O, and $2 million Cyber with a $250,000 fraudulent-funds-transfer sublimit. Their broker builds three things in parallel: a $4 million umbrella over GL, $3 million of excess Tech E&O following form, and a $3 million excess Cyber tower with a dedicated layer addressing the funds-transfer sublimit. Two days later the certificate of insurance is on the procurement officer’s desk. The added premium is a fraction of the deal’s first-year revenue.

The contract closes on time. That is the entire job of excess liability: turning a procurement roadblock into a line item.

How to size your towers to a contract

Read the contract’s insurance section line by line, because it tells you exactly what to build. For each required limit, identify four things:

  • The required total limit (for example, $5 million)
  • Which underlying policy the requirement attaches to (GL, Cyber, Tech E&O, and so on)
  • Any required endorsements (additional insured, waiver of subrogation, primary and non-contributory)
  • Any sublimit floors (especially on Cyber for funds-transfer fraud, ransomware, or regulatory costs)

Then build each tower to the highest requirement you see across all of your enterprise customers, because one tower per line usually serves your entire pipeline. It is cheaper to carry one higher set of towers than to re-paper coverage for every new deal.

What umbrella sits over, and what it does not

A standard umbrella sits over general liability, commercial auto, and employer’s liability. It does not extend your Cyber, Tech E&O, D&O, or EPLI limits. Here is how each contract requirement maps to the policy you actually raise.

Requirement in the contract | Which policy you raise
$5M umbrella / excess (over GL) | Umbrella or excess layer
$5M general liability | Primary GL plus umbrella
$5M Cyber liability | Excess Cyber, following form
$5M Tech E&O / professional | Excess Tech E&O, following form
$5M D&O | Excess D&O, following form
$5M EPLI | Excess EPLI, following form

For a software company, the biggest claims almost always live in Tech E&O and Cyber, not general liability. A buggy release that costs a customer money, a breach that triggers notification across millions of records, a ransomware event that halts your platform: these are six- and seven-figure events the umbrella will not touch. If a contract wants $5 million of Cyber or professional coverage, the excess on those lines is what closes the deal.

Excess for sublimits: the Cyber funds-transfer problem

A less obvious but practically important use of excess is raising a sublimit inside a single policy. This comes up most on Cyber.

A typical Cyber policy might carry a $3 million aggregate limit but include a sublimit of $250,000 for fraudulent funds transfer, also called business email compromise or social engineering fraud. Funds-transfer fraud is the most common cyber event for early-stage tech companies, and a single successful wire-fraud incident often runs well past $250,000. When it does, the rest of your $3 million Cyber limit is irrelevant. The sublimit governs.

Excess can be structured to sit above that sublimit, adding funds-transfer protection without necessarily raising the overall policy limit. This takes careful coordination between the primary and excess carriers, but it is one of the more valuable tools available to a software company that wires meaningful sums for clients or itself. Ask your broker two questions directly: what is my funds-transfer sublimit, and does it make sense to buy excess over just that sublimit rather than the whole policy?

Why not just increase the primary limit?

Founders sometimes ask why they cannot simply have their primary carrier raise the limit. They can ask. The carrier will not always say yes, and even when it does, excess is usually the better deal.

Primary insurers have their own appetite and capacity ceilings. They are often wary of writing very high limits on smaller accounts, where they carry every dollar of loss from the first. Excess carriers attach higher up and price accordingly. Because the excess layer pays only after the primary is fully exhausted, the premium per dollar of limit drops sharply at each layer. For most tech companies, a tower built with one or two excess carriers costs materially less than buying the same total limit from the primary.

What it costs

Excess and umbrella coverage is one of the better values in your program. For a low-hazard tech or software company, the first $5 million of GL umbrella often runs in the low four figures a year. Excess on specialty lines costs more per dollar of limit, because the underlying exposure is higher, but it stays modest compared with the contracts it unlocks.

Tower | Company profile | Indicative annual premium
$5M GL umbrella | Low-hazard SaaS | $2,500 – $7,500
$10M GL umbrella (two layers) | Same, second layer added | $6,000 – $15,000
$5M Cyber ($3M excess over $2M primary) | Series A/B SaaS, SOC 2 | $8,000 – $20,000 for the excess layer
$5M Tech E&O ($3M excess) | Series A/B SaaS, no large recent claims | $6,000 – $18,000 for the excess layer

Pricing varies with revenue, headcount, data sensitivity, claims history, and the underlying policies you carry. A clean record and strong security controls move the number meaningfully.

How the primary and excess policies interact

A few mechanics are worth understanding before you bind excess coverage.

Following form. Excess policies on specialty lines almost always follow form, meaning they pick up the same definitions, exclusions, and conditions as the primary policy. If your primary has a narrow definition of covered services, the excess inherits it. The right place to broaden coverage is the primary layer, not the excess.

Maintaining the underlying. The excess policy names the underlying policy by carrier, policy number, and limit. If the primary lapses, is cancelled, or changes materially, the excess may not respond as intended. Renew on time, and tell your broker before you switch primary carriers.

Separate underwriting. The excess carrier runs its own underwriting review. It is not automatic capacity from the same insurer, and different excess markets take different views on the same risk. A good broker shops the excess layer as carefully as the primary.

Defense within limits. Most specialty policies, especially Tech E&O and Cyber, are written on a “defense within limits” basis: the cost of defending a claim reduces the limit available to pay a judgment or settlement. In a long dispute, defense costs alone can erode the primary limit before any resolution. The excess usually follows the same structure. This is one of the strongest arguments for buying more limit than your contract minimum, because defense erodes the cushion fast.

How to place it fast

Enterprise deals move faster than insurance usually does. To move quickly, send your broker the vendor agreement’s insurance section, your current policy declarations across every line, and the signing deadline. With those three items, an experienced tech-focused broker can build the towers and issue a certificate of insurance within a day or two.

The startups that clear procurement smoothly treat the limit requirement as a known step, not a surprise. Build the towers once, and the next enterprise contract becomes routine.

This coverage pairs with the broader insurance roadmap for tech and AI startups and the enterprise contract playbook.

Additional insured and the endorsements buyers demand

Higher limits are only half the job. Enterprise contracts almost always demand specific endorsements, and a certificate without them gets bounced.

Additional insured status extends your coverage to the customer for claims tied to your work. Waiver of subrogation means your insurer agrees not to pursue the customer to recover a payout. Primary and non-contributory language says your policy pays first, before the customer’s own coverage. These three appear in most large vendor agreements. On the GL and umbrella tower they are routine. On specialty lines like Cyber and Tech E&O they are negotiated case by case, and carriers vary widely in what they will agree to.

The mistake founders make is buying the limit and forgetting the endorsements. The certificate then lists $5 million but omits additional insured status, and procurement sends it back two days before signing. Read the contract’s insurance section in full, list every endorsement it names against the policy it attaches to, and have your broker build them in from the start. Getting the paperwork right the first time is the difference between closing on schedule and missing the deadline.

Frequently asked questions

What is the difference between umbrella and excess liability for a tech company?

An umbrella sits over general liability, auto, and employer’s liability and adds breadth in places. An excess policy adds limit to one underlying policy and follows its terms. For a software company, the umbrella handles your GL tower, and excess handles your Tech E&O, Cyber, D&O, and EPLI towers. You usually need both.

Does an umbrella raise my Cyber or Tech E&O limits?

No. Standard umbrellas sit over GL, auto, and employer’s liability only. To raise Cyber or Tech E&O limits, you buy excess Cyber and excess Tech E&O directly, following the form of those policies.

My contract wants $5 million of Cyber but my policy has a $250,000 sublimit for wire fraud. Will excess Cyber fix that?

Sometimes, but not automatically. A standard excess Cyber policy raises the aggregate limit, not necessarily the funds-transfer sublimit. To raise that sublimit specifically, your broker may need to structure an excess layer that carves out additional funds-transfer capacity, or move you to a primary carrier with a higher built-in sublimit. Ask before you sign.

Why not just ask my primary carrier to raise the limit?

Primary carriers have capacity and appetite ceilings, and the price per dollar of limit at the primary layer is usually higher than at the excess. Excess markets sit at a higher attachment point and price accordingly, often making excess the cheaper way to reach a required total.

A contract wants $5 million but my deal is only worth $200,000. Can I negotiate?

Often yes. First drafts frequently open high. A clean risk profile, SOC 2 attestation, and a clear explanation of your data and revenue exposure can bring the number down, though some endorsements are non-negotiable.

How fast can I get excess in place for a deal?

With your underlying declarations across every line and the contract’s insurance section, a tech-focused broker can usually bind the towers and issue a certificate within one to two days.

Should I buy to my biggest customer’s requirement or my smallest?

Buy to the biggest. One higher set of towers serves all your customers and costs less than re-papering coverage for every new deal.

What is “defense within limits” and why does it matter?

Most specialty policies pay defense costs out of the same limit they pay settlements and judgments. Defense in a contested case can run six figures quickly, and a $1 million policy can be half spent on defense before settlement talks even start. This is one of the strongest reasons to carry more limit than the contract minimum.

Can I cancel the excess after the contract ends?

You can, but most growing tech companies keep it, because the next enterprise customer asks for the same limits. Carrying it continuously also costs less than buying and canceling each time.

Staring at a $5 million requirement with a deadline?

Talk to an Alliance Risk advisor. Send us the insurance clause and your current declarations, and we will build compliant towers across every line your contract touches.