Life SciencesLiability

Question

What cyber and technology E&O insurance does a medical device manufacturer need?

Short answer

A medical device manufacturer needs cyber liability for the data it holds (patient and clinical information, employee and payment data) plus first-party costs of a breach or ransomware event, and, once its devices are connected or it ships software, technology errors and omissions for failures of that software or connectivity. The device dimension is what makes this different from a generic manufacturer: a connected device or a software-as-a-medical-device product creates exposure that sits between traditional products liability and cyber, and the program has to be built so those two policies do not leave a gap between them.

The short answer

Every medical device manufacturer holds data worth protecting - clinical and patient information from trials or post-market surveillance, employee records, and payment and vendor data - so cyber liability is a baseline line covering breach response, notification, regulatory defense, and third-party liability. On top of that, most device makers now face a second exposure that a generic manufacturer does not: connected devices, remote monitoring, and software components. That pulls technology errors and omissions (tech E&O) into the picture, covering claims that the device software or connectivity failed to perform.

The program is built around three questions: what data do you hold, is your device connected or software-driven, and where does cyber stop and products liability start. Getting the boundary right between those policies is the part that goes wrong most often.

What cyber covers for a device manufacturer

Cyber liability has two halves. First-party covers your own costs after an incident: forensic investigation, breach notification to affected individuals and regulators, credit monitoring, legal counsel, public relations, ransomware negotiation and extortion payments where permissible, and business interruption if an attack halts operations or a connected-device platform. Third-party covers claims brought against you by others whose data was exposed, including regulatory investigations and fines where insurable.

For device makers that touch protected health information, HIPAA and state privacy laws drive the notification and regulatory exposure, so the breach-response side is rarely optional. Even a company that thinks of itself as a pure manufacturer usually holds enough PHI or personal data through trials, complaints handling, or a patient-facing app to need the coverage.

Why connected devices and SaMD change the exposure

A device that connects to a network, phones home for updates, or is itself software (software as a medical device, or SaMD) carries risk that a mechanical device does not. If the software fails, is exploited, or a connectivity outage disrupts monitoring, the resulting claim may allege a technology or professional failure rather than a manufacturing defect. Technology E&O responds to that failure-of-the-technology claim, and for a SaMD company it is often the primary line, not an add-on.

FDA now treats cybersecurity as part of device safety, with premarket expectations for a secure product design and a plan to monitor and patch vulnerabilities over the device life. That regulatory posture raises both the likelihood of a cyber-related claim and the standard a manufacturer is held to, which is one reason underwriters look closely at a device maker's security program.

Where cyber ends and products liability begins

The gap that catches device manufacturers is the seam between cyber and products liability. If a hacked or malfunctioning connected device causes bodily injury to a patient, that is a products or bodily-injury claim, and many cyber policies exclude bodily injury while many products policies exclude cyber-triggered events. A device maker can hold both policies and still find neither responds to a patient injury caused by a software exploit.

The fix is to review the exclusions in both policies together and, where available, secure affirmative coverage or a carve-back so a cyber-triggered bodily injury does not fall between them. This is a program-architecture question, not a limits question, and it is worth resolving before a connected product goes to market.

Typical limits and what drives them

Cyber limits for a small-to-midsize device manufacturer commonly run $1M to $5M, scaling with the volume of records held, revenue, whether devices are connected, and any hospital or GPO contract that specifies a cyber limit. Technology E&O for a SaMD or connected-device company is frequently written alongside cyber, sometimes in a combined tech E&O and cyber form. Premium is driven far more by security controls (multifactor authentication, endpoint detection, encryption, tested backups, network segmentation) than by size, so a small company with strong controls can price well.

Sponsor, hospital, and GPO contracts increasingly name a required cyber limit and data-handling terms, so the right number is often set by the largest contract rather than by the company's own risk tolerance.

Primary sources

Sources and references

This answer draws on the following regulatory, statutory, and standards-body sources. Coverage availability and program structure also depend on carrier appetite and underwriter discretion not captured by these sources.

Related practice areas

Insurance clauses in this area

Related questions

Have a more specific question?

A specialist will reach out by the end of the day.

Request a free coverage review

Free coverage review

A specialist will reach out by the end of the day.

Request the review

A specialist will reach out by the end of the day.