Class II Device Insurance Before Commercialization

The day a Class II device leaves the clinical trial protocol and enters commerce is the day the insurance program needs to be different. During clinical trials, exposures are bounded: protocol-defined patient populations, IRB oversight, defined subject counts, clinical trials liability addressing the regulated activity. After 510(k) clearance and first commercial sale, the exposure profile changes structurally. Products liability becomes the dominant coverage. Recall risk becomes real. Distribution and supply chain exposures emerge. FDA’s regulatory engagement shifts from pre-market review to post-market surveillance, with MDR reporting under 21 CFR Part 803, correction and removal obligations, and Early Alert Program visibility.

Most companies underestimate this transition. The clinical-trials-coverage program was sized for a regulated activity that ended at clearance. The commercial program is sized for an open-ended exposure that begins at first sale and continues for the operational life of every device sold.

This walks through the four coverage areas that matter at commercialization, the exposures companies most often underestimate, and how the program structure should change as the company scales from first sale through mature commercial operations.

The Four Coverage Areas at Commercialization

Products Liability

Products liability is the primary exposure once the device is in commerce. The coverage addresses bodily injury and property damage claims arising from the device, including manufacturing defects, design defects, and failure-to-warn allegations.

Underwriting at commercialization focuses on several specifics:

• 510(k) clearance status and the predicate device chain. Underwriters evaluate not just that a 510(k) was cleared but what the predicate history looks like, including any predicate that has been subject to recall or class action.
• Indications for use. The cleared indications matter; off-label exposure is a separate consideration.
• Patient population. A device cleared for adult use in low-acuity settings has a different exposure profile than one cleared for pediatric, ICU, or implanted use.
• Mode of action. Mechanical-only devices, devices with software components, and devices involving energy delivery each underwrite differently.
• Post-market surveillance plan. Underwriters increasingly want to see the company’s MDR reporting process, complaint handling system, and CAPA workflow before binding.

Primary limits for a Class II commercial launch scale with projected unit volume, indication risk, patient population reach, and the severity profile of the cleared indication. Excess layers stack accordingly. Implanted devices, devices with energy delivery, and devices used in high-acuity care typically carry meaningfully higher excess limits than diagnostic or monitoring devices.

The “duty to warn” exposure deserves specific attention. Products liability claims increasingly turn on whether the manufacturer’s IFU, training materials, and post-clearance communications adequately warned of risks identified during commercial use. This is partly a coverage question (does the policy explicitly cover failure-to-warn claims) and partly an operations question (is the company actually tracking emerging risk signals and updating warnings).

Recall Coverage

Recall coverage becomes relevant the moment the device is in commerce. Most commercialization-stage manufacturers either do not carry recall or carry inadequate sub-limits, often because they assume the products liability policy covers recall costs. It usually does not.

Distinctions matter. FDA-mandated recall (initiated by FDA enforcement action) is the highest-severity scenario but the least common. Voluntary recall (initiated by the company in coordination with FDA) is the standard pathway for most safety-related actions. Market withdrawal (removal without FDA notification for issues like product expiration or non-safety quality issues) is a separate category with its own coverage implications.

Standard recall coverage includes notification costs, retrieval costs, replacement or rework costs, business interruption from suspended sales, and brand rehabilitation. FDA’s Early Alert Program was expanded in 2025 to accelerate communication of high-risk recalls; the resulting real-time public visibility is what brand rehabilitation coverage is designed to address.

The most expensive recall exposure for a Class II manufacturer is rarely the unit retrieval itself. It is the business interruption while the issue is remediated and the lost market share if a competitor captures customers during the suspension.

Cyber and Tech E&O

Cyber and Tech E&O are coverage requirements for any device with software components, internet connectivity, or PHI exposure. The category was once a footnote in medical device insurance and is now central to commercial-stage underwriting.

Section 524B of the FD&C Act, effective March 29, 2023, requires manufacturers of “cyber devices” (devices with validated software, internet connectivity, and characteristics that could be vulnerable to cybersecurity threats) to submit a Security Risk Management Report, a machine-readable Software Bill of Materials, and a Secure Product Development Framework as part of the 510(k) submission. Post-clearance, manufacturers must maintain a Cybersecurity Management Plan with Coordinated Vulnerability Disclosure procedures and commit to making postmarket updates available.

FDA’s cybersecurity enforcement has been active. Cybersecurity-related AINN and MAJR deficiency letters have increased by roughly 700% since October 2023. The June 27, 2025 final guidance on cybersecurity premarket submissions adds explicit alignment with the QMSR (effective February 2, 2026), tying cybersecurity into the Quality Management System rather than treating it as a parallel program.

For commercial-stage manufacturers, the insurance program needs to cover both the third-party liability for cyber events (data breach, ransomware, exploitation of device vulnerabilities) and the Tech E&O exposure for software-driven device failure. Devices that interact with PHI require explicit HIPAA-aware coverage even when the manufacturer itself is not a covered entity, because BAA relationships with hospital customers create indemnification flow-through.

D&O at the Commercial Stage

D&O at commercial stage is a different exposure profile than D&O during clinical trials. As the company raises capital and forms a board, leadership takes on its own exposure, which is why a device company often needs D&O once it has investors.

Securities risk increases. Companies approaching Series C, secondary, or public exit carry meaningful Side C exposure for securities claims. The 510(k) clearance event itself often triggers material disclosure obligations that get litigated later.

Regulatory enforcement risk expands. FDA pre-market interactions give way to FDA post-market surveillance enforcement (MDR reporting compliance, correction and removal actions), FTC oversight of marketing claims and advertising, and CMS interactions for any reimbursement-related representations.

Personnel risk increases. Commercial-stage hiring scales sales reps, regulatory leads, and commercial leadership roles. The frequency of wrongful termination, discrimination, and harassment claims rises with headcount.

D&O policies underwritten for clinical-stage companies sometimes have exclusions or sub-limits that become problematic in commercial operations. Renewal at commercialization is the opportunity to renegotiate.

What Manufacturers Most Often Underestimate

Six exposures appear repeatedly in commercial-stage Class II program reviews.

Off-label use liability. Devices cleared for one indication are frequently used clinically for adjacent indications. Plaintiff theory holds the manufacturer accountable if marketing materials, sales rep conduct, or post-clearance communications encouraged the off-label use. Products liability coverage usually addresses this exposure, but the policy wording and the company’s marketing controls both need to be aligned.

Foreign distribution exposure. CE Mark requirements under EU MDR are different from FDA 510(k) requirements. A device cleared in the U.S. and distributed in Europe carries simultaneous exposure to both regulatory regimes and to plaintiff bar approaches that vary significantly by jurisdiction. The insurance program needs to contemplate worldwide territory or explicitly carve it out.

Sales agent and distributor liability. Manufacturers using 1099 sales reps, independent distributors, or international representatives carry vicarious exposure for the conduct of those parties. The agreements need indemnification language. The insurance program needs to either cover those parties as additional insureds or confirm they carry their own coverage at adequate limits.

Adverse event reporting failures. 21 CFR Part 803 requires reporting of device-related deaths, serious injuries, and certain malfunctions within defined timelines (30 days for routine reports, 5 days for events requiring remedial action). FDA’s 2025 warning letter activity continues to cite MDR reporting deficiencies as among the most common findings. Failure-to-report can trigger both corporate enforcement and individual executive enforcement, which means D&O coverage needs to contemplate the personnel responsible for reporting decisions.

Cybersecurity exposure for legacy devices. Devices designed and cleared before cybersecurity was a primary concern continue to operate in the field. Section 524B applies prospectively to cleared cyber devices, but legacy devices in commerce are exposed to vulnerabilities that may not have a patch path. The risk surfaces in cyber claims, FDA correction-and-removal pressure, and customer demand for updated devices.

Post-market surveillance gaps. Class II devices have MDR reporting obligations that most companies do not fully systematize. The QMSR (effective February 2, 2026) and the new Inspection Compliance Program 7382.850 emphasize risk-based inspection that evaluates actual post-market surveillance practices, not documented policy alone. The previous QSIT framework was withdrawn; FDA inspections now organize around six QMS Areas with explicit risk-management integration. Companies that have policies but not systematic execution are at higher risk than they were under the prior framework.

How Insurance Evolves as a Class II Manufacturer Scales

The program at first commercial sale should not be the program at year three of commercial operations. Four phases capture the typical evolution.

Pre-launch (after clearance, before first sale). Clinical trials coverage sunsets. Products liability becomes the primary coverage, sized for projected first-year unit volume and indication risk. Recall coverage enters the program. Cyber and Tech E&O scale to address commercial-stage software exposure. D&O is reviewed and renegotiated for commercial-stage exposure language. The clearance-day transition itself is detailed in what changes about your insurance at FDA clearance.

Initial launch (year 1). Commercial volume is modest but real. Distribution agreements and initial recall preparedness are operational priorities. The insurance program is tested against actual claim activity for the first time. Underwriters watch for first-year loss patterns that inform renewal pricing.

Scale (years 2 to 3). Distribution expands, often internationally. Each distribution agreement sets its own insurance terms, covered in what insurance you need before signing a distribution agreement for your device. Recall exposure grows with unit count in commerce. Cyber matures with connected device updates. D&O becomes more sophisticated, often with a separate management liability tower if institutional capital has entered. Excess capacity becomes a priority as primary limits get tested.

Mature commercial (year 3 and beyond). Full commercial program. Multiple excess layers on products liability. Standalone management liability program. Separate cyber and Tech E&O placements (combined forms become inadequate at scale). Distribution and supply chain coverage. Possible standalone FDA regulatory defense and reputation programs.

A Note on Placement

Generalist commercial brokers struggle with commercial-stage Class II medical device risk because the program requires depth: 510(k) regulatory knowledge, predicate device analysis, post-market surveillance familiarity, distribution structure analysis, and the specific cybersecurity and quality system requirements that have moved aggressively over the last three years.

Class II manufacturers benefit from pre-binding underwriting conversations rather than blind submissions. Underwriters at the specialty markets writing this segment want to understand the device, the indication, the patient population, the post-market surveillance plan, and the cybersecurity posture before quoting. Brokers without that segment depth often submit packages that come back with conditional terms or that bind on terms that do not match the actual operational reality of the company.

MedTech Coverage works with Class II medical device manufacturers on programs structured around 510(k) clearance status, post-market surveillance obligations, cybersecurity requirements under Section 524B and the 2026 QMSR transition, and distribution structures including international expansion. Coverage is placed through Tower Street Insurance’s appointments with the specialty markets writing this segment.

If a Class II manufacturer is approaching commercialization, expanding distribution, preparing for international launch, or facing a renewal that needs to reflect actual commercial-stage exposure, a structured coverage review identifies the gaps specific to clearance status, indication, and operational footprint.