
What Insurance Does an FDA-Regulated SaMD Company Need?

How SaMD sits at the intersection of medical device regulation, software development, and PHI exposure, and why generic SaaS coverage fails it.

11 min read · Digital Health · Medical Devices · May 12, 2026


Software as a Medical Device sits at the intersection of three regulated domains that rarely overlap in any other industry: medical device law, software development, and protected health information. Each domain has its own underwriting expectations, claim patterns, and carrier appetite. The combination is what makes SaMD the most demanding placement in digital health, and the segment where the gap between a generalist tech insurance program and a properly structured one is widest.

This article walks through why SaMD is regulatory-complex, the four core coverage areas, the underwriting factors specialty markets evaluate, the structural mistakes founders make, the role of the Predetermined Change Control Plan (PCCP) framework, and what placement complexity in this segment looks like.

Why SaMD Is Regulatory-Complex

SaMD is software intended to be used for one or more medical purposes, and that performs those purposes without being part of a hardware medical device. The FDA classifies SaMD as Class I, Class II, or Class III based on the risk to patients posed by the software’s intended use, the seriousness of the condition it addresses, and the criticality of the information it provides to clinical decision making.

The classification framework is familiar to medical device operators. What is less familiar is the software dimension that sits underneath it. A SaMD company is simultaneously a medical device manufacturer subject to 21 CFR Part 820 (now QMSR), a software development organization with the iteration cadence and architecture of a tech company, and (where the product touches patient data) a HIPAA-regulated entity or Business Associate.

The QMSR took effect February 2, 2026, incorporating ISO 13485:2016 by reference and replacing the prior Quality System Regulation. For SaMD companies, this raised the documentation bar on design controls, validation, post-market surveillance, and supplier management. FDA also adopted Compliance Program 7382.850 for inspections, which changes the expected audit profile.

Most generalist brokers struggle with SaMD because the placement requires both medical device underwriting depth and tech industry coverage fluency. A tech-focused broker can find limits but often misses the products liability dimension, FDA reporting obligations that affect claim notice, and the regulatory defense coverage triggers. A medical device broker without software exposure underwrites the device-side risk but misses cloud security, BAA flow-down, and continuous-deployment risk patterns. The placement needs both.

The Four Core Coverage Areas

Products Liability for SaMD

Products liability is the coverage line most often misunderstood in SaMD placements. Software that functions as a medical device is a product under product liability doctrine. Bodily injury or property damage arising from the software’s design, performance, or output can give rise to a products claim. The fact that the product is intangible does not change the analysis.

The duty to warn applies. SaMD products carry instructions for use, intended use statements, contraindications, and limitations. Failure to communicate known risks of the software’s clinical use, including the limits of its intended population and its known failure modes, can support a failure-to-warn theory in the event of an adverse outcome.

Adverse event reporting obligations under 21 CFR Part 803 apply to SaMD manufacturers. A reportable event includes death, serious injury, or malfunction that would likely cause or contribute to death or serious injury if the malfunction were to recur. Manufacturers have 30 calendar days from awareness to submit the report, compressed to 5 calendar days when remedial action is required to prevent unreasonable risk of substantial harm. Post-market surveillance under QMSR formalizes the systems for trending complaints by software version, failure mode, and indication, and the records produced through that surveillance are discoverable in litigation.

Limits scale with patient population reach, the severity of the condition the software addresses, and the Class designation of the cleared product. A Class II SaMD providing clinical decision support to a narrow specialty population is underwritten differently than a Class II SaMD intended for broad population screening. Indication risk is the single largest driver.

Tech E&O and SaMD-Specific Considerations

Tech E&O covers software failures, integration issues, output errors, and service delivery problems that cause financial loss to clients or end users. For SaMD, Tech E&O is necessary but not sufficient. Products liability addresses bodily injury arising from the software. Tech E&O addresses economic loss arising from software failure. Many claims fall in the seam between them.

A clinical decision support tool with an incorrect output is a products claim if a clinician relies on it and a patient is harmed. The same incorrect output is a Tech E&O claim if it causes operational disruption, financial loss to the health system, or breach of service-level commitments. The two policies need to be coordinated with consistent definitions, compatible exclusions, and a clear claim-handling pathway when a single event triggers both.

AI/ML decision support adds explainability exposure. When a model output is challenged, the defense often turns on whether the company can demonstrate how the model was trained, validated, and monitored. Inadequate model documentation increases litigation cost and shifts how Tech E&O carriers underwrite the placement.

Continuous learning algorithms operating outside an approved PCCP create complications. If production model behavior differs materially from what was approved at clearance, both products liability and Tech E&O carriers may treat the change as a material increase in risk.

Cyber for SaMD

Section 524B of the Food, Drug, and Cosmetic Act, added by the Consolidated Appropriations Act of 2023 and effective March 29, 2023, defines a cyber device as one that contains software, has the ability to connect to the internet or other networks, and carries cybersecurity risk. SaMD is captured. The section requires manufacturers to submit a cybersecurity management plan, monitor for and address postmarket vulnerabilities through coordinated disclosure, and provide a software bill of materials at submission.

FDA postmarket guidance treats critical uncontrolled vulnerabilities as requiring patches within 60 days. The cyber policy needs to cover not just the breach event but the regulatory defense and remediation costs associated with vulnerability disclosure obligations, FDA notice, and the operational disruption of pushing a security patch to a fielded medical device.

HIPAA exposure runs parallel where the SaMD touches PHI. The 2026 Security Rule updates introduced mandatory multi-factor authentication, network segmentation, encryption of ePHI at rest and in transit, and 72-hour breach notification to OCR. OCR’s enforcement priority in 2025-2026 has centered on the Risk Analysis Initiative and Business Associate scrutiny. SaMD operating as a Business Associate to one or more covered entities needs cyber coverage calibrated to BAA contractual liability, not just direct PHI exposure.

Cloud security expectations track SOC 2 Type II at a minimum. Specialty markets writing cyber for SaMD frequently ask for SOC 2 attestation, penetration test reports, and evidence of segmentation between PHI-bearing systems and the broader development environment. Cyber controls function as a precondition to limit availability, not as a discount mechanism.

D&O for SaMD Companies

SaMD D&O sits at the intersection of medical device regulatory risk and tech company securities risk. FDA enforcement actions, warning letters, and adverse inspection outcomes feed into the regulatory defense and entity coverage D&O provides. Inadequate disclosure of clinical evidence, premature claims about product performance, or material omissions related to regulatory status can give rise to securities claims if the company has raised institutional capital.

Venture-backed SaMD companies face the same investor diligence patterns as other digital health placements. The board member placed by the lead investor requires Side A coverage. Securities risk under Side C scales with round size, disclosure profile, and forward-looking claims about clearance timelines or commercial readiness. Underwriting questions focus on FDA correspondence history, pivot history, founder backgrounds, and whether the company has ever received a Warning Letter, 483, or similar adverse action.

D&O coverage at the SaMD stage scales with funding round size, board composition, and the depth of FDA-regulated history the company carries.

SaMD-Specific Underwriting Factors

Specialty underwriters evaluate six dimensions before quoting SaMD coverage.

FDA classification and clearance status. Pre-submission, post-submission, cleared, and on the market are four meaningfully different underwriting profiles. The same SaMD looks different to a carrier at each phase.

Patient population and indication. Broad indications and large populations drive higher limits and more conservative excess structures. Narrow indications in specialty populations sit better with the market.

AI/ML usage and PCCP framework. The presence or absence of a PCCP, the rigor of the change control documentation, and the company’s monitoring posture for model drift directly affect Tech E&O and products liability underwriting.

Cybersecurity controls. Underwriters look at SOC 2 Type II attestation, SBOM maintenance, the vulnerability management program, the coordinated disclosure process, and adherence to Section 524B postmarket obligations.

Quality management system maturity. Underwriters look at QMSR compliance, ISO 13485 documentation depth, post-market surveillance systems, and complaint handling.

Clinical evidence and post-market surveillance. The strength of the clinical validation supporting clearance, the rigor of the post-market data collection, and the discipline around reporting under 21 CFR Part 803.

These six dimensions are the substantive basis on which a specialty market decides whether to write the placement at all, and at what structure.

Common SaMD Founder Mistakes

Several patterns recur in SaMD program reviews.

Treating SaMD as a SaaS product for insurance. The most common structural error. A SaaS-shaped insurance program addresses Tech E&O and cyber but rarely products liability, and the products liability exposure for SaMD is the dominant severity risk.

Inadequate cyber for the PHI volume actually under management. Bundled startup cyber sized for a typical B2B SaaS does not address the BAA flow-down obligations or the 524B postmarket reporting exposure inherent in an FDA-cleared cyber device.

Missing the products liability piece because software does not feel like a product. Founders often skip the line item because the product is intangible. The case law on software products liability has matured enough that this gap is no longer defensible at diligence.

Insufficient documentation of clinical evidence and validation. When a claim arises, the defense lives or dies on the documentation. Carriers price the placement based on what the company can show, not what it says it has done.

Continuous learning algorithms without PCCP rigor. A model that updates in production outside an approved PCCP can be treated as a new device by regulators and as an uncovered change by carriers. Either treatment is an avoidable problem.

Inadequate AI explainability for liability defense. When the model output is challenged, the company needs to demonstrate training data, validation methodology, and monitoring approach. Companies that cannot produce this on demand face longer claim cycles and higher defense costs.

The PCCP Framework

The Predetermined Change Control Plan is a marketing submission mechanism that lets manufacturers of AI-enabled SaMD pre-authorize planned software changes without a new submission for each iteration. FDA finalized the framework in December 2024, expanding scope from the prior machine-learning draft to all AI-enabled device software functions.

A PCCP describes planned modifications, the methodology used to develop and validate them, and an assessment of their impact. It is reviewed and authorized as part of the marketing submission. Modifications consistent with the PCCP can then be implemented without a new submission.

For SaMD companies relying on iterative model improvement, the PCCP is the only viable regulatory path that aligns with continuous deployment practice. Without it, every material model change is a potential new submission.

For insurance underwriting, the PCCP carries weight in three ways. Its existence signals regulatory discipline that specialty markets read positively. Its scope defines the boundary of changes the company can make without triggering an underwriting review or coverage question. The rigor of post-market monitoring under the PCCP affects products liability defense posture if a claim arises from model behavior. Companies pursuing AI/ML-enabled SaMD without a PCCP should expect both regulatory and insurance pathways to treat them more conservatively.

The Placement Complexity for SaMD

SaMD requires specialty appointments on both the medical device and the technology sides. Carriers writing products liability for life sciences are not the same carriers writing Tech E&O for SaaS. The cyber market that underwrites HIPAA-regulated digital health does not always write the postmarket regulatory exposure that Section 524B introduces. A coherent program coordinates appointments across these tracks so the coverage stack works as one rather than four disconnected policies.

The pre-binding underwriting conversation matters more in SaMD than in almost any other digital health segment. A carrier writing SaMD products liability typically wants to see the 510(k) summary or De Novo decision, the indication, the patient population, the post-market surveillance system, and the PCCP if applicable before binding. This is not a transactional placement.

What companies should look for in a specialty broker for SaMD: medical device underwriting fluency, working appointments with the specialty life sciences markets, technology-segment cyber and Tech E&O appointments, experience with PCCP-bearing AI/ML SaMD submissions, and a placement workflow that begins with risk profile review rather than premium quoting.

A Note on Placement

MedTech Coverage works with SaMD companies on programs structured around FDA classification, PCCP framework, post-market surveillance, and HIPAA-regulated cyber exposure. Coverage is placed through Tower Street Insurance’s appointments with the specialty life sciences and technology markets that underwrite this segment.

If a SaMD placement is being assembled for the first time or an existing program is due for review against the 2026 regulatory baseline, a structured coverage review produces a working document calibrated to FDA classification, AI/ML usage, PCCP status, PHI exposure, and the company’s current stage.
