Tech E&O vs Products Liability for SaMD

Why SaMD sits across two coverage lines, where Tech E&O and Products Liability overlap, where gaps form, and how to structure the program to close them.

10 min read · Digital Health · Medical Devices · May 13, 2026

Software as a Medical Device (SaMD) is the single product category that sits across two structurally distinct coverage lines and creates the most consistent coverage debate in life sciences placements. Tech E&O is built for software companies. Products liability is built for medical device manufacturers. SaMD is both. The question of which policy responds to a given claim depends on the claim type, the wording of each policy, the FDA classification of the software, and the operational architecture of the product. A connected monitoring device sharpens this, since a remote patient monitoring company is a device, a clinical tool, and a data holder at once.

For a SaMD company, the question is not “Tech E&O or Products Liability.” It is “how do these two lines coordinate, and where between them does an exposure sit uncovered.” Most SaMD programs carry both. Before mapping these lines, settle the more basic mix-up between malpractice and professional liability for a device company. The structural gaps form in three places: bodily injury arising from software function failure, AI/ML model drift after deployment, and the cyber-rooted device incidents that Section 524B brought into active policy consideration.

This article walks through what each line was built to cover, where the two overlap, where gaps form, the wording dimensions that matter for SaMD specifically, and the structural decisions a SaMD company should make at the placement level to close the gaps.

What Each Line Was Built to Cover

The two coverages emerged from different commercial origins and respond to different injury categories.

Tech E&O was built for technology services and software companies. The standard trigger is financial loss to a third party arising from the failure of the insured’s technology product or service to perform as represented. The injuries it contemplates are economic: lost revenue, lost data, cost to restore systems, business interruption flowing from a software defect. The form typically includes media liability and intellectual property defense components.

Most legacy Tech E&O forms include either a bodily injury exclusion or a narrow BI grant subject to strict sub-limits. The exclusion makes sense for traditional SaaS, where software failure produces financial harm rather than physical injury. The exclusion fails for SaMD, where software failure can produce direct patient harm.

Products Liability was built for tangible product manufacturers. The standard trigger is third-party bodily injury or property damage arising from a defect in the manufacturer’s product. The wording contemplates manufacturing defect, design defect, and failure to warn. Standard medical device products forms incorporate the regulatory framework (FDA classification, QMSR, post-market surveillance) into the underwriting.

The historical question was whether pure software, with no tangible product, qualifies as “product” for products liability purposes. The legal answer varied by jurisdiction. The practical answer in insurance markets has shifted as SaMD has become a recognized FDA device category. Modern medical device products forms increasingly contemplate software-only products. Legacy forms may not.

Where the Two Overlap

The overlap is real and intentional. Several claim types could attach to either line, and the policies should not duplicate the response.

Defective output causing financial harm without bodily injury. A SaMD diagnostic that produces a wrong output, where the downstream clinical decision does not produce physical harm, is closer to a Tech E&O claim. The injury is the cost of the redundant testing, the diagnostic delay, or the financial consequences of the wrong path. Either line could conceivably respond depending on wording. Coordination matters.

Defective output causing direct bodily injury. A SaMD therapy-driving software that produces a wrong dose, a wrong stimulation parameter, or a wrong therapeutic decision that injures a patient is closer to a products liability claim. The injury is physical harm flowing from the device’s performance. Most modern programs route this through products.

Service performance failures. Where the SaMD includes a service component (cloud-hosted analysis, ongoing model updates, clinical decision support) and the service fails, the boundary between product defect and service failure becomes wording-dependent. Tech E&O typically responds to service performance failure; products liability typically does not.

Reputational harm and regulatory consequences. Both lines may carry sub-limits for regulatory defense and breach response. The wording on which trigger applies and how the sub-limits coordinate is the active question.

Where Gaps Form

The structural gaps are predictable and surface at claim if not addressed at placement.

Bodily injury from a Tech E&O placement without products coverage. A SaMD company with only Tech E&O and a bodily injury exclusion on the form has no coverage when patient harm flows from the software. This is the largest single structural gap in SaMD programs and the most common.

Pure economic loss claims under products coverage. Products liability typically requires bodily injury or property damage. Pure economic loss claims (financial harm without physical injury) are not covered. A SaMD company relying only on products liability and skipping Tech E&O has no coverage for the diagnostic-delay or financial-consequence claim category.

AI/ML model drift after deployment. Where the software’s behavior changes after deployment through model retraining or PCCP-authorized updates, the question of which policy period responds to a claim arising from post-deployment behavior is wording-specific. Some products policies tie the trigger to the time of injury; some Tech E&O forms tie it to the time the service was rendered. Continuous coverage across both lines is essential, and retroactive dates matter. That post-deployment behavior question is the crux of whether your product liability policy follows an AI device through its post-market changes.

Section 524B cyber device incidents. Software vulnerabilities exploited in deployed devices produce a class of incidents that sit across products, Tech E&O, and cyber lines. The 524B premarket submission requirements (effective March 29, 2023) made cybersecurity a documented part of the FDA submission. The post-market exposure is now an active products-cyber-Tech E&O boundary question.

Regulatory defense coverage. FDA inspection follow-up, 483 responses, and any post-market correction actions can attract defense costs. Whether these sit under products, Tech E&O, or D&O is wording-specific and the answer should be settled at placement.

International coverage. A SaMD company with EU customers also has EU MDR obligations and EU-jurisdiction exposure. The geographic scope of both Tech E&O and products policies should be reviewed against the company’s actual customer footprint.

Wording Dimensions That Matter for SaMD

Several wording dimensions sit at the center of the SaMD coverage placement.

Bodily injury grant or exclusion on Tech E&O. Whether the Tech E&O form includes bodily injury coverage, excludes it, or grants it subject to sub-limits is the first question. For SaMD, an explicit BI grant on the Tech E&O coordinated with the products policy produces the cleanest structure.

Products liability response to software-only claims. The products policy should explicitly contemplate software as covered product. Forms written for tangible-product manufacturers can leave the SaMD response in policy-interpretation territory.

AI/ML retraining language. Forms that anticipate model retraining, PCCP-authorized modifications, and continuous learning systems address the post-deployment behavior question directly. Forms written before the PCCP framework took shape may not.

Cyber device coverage. Section 524B compliance and post-market vulnerability response should be addressed through the cyber line, with coordination back to products and Tech E&O for any bodily injury or economic loss flowing from a cyber-rooted incident. Three-line coordination is the structural reality.

Subrogation against third-party model providers and infrastructure. Where the SaMD relies on third-party foundation models, cloud infrastructure, or upstream data sources, the question of subrogation rights and the AI grants on those vendors’ policies affects how losses are ultimately allocated.

Retroactive date alignment. Tech E&O is typically claims-made; products liability is typically occurrence-based. Aligning the retroactive date on the Tech E&O with the operational history of the software, and ensuring continuous products coverage, is essential. A coverage gap during the early commercialization period is hard to repair years later.

How Indication and Class Affect the Structure

The SaMD’s FDA classification and indication shape the relative weight of the two lines.

Class II SaMD with diagnostic function. Most CADe and CADx products sit here. The exposure profile leans toward false negative / false positive consequences. Both Tech E&O and products are required. The placement balance depends on whether the company has direct patient relationships or operates through provider intermediaries.

Class II SaMD with treatment-decision-support function. Software that supports dose calculation, parameter selection, or treatment protocol guidance carries higher bodily injury exposure. The products line carries more weight in the program structure.

Class III SaMD with therapy-driving function. Closed-loop therapy software, autonomous treatment delivery, and software that directly drives therapeutic intervention carry the highest products liability exposure. The placement is structurally closer to a Class III physical device than to a SaaS placement.

Wellness and clinical-decision-support software outside FDA classification. Where the software is not FDA-regulated (general wellness, low-risk CDS) the case for a Tech E&O-centric program is stronger, with products liability sized to the residual ambiguity in classification. The classification status itself can shift over time as FDA guidance evolves; placements should be revisited when the classification posture changes. The same classification ambiguity is acute for a digital pathology platform, which is software, device, and clinical service at the same time.

How HIPAA and Cyber Exposure Layer On

Most SaMD products process PHI. The HIPAA and cyber exposure is a third line that coordinates with Tech E&O and products. The wording question is which line responds to a given event:

  • A cyber incident that breaches PHI without a clinical safety implication routes through the cyber line.
  • A cyber incident that compromises device function and produces bodily injury routes through products with cyber-driven response components.
  • A cyber incident that produces financial loss without bodily injury and without PHI breach routes through Tech E&O.

The three-line coordination requires the three policies’ wordings to be reviewed together. Sub-limit and exclusion language in any one of the three can leave a category of claim uncovered if the other two do not pick it up.

What SaMD Companies Most Often Get Wrong

Buying Tech E&O without products coverage. The most common structural error. A Tech E&O-only program with a bodily injury exclusion has no response to patient-harm claims. Class II and III SaMD require both lines, and the bodily injury exclusion should be addressed directly.

Assuming the legacy products form responds to software. Older medical device products forms were written for tangible products. The implicit expectation that “product” includes software may not hold under tight wording review. SaMD-specific endorsements or modern forms that explicitly contemplate software products are the cleaner placement.

Treating model retraining as an operational matter outside the insurance conversation. Each retraining cycle is a change to the product’s behavior. PCCP-authorized modifications are the regulator-accepted form of this. The insurance program should be aware of the retraining cadence, and the policy wording should accommodate it.

Skipping cyber on the assumption that Tech E&O covers data exposure. Tech E&O forms vary widely on cyber response. The placement should have explicit cyber coverage rather than relying on Tech E&O cyber sub-limits.

Underinsuring during pre-revenue clinical validation. Pre-launch SaMD companies with active validation studies but no commercial revenue often defer products liability under the assumption that exposure is limited. Clinical validation produces patient interaction, and patient interaction produces exposure. The pre-commercial program should anticipate the post-commercial structure rather than being assembled emergency-style at FDA clearance. For venture-backed SaMD companies specifically, the Series A diligence framing walks through how investor counsel reads the program against the regulatory profile.

A Note on Placement

MedTech Coverage works with SaMD companies on programs structured around FDA classification, indication, PCCP posture, and the three-line coordination of products, Tech E&O, and cyber. Coverage is placed through Tower Street Insurance’s appointments with the specialty markets that underwrite SaMD across both the life sciences and the technology insurance segments.

If a SaMD placement is being assembled for a first commercialization, restructured around an AI/ML retraining program or a PCCP-authorized modification, or evaluated against a Section 524B cyber device assessment, a structured coverage review produces a working document calibrated to the device’s classification, indication, software architecture, and the boundaries between the three coverage lines that respond.
