Cyber + Errors & Omissions: Why California Agencies Require Both in One Policy
- TSM Insurance

- Jan 9
Updated: Jan 11
You have just received a Request for Proposal (RFP) from a California county or healthcare district. You scan the "Insurance Requirements" section, expecting the usual requests for General Liability and Workers' Compensation. But then you see it: a requirement for "Cyber Liability" that also explicitly demands coverage for "Errors and Omissions" (E&O), "professional negligence," or "technology services failure."
Even more confusing, the language seems to blur the lines. It talks about hackers in one sentence and software bugs in the next. It demands coverage for financial injury caused by your service failing, right alongside coverage for ransomware.
You might be asking yourself: Do I need two separate policies? Why are they lumping these together? And does my current policy cover any of this?
If you are a technology vendor, a healthcare provider, or a professional service firm in the Central Valley, this confusion is common. But for California government agencies, the logic is crystal clear. They view your digital risks and your professional performance risks as two sides of the same coin.
In this guide, we will explore exactly why California public agencies, from Modesto to Sacramento, are increasingly demanding that vendors carry cyber and E&O insurance bundled into a single, comprehensive policy. We will decode the RFP language, identify who is most at risk, and explain how to secure the right coverage to win the contract.
The Great Convergence: Why Cyber and E&O Are Now Inseparable
Historically, "Errors and Omissions" (Professional Liability) and "Cyber Liability" were distinct.
E&O was for when you made a mistake in your advice or service (e.g., an accountant filing a tax return late).
Cyber was for when a criminal hacked your system (e.g., a data breach).
However, in the modern digital economy, the line between "mistake" and "hack" has vanished.
Consider a software developer who creates a patient portal for a county behavioral health department. If the developer leaves a server unsecured due to bad coding (an error), and a hacker finds it and steals patient records (a cyber event), which policy pays?
The E&O carrier might say, "This is a cyber attack, go talk to your cyber insurer."
The Cyber carrier might say, "This was caused by professional negligence (bad coding), go talk to your E&O insurer."
This is the "finger-pointing" scenario that government legal teams dread. When a crisis happens, they do not want to watch two insurance companies fight over who is responsible while their citizens’ data is compromised.
By requiring that a government contract's E&O requirements be met within a bundled policy, agencies ensure there is no gap. They want one policy limit that covers the entire spectrum of failure, whether it stems from a malicious outsider or a negligent insider.
Decoding the RFP Language: What They Are Really Asking For
When you read through an RFP from a California municipality or healthcare district, you likely won't see simple terms like "Cyber" or "E&O." Instead, you will see complex clauses describing specific types of harm.
Here is a breakdown of the three most common phrases used in these contracts and what they actually mean for your insurance coverage.
1. "Product or Service Failure"
The Language: "Coverage for liabilities arising from product or service defect, performance failure, or delay in delivery."
The Meaning: This is pure Errors & Omissions. This is not about hackers stealing data. This is about you failing to do what you promised.
Scenario: You are an IT vendor hired to migrate a city's email system to the cloud over a weekend. You mess up the configuration, and the city's email is down for four days. No data is stolen, but the city cannot operate. The city sues you for the financial loss of productivity.
The Insurance Gap: A standalone Cyber policy (which focuses on data theft) would deny this claim. You need E&O coverage to protect against performance failure.
2. "Technology Errors"
The Language: "Coverage for technology-related injury caused by an act, error, or omission in the software code or hardware implementation."
The Meaning: This targets the root cause of many issues: your work product.
Scenario: You build a website for a water district that allows residents to pay bills. A bug in your code calculates the late fees incorrectly, overcharging 10,000 residents. The district faces a class-action lawsuit.
The Insurance Gap: Again, this is not a "hack." It is a professional mistake. Only a technology E&O policy would cover the legal defense and settlement costs for this coding error.
3. "Financial Injury" (The Bridge Between Cyber and E&O)
The Language: "Coverage for financial loss sustained by the Agency due to the Vendor’s failure to maintain network security."
The Meaning: This is where the two worlds collide. If your professional failure (E&O) allows a cyber attack (Cyber) that costs the government money, this clause triggers.
Scenario: You are a managed service provider (MSP) for a county library. You forget to install a critical security patch (Omission). Ransomware hits the library's network through that unpatched hole (Cyber). The library has to pay a ransom and hire forensics experts.
The Solution: A bundled policy treats this as a single event. It covers the professional negligence (failing to patch) and the resulting cyber damages (ransomware costs) without dispute.
Who Needs This Bundled Coverage Most?
While almost any government contractor needs General Liability, the requirement for bundled Cyber + E&O is strictly enforced for specific sectors. If you fall into one of these categories, you should assume this requirement is coming your way.
1. IT Vendors and Managed Service Providers (MSPs)
If you manage networks, install hardware, or provide help-desk support, you are the first line of defense. If you fail, the client's operations stop.
Risk: You accidentally delete a server backup while trying to restore a file.
Why You Need Both: This is a direct "Omission" that causes data loss. You need a policy that covers the cost to restore the data (Cyber) and the liability for the client's downtime (E&O).
2. SaaS Companies (Software as a Service)
If you provide a cloud-based platform—whether it's for dog licensing, parking tickets, or case management—you are holding the agency's data.
Risk: Your platform goes offline for 48 hours due to a DDoS attack.
Why You Need Both: The DDoS attack is a Cyber event. The inability of the agency to use the software they pay for is a Service Failure (E&O). A bundled policy covers the business interruption costs for the client.
3. Healthcare and Behavioral Health Providers
Agencies like "Integral Care" or county mental health departments outsource huge amounts of work to private therapists, clinics, and non-profits.
Risk: A case manager leaves a laptop with unencrypted patient records on a bus.
Why You Need Both: This triggers HIPAA violations (Cyber/Regulatory) and constitutes a failure to uphold professional standards of patient care (Medical E&O).
Note: For healthcare providers, it is crucial to ensure your policy covers regulatory fines. You can learn more about specialized coverage for this sector on our Health & Benefits page.
4. Data Processors and BPOs
Business Process Outsourcing (BPO) firms that handle payroll, billing, or document scanning for the government are prime targets.
Risk: You mail 5,000 billing statements to the wrong addresses.
Why You Need Both: This is a privacy breach (Cyber) caused by a clerical error (E&O).
The "Local Angle": California Agencies Are Leading the Charge
Why is this so prevalent here? California has some of the strictest privacy laws in the nation (CCPA/CPRA) and a highly litigious environment.
Public entities in our region—from the City of Modesto to Stanislaus County, and broader California healthcare districts—are acutely aware of their exposure. They rely on the California Joint Powers Insurance Authority (CJPIA) and other risk pools that set very high standards for vendor contracts.
When you bid on a project for a California public agency, you are not just negotiating with that agency; you are often navigating requirements set by a massive statewide risk management framework. They know that a vendor with separate, disjointed policies is a liability. They prefer, and often demand, vendors who carry technology E&O insurance that Modesto agencies can trust, specifically policies that are "Admitted" or written by carriers with high financial ratings.
At TSM Insurance, we have deep roots in the Central Valley. We understand the specific language used by our local municipalities and counties. We know that when a local RFP asks for "Professional Liability for Technology Services," they are effectively asking for this bundled Cyber/E&O structure.
The 4 Key Advantages of a Bundled Policy
Beyond satisfying the RFP requirement, buying a combined Cyber + E&O policy actually makes better business sense for you as the vendor. Here is why.
1. Seamless Coverage (No Gaps)
As mentioned earlier, the biggest risk in separate policies is the "grey area" where coverage overlaps.
Separate Policies: If a software bug causes a breach, your E&O carrier denies it because it's a "Cyber" event, and your Cyber carrier denies it because it was caused by a "Professional Error." You are stuck in the middle with no coverage.
Bundled Policy: The same carrier covers both. It doesn't matter if they classify it as an error or a hack; the policy pays.
2. One Deductible
If you have two separate policies and a complex claim triggers both (e.g., a hack that also causes a service outage), you might have to pay two deductibles.
Example: $10,000 deductible for Cyber + $10,000 deductible for E&O = $20,000 out of pocket.
With a bundled policy, you generally pay only one retention (deductible) for the entire event, saving you significant money during a crisis.
3. Unified Limits
Government RFPs often ask for high limits, such as $5 million.
Buying a $5 million E&O policy AND a $5 million Cyber policy separately can be incredibly expensive.
A bundled policy allows you to share that limit (or tower limits) more efficiently, often resulting in a lower total premium than buying them separately.
4. Simplified Claims Process
When a crisis hits, you do not want to be coordinating between two different claims adjusters from two different insurance companies who are both looking for a way to deny payment.
With a bundled policy, you have one point of contact, one legal team, and one forensics team working to solve the problem.
What to Look for in Your Policy Language
If you are reviewing your current insurance to see if it meets government contract E&O requirements, pull out your policy declarations page and look for these specific insuring agreements.
A compliant bundled policy should explicitly list coverage for:
Technology Professional Liability: Damages arising from acts, errors, or omissions in the performance of technology services.
Network Security Liability: Damages arising from a failure to prevent unauthorized access (hacks).
Privacy Liability: Damages arising from the theft or loss of PII (Personally Identifiable Information) or PHI (Protected Health Information).
Media Liability: Infringement of copyright or intellectual property (often required for website developers and marketing agencies).
Breach Response Costs: First-party coverage for notifying victims, credit monitoring, and PR.
If your policy only lists "Network Security" and "Privacy," you are missing the E&O component. If it only lists "Professional Liability," you are likely missing the Cyber component (ransomware, notification costs).
A Warning for General Liability Endorsements
Many small business owners think they are covered because they have a "Cyber Endorsement" on their General Liability (GL) or Business Owners Policy (BOP).
This is almost never sufficient for government contracts.
Low Limits: GL endorsements often have sub-limits of $25,000 or $50,000. California RFPs usually demand $1 million to $5 million.
No E&O: These endorsements rarely cover Technology Errors & Omissions. They are designed for "passive" cyber risks (like a retailer losing credit card numbers), not "active" tech risks (like a developer crashing a server).
Restrictive Wording: They often lack the specific endorsements for "Waiver of Subrogation" or "Primary and Non-Contributory" status that government contracts mandate.
You can read more about our comprehensive coverage options for businesses on our Business Insurance page.
Real-World Example: The "Smart City" Project
Let's look at a hypothetical scenario involving a vendor in the Central Valley to illustrate why this matters.
The Project: A local municipality in the Central Valley issues an RFP for a "Smart Parking" system. The vendor needs to install sensors in parking spots and provide a cloud-based app for citizens to pay for parking.
The Risk: The vendor wins the bid. Six months later, the sensors start failing due to a firmware update the vendor pushed out (Tech Error). At the same time, researchers discover the app is transmitting user credit card data without encryption (Privacy Violation).
The Outcome with Separate Policies:
The city sues the vendor for lost parking revenue (estimated $200,000). The Cyber carrier denies this part because it’s a "product failure."
The city demands the vendor notify 50,000 drivers about the credit card exposure. The E&O carrier denies this because it’s a "privacy breach."
The vendor is left funding the defense for the lost revenue suit out of pocket while fighting their insurers.
The Outcome with TSM’s Bundled Solution:
The vendor has a "Tech E&O + Cyber" package.
The carrier accepts the claim.
The "Technology Professional Liability" section covers the $200,000 in lost revenue settlement.
The "Privacy Notification" section covers the cost of emailing the drivers.
The vendor pays one deductible and keeps the contract.
How TSM Insurance Can Help You Win the Bid
Navigating the intersection of California's cyber and E&O insurance requirements is not something you should do alone. A single missing clause or an insufficient limit can disqualify your bid before it is even read.
At TSM Insurance, we have been protecting businesses for 100 years. We specialize in reviewing complex government contracts and helping our clients structure the exact coverage they need to comply—without paying for unnecessary extras.
We understand the local market. We know what the City of Modesto, Stanislaus County, and regional healthcare districts look for. We work with top-tier carriers who write specific "Gov-Tech" policies that bundle Cyber and E&O into a single, seamless, RFP-compliant package.
Don't let insurance jargon cost you a contract.
If you are a vendor preparing a proposal for a public agency, let us review your insurance requirements. We can identify the gaps, explain the "Financial Injury" clauses, and secure a bundled policy that protects your business and satisfies the government's rigorous standards.
Contact TSM Insurance today for a tailored solution that turns your insurance policy from a barrier into a competitive advantage.





