Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026
Technology companies carry a set of director-level exposures that most other sectors do not: cyber-incident escalation to a regulator investigation, intellectual-property disputes over source code or datasets, and personal-data enforcement under UK GDPR. This entry sets out where those exposures attach to the board rather than the operating company, how D&O responds to a director sued or investigated for how the company handled data, code or IP, and where the wording of a tech-sector D&O tower needs to be aligned with cyber, IP and PI cover to avoid gaps.
Companies Act 2006 duties apply to a technology company’s directors in the same way they apply to any other sector, but the trigger events look different. A material cyber breach is usually followed by an Information Commissioner’s Office (ICO) investigation under the Data Protection Act 2018 and the UK GDPR. Where a director signed off the security posture — or where a director’s email was the compromised account — the ICO’s enforcement can reach for information under paragraph 1 of Schedule 15 to the DPA 2018, and litigation from affected data subjects can name officers alongside the entity. Shareholder actions after a material misstatement of security position, IP ownership, or ARR are a further head.
The Building Safety Act and Consumer Duty are not sector-specific to tech, but where a technology company’s product is sold into regulated verticals — healthtech, fintech, edtech — the director-level exposure travels through the client’s regulator to the supplier’s board.
Side A covers the individual director when the company will not or cannot indemnify. Side B reimburses the company for costs of indemnifying its directors under a section 234 qualifying third-party indemnity provision. Side C responds to securities claims against the entity, which becomes central for VC-backed tech companies approaching a listing or a large secondary transaction. Extensions that matter for the tech sector include pre-claim investigation costs (ICO and CMA enquiries typically fall here), employment practices liability, and specific outside-directorship cover for founders sitting on portfolio boards.
Deliberate dishonesty and improper personal profit are excluded once established by final adjudication. Prior known circumstances — any breach, disclosure or incident the board knew about before inception — are excluded. Bodily injury and property damage sit on other policies. Claims by one insured against another are excluded save for the standard carve-outs. Fines and penalties that are not insurable as a matter of English public policy fall outside cover.
UK GDPR (retained EU Regulation 2016/679) and Data Protection Act 2018 for personal data. Network and Information Systems Regulations 2018 for essential and digital service providers. The Product Security and Telecommunications Infrastructure Act 2022 for connected devices. The Online Safety Act 2023 for regulated user-to-user and search services under Ofcom. The Copyright, Designs and Patents Act 1988 for source-code IP disputes. Companies Act 2006 sections 171-177 for the general directors’ duties. Insolvency Act 1986 sections 213-214 where a company fails after a material incident. Insurance Act 2015 sections 3, 7 and 8 for the fair-presentation duty at inception and renewal.
D&O covers the director’s decisions as a director — the board’s oversight of the security programme, disclosures to shareholders, decisions to launch or pull products. Technology PI (often written with a cyber section) covers the company’s services and products delivered to clients — a coding error, a system outage, misdelivery of a build. The two policies overlap most obviously when a client claim escalates into a shareholder claim or a regulator investigation of the individuals. A specialist broker aligns the definitions of ‘insured’ and ‘claim’, the retro-dates and the notification wording across D&O, cyber and PI so that a real event finds a real home.
A UK SaaS company suffers a supply-chain compromise that exposes customer credentials over a six-week window before detection. The ICO opens an investigation under Schedule 15 to the Data Protection Act 2018 and issues a formal information notice. Two customer classes threaten group litigation; a subsequent-round investor writes to the board asking about warranties given in the last SPA. The finance director and CTO are named individually in the pre-action correspondence. D&O responds to the individual defence costs of the ICO investigation (pre-claim investigation costs), the personal defence of the SPA warranty allegation (Side A / Side B), and the personal element of the customer class action once individuals are separately named. The customer breach itself sits within the cyber policy, and the technology PI section responds to the underlying service failure claim. All three towers are engaged; the wordings need to co-operate.
D&O policies are almost always claims-made. Where an ICO information notice, a CMA enquiry, a large customer breach-notification demand or an investor letter of concern lands during a policy year, that circumstance needs to r