
Liability Without Control: How Risk Flows Through the Modern Tech Stack

  • Writer: Steven Barge-Siever, Esq.
  • Jun 15

Updated: Jun 17

By Steven Barge-Siever, Esq.

Founder | Upward Risk Management LLC | Undr AI


You were probably affected by the Google Cloud outage last week. I received a handful of downtime notices from platforms - followed shortly by “we’re back online” messages. Maybe you did too. This was a short outage, and probably amounted to a minor inconvenience for most. But it highlighted an interconnectivity risk that is often overlooked by companies that provide mission-critical services in finance, physical goods, and AI:

Companies can suffer meaningful operational and reputational harm without ever making a mistake.
Tech Stack Risk

When disruptions occur, accountability flows downstream - and the burden lands on companies tied to infrastructure they don’t control, but are legally and contractually responsible for.


Insurers are looking to understand these risks - and companies should be asking themselves:

  • What happens when uptime is contractually guaranteed, but the failure is upstream?

  • Do you offer refunds for downtime?

  • If data is lost, corrupted, or delayed, who bears the liability - and under which policy?

  • What if a system failure results in physical harm or safety-critical disruptions (think deep tech)?

  • How much reputational harm could happen from a prolonged outage?

  • And if your platform relies on multiple third-party vendors, how are you assessing your exposure without understanding theirs?


These aren’t edge cases. They’re the operating reality of modern tech - and the fault lines where E&O coverage often breaks down.



A Reminder: Downtime Isn’t Always Your Fault - But It’s Always Your Problem

This isn’t abstract. We’ve seen what happens when these dependencies fail - notably in the Synapse collapse of 2024, when a little-known middleware provider quietly supporting dozens of fintech platforms unraveled almost overnight.


It wasn’t just a vendor outage - it was a breakdown in visibility, ownership, and accountability:

  • Customer funds froze

  • Core functions stalled

  • Support teams couldn’t explain the problem

  • Legal teams couldn’t identify who owed what to whom


The most damaging failure wasn’t technical. It was structural.


Because in modern tech, no one owns the full stack - but everyone becomes liable for the part they touch.


And despite doing everything “right,” many well-capitalized, well-insured companies were left with:

  • Lawsuits

  • Regulatory scrutiny

  • And no clear path to recovery


The real point is that it is impossible to know what risks your partners truly have until they unravel. So how can you protect your company from correlated failure?


Tech E&O Was the Safety Net. Until It Wasn’t.

Many affected companies turned to their Technology Errors & Omissions (Tech E&O) policies - often bundled with Cyber coverage - expecting relief.


But most Tech E&O policies are structured around a narrow premise:

You broke it, you own it.

That logic doesn’t hold in an interdependent world.


A vendor fails. An API crashes. A system goes dark.


The client doesn’t care who caused it - they only see one name on the contract: yours.


In theory, you could look upstream for indemnification or support. In practice - especially with Synapse - that upstream entity no longer existed. No remediation. No defense. Sometimes not even documentation.


Just silence. And exposure.



What Tech E&O Should Cover in 2025 - But Often Doesn’t

Let’s take a Series B company offering AI-powered financial software. Their stack includes:

  • Google Cloud – infrastructure

  • OpenAI – AI logic

  • Plaid – banking integrations

  • Stripe – payments

  • MongoDB – data storage


If any one of those fails:

  • Transactions stall

  • Clients sue

  • SLAs are breached


Did the startup act negligently? No. Did the client suffer a loss? Yes. Does their Tech E&O respond? It depends.


Because real-world risk isn’t just about negligence. It’s about dependency.



Could a CLIP Help?

One alternative that’s gaining attention is the Contractual Liability Insurance Policy (CLIP) - a form of coverage specifically designed to respond when companies are held liable for promises they’ve made in contracts, even if the failure wasn’t theirs.


A well-structured CLIP can address scenarios where:

  • A third-party vendor fails to perform

  • A contractual uptime or service-level obligation is missed

  • The insured is obligated to indemnify a client for damages - regardless of fault


In a stack-driven world, where you’re on the hook for the performance of infrastructure you don’t control, a CLIP can serve as a tailored buffer between legal exposure and insurance silence. It doesn’t replace Tech E&O - it fills the contractual gap that E&O was never built to cover.



AI Exponentiates Risk. Insurance is Catching Up.

Modern AI companies don’t just build software. They orchestrate value across dozens of external providers:

  • Model APIs (OpenAI, Anthropic, Mistral)

  • Cloud compute (Azure, Google Cloud)

  • Middleware (vector stores, embeddings, observability tools)

  • SaaS layers they don’t fully control


The liability lives where the client relationship lives - even if the fault doesn’t.


Today, most Tech E&O policies:

  • Do not cover AI model output or hallucinations

  • Do not treat upstream failure as a covered event

  • Do not trigger for latency, outages, or errors without a breach


Affirmative AI endorsements are starting to emerge - but they’re inconsistent, untested, and often misunderstood.


This leaves AI companies with the highest dependency exposure in tech - and the least reliable coverage for it.



Is Your Broker Acting Like a Risk Stack Admin - or a Pass-Through API?

Your broker controls:

  • How your policy is structured

  • Which exclusions are negotiated

  • How risk is communicated to underwriters

  • How your claims narrative is framed


If your broker doesn’t understand your infrastructure, your vendors, and your product dependencies - they can’t protect you.


If they’re just forwarding submissions and documents, they’re not acting like middleware. They’re acting like a pass-through API.


And that means a critical node in your risk stack is unprotected.



Ask This One Question

“What happens if our most critical vendor fails tomorrow?” Not a breach. Not misconduct. Just downtime.

  • Are we covered?

  • Are we defended?

  • Could we survive the litigation?


If your broker can’t answer in clear, specific terms within a few hours - with references to your actual policy - they don’t know.


And if they don’t know, your risk stack has a blind spot.


And it’s not a hypothetical one.

Because in 2025, you don’t need to fail to be held accountable. You just need to be connected to someone who does.

Upward Risk Management

When Expertise Matters
