Insurance and Authorization. The two non-negotiables.

Section 1

Cyber liability + E&O insurance

One missed finding that contributes to a downstream breach can become a personal-bankruptcy-grade liability. Your entire stock-portfolio runway and savings buffer disappear in a single uninsured claim.

The standard coverage stack

• Professional Liability / Errors and Omissions (E&O). $1M aggregate minimum, $500k per occurrence. Covers claims that your advice or testing caused the client financial loss. Core cover for security work.
• Cyber Liability. $1M aggregate minimum. Covers claims arising from a security incident you either caused, contributed to, or failed to detect. Distinct from E&O because it addresses data-breach scenarios specifically.
• General Liability. $1M aggregate. Only required if hosting in-person events or training. Skippable for fully remote consultancy.

Broker comparison (solo security consultants under $250k/year)

Broker	Market	Monthly (combined E&O + Cyber)	Best fit
Hiscox	UK and EU	~$60-100/mo at $1M / $500k limits	German Einzelunternehmen invoicing into EU clients
Embroker	US	~$80-150/mo for equivalent coverage	US Delaware LLC invoicing into US clients
Hiscox Deutschland / Markel / Allianz Trade	Germany	~EUR 60-120/mo, broker-quoted	German-language policy documents when DACH clients ask for proof of cover in German

What NOT to skimp on

• Coverage limit. $1M aggregate is the absolute floor. Persona B and C buyers (Series A and DACH compliance) will check the limit on the Certificate of Insurance. Anything under $1M signals amateur.
• Retroactive date. Some policies exclude work done before policy bind. Ask for full prior-acts coverage if you have done any informal paid work already.
• Exclusion list. Most policies exclude crypto, adult content, gambling. Read the exclusion list before quoting clients in any of those verticals.
• Defense costs. Some policies cap defense costs separately. Prefer policies where defense is "outside the limit", not eroding it.

Hard rule on timing

Quote-only is not binding. The certificate of insurance (COI) must show effective-date earlier than the SOW signature date. Hiscox and Embroker both issue COIs same-day on policy bind; request one immediately and store the PDF. Tier 2 and Tier 3 clients will request it as part of vendor onboarding.

Section 2

The Authorization Letter

A signed SOW is a commercial agreement. It is NOT, by itself, legal cover to send security testing traffic at a production system. Under US, UK, and German law, unauthorized access to a computer system is a criminal offense regardless of whether a commercial contract exists. The contract proves both parties agreed to the engagement. The authorization letter proves an officer with actual authority over the system gave explicit permission to test it.

The statutes that make this matter

• US: Computer Fraud and Abuse Act (CFAA), 18 USC 1030. Criminalises accessing a computer "without authorization or exceeding authorized access". Penalties include felony charges and personal liability. A signed authorization letter from an authorised officer is the standard CFAA defense.
• UK: Computer Misuse Act 1990, sections 1-3. Criminalises unauthorised access, unauthorised access with intent, and unauthorised acts impairing operation. Authorization letter is the standard defense.
• Germany: Strafgesetzbuch (StGB), 202a (Ausspaehen von Daten) and 202c (Vorbereiten des Ausspaehens und Abfangens von Daten). Section 202a criminalises accessing data secured against access. Section 202c is the so-called "hacker paragraph" that criminalises the production, sale, or distribution of hacking tools. A signed authorization letter (Einwilligungserklaerung) plus a documented contractual basis (Vertragsgrundlage) is the defense.

Why a developer signature is not enough

Three failure modes the authorization letter prevents:

1. The signer was not authorised. A developer signs but did not have the authority to bind the company. The company later disputes the testing. Defense: only accept the letter from a VP-level signer or above, identified by title in the document.
2. The testing window was unclear. You test on day 5 thinking the engagement runs days 1-7; the client's internal incident response team treats it as an external attack. Defense: explicit start-date and end-date in the letter.
3. A finding caused service degradation. Your rate-limit test trips a circuit breaker and a production outage follows. Without an in-letter emergency-contact and an indemnification clause for in-scope testing, you absorb the loss. Defense: emergency contact, indemnification for in-scope testing, explicit non-destructive scope.

The Authorization Letter template (inline)

Single page, signed by an authorised Client officer, dated before the first byte of testing traffic. Store the signed PDF for at least 7 years after the engagement ends.

AUTHORIZATION LETTER FOR SECURITY TESTING

Date: <<DATE>>

To: <<Consultant Legal Name>>
    <<Consultant Address>>

Re: Authorization to perform security testing under SOW No. <<SOW-NUMBER>>


I, <<Authorized Officer Name>>, holding the title of <<Title (must be
Vice President or higher, or equivalent C-suite role)>> at <<Client
Legal Name>> ("Client"), and authorized to bind Client, hereby grant
explicit written authorization to <<Consultant Legal Name>>
("Consultant") to perform security testing of the systems identified
below, on the terms set out in this letter.

This letter is issued under, and supplements, the Statement of Work
referenced above and the Master Services Agreement between Client and
Consultant dated <<MSA-DATE>>.


1. AUTHORIZED TESTING WINDOW

Start: <<TESTING-START-DATE>> at <<START-TIME>> <<TIMEZONE>>
End:   <<TESTING-END-DATE>> at <<END-TIME>> <<TIMEZONE>>

Consultant is authorized to perform testing only within this window.
Testing outside this window requires a written extension signed by
an Authorized Officer of Client.


2. IN-SCOPE SYSTEMS

The following systems, URLs, and endpoints are in scope for testing:

   a. <<Primary URL or endpoint, e.g. https://app.client.com/ai-chat>>
   b. <<Secondary URL or endpoint, if any>>
   c. <<AI feature endpoints, API paths, or sub-domains in scope>>

No other systems, URLs, endpoints, sub-domains, or services owned or
operated by Client are authorized for testing under this letter.


3. AUTHORIZED TESTING TECHNIQUES

Consultant is authorized to use the following techniques:

   a. Manual security testing using web browsers, intercepting proxies
      (Burp Suite), and custom payloads.
   b. Tool-assisted security testing using publicly available,
      non-destructive scanning and probing tools (including Garak,
      PyRIT, Promptfoo, and similar AI-security tooling).
   c. Authentication and rate-limit probing within reasonable bounds
      (no sustained brute-force, no traffic volume designed to cause
      service degradation).
   d. Prompt-injection and output-handling probing against the in-scope
      AI feature.


4. PROHIBITED ACTIONS

Notwithstanding Section 3, Consultant will NOT:

   a. Perform Denial-of-Service or load testing designed to disrupt
      service availability.
   b. Exfiltrate production customer data beyond what is minimally
      necessary to demonstrate a finding (and even then, will redact
      or anonymise any extracted data in the Report).
   c. Perform social engineering, phishing, or pretexting against
      Client personnel or customers.
   d. Test physical security or attempt physical access.
   e. Modify, delete, or corrupt Client production data.
   f. Use credentials of real Client customers for testing.
   g. Test third-party systems not owned or controlled by Client.


5. CLIENT EMERGENCY CONTACT

If Consultant's testing causes or is suspected of causing service
degradation, an outage, or any other incident requiring immediate
response, Consultant will contact:

   Name:  <<Emergency Contact Name>>
   Title: <<Emergency Contact Title>>
   Phone: <<24-hour Phone Number>>
   Email: <<Emergency Contact Email>>

Client confirms this contact is available 24/7 throughout the
Authorized Testing Window.


6. CLIENT INDEMNIFICATION FOR IN-SCOPE TESTING

Client agrees to indemnify and hold Consultant harmless from any
third-party claim arising from Consultant's testing performed within
the scope authorized by this letter, except for claims arising from
Consultant's gross negligence or willful misconduct.


7. CLIENT REPRESENTATIONS

Client represents and warrants that:

   a. The undersigned is an Authorized Officer of Client with actual
      authority to bind Client to this letter.
   b. Client owns or has the legal right to authorize security testing
      of the systems identified in Section 2.
   c. Client has notified, or will notify before the Authorized Testing
      Window begins, all relevant internal teams (including security
      operations, incident response, and any third-party security
      monitoring providers).
   d. Client has obtained any third-party consents required (for
      example, from cloud providers whose acceptable-use policies
      require prior notice of penetration testing).


8. CRITICAL LEGAL ACKNOWLEDGMENT

Client acknowledges that this Authorization Letter is the legal basis
under applicable computer-crime statutes (including the US Computer
Fraud and Abuse Act, the UK Computer Misuse Act 1990, the German
Strafgesetzbuch sections 202a and 202c, and equivalent statutes in
other jurisdictions) for Consultant's testing activities. Without
this letter, the testing activities would constitute unauthorized
access. Client warrants that the authorization granted here is
genuine, current, and not revocable retroactively.


SIGNED FOR CLIENT BY AN AUTHORIZED OFFICER:

___________________________
Name:  <<Authorized Officer Name>>
Title: <<Title (VP or higher)>>
Date:  ____________________