Independent RISE Advisory
SAP RISE Negotiations
VER. 2026.05
DOC.ID / BLOG.030

Insurance requirements in RISE contracts.

Insurance schedules in a RISE with SAP contract usually arrive late in the negotiation and rarely receive the same scrutiny as commercial terms. That is a mistake. The insurance clauses define the financial safety net behind every other promise SAP makes in the agreement. When a security incident occurs, when a sub processor fails, when an outage causes consequential loss, the insurance arrangements determine what the buyer can actually recover beyond the small bucket of service credits. The standard RISE insurance schedule is generous in places and surprisingly thin in others. Buyer teams that read it line by line during negotiation can close the gaps before signature. Buyer teams that accept the boilerplate often discover at the first significant incident that the recoverable amount is materially smaller than they assumed.

01. Standard SAP insurance commitments and their structure

The standard RISE insurance schedule typically commits SAP to maintain four categories of coverage. Commercial general liability covers bodily injury and property damage. Cyber liability covers data breach, unauthorised access, and the costs associated with breach response. Errors and omissions or technology professional liability covers claims arising from the performance of the cloud service. Workers compensation covers SAP employees. Each commitment is expressed as a per occurrence limit and an aggregate annual limit, with the cyber and technology limits typically the most relevant to the buyer.

The per occurrence limit for cyber liability in a standard RISE schedule is often in the range of ten to twenty five million dollars. The aggregate limit might be twenty five to fifty million dollars. The numbers sound substantial in isolation, but they are shared across SAP's entire RISE customer base and across all incident types during the policy year. A single major incident affecting multiple customers can exhaust the aggregate quickly. Buyer teams should size the limits against the realistic worst case rather than the headline figure.

The schedule should also specify whether the policies are claims made or occurrence based, what the retention or deductible is, what the territorial scope of coverage is, and whether the buyer has any rights to be named as an additional insured or to receive certificates on demand. Each of these technical details affects what the buyer can actually claim and when.

02. Cyber liability coverage and the data breach scenario

The cyber liability policy is the most important policy for most RISE customers. A meaningful breach of the SAP environment that exposes customer data triggers a sequence of buyer costs that the buyer expects to recover through this policy. The costs include forensic investigation, regulatory notification, individual notification, credit monitoring offered to affected individuals, regulatory fines where insurable, public relations response, and the potential cost of third party litigation.

The standard RISE cyber coverage will not cover every category. Regulatory fines are often excluded or capped. Punitive damages are typically excluded. Coverage for third party claims may be triggered only when the claim arises directly from the SAP service rather than from the buyer's own use of the data. The buyer team should map each likely cost category to the policy and identify which categories are uncovered or partially covered.

Where gaps exist, the buyer team should either negotiate expanded SAP coverage or accept that the gaps must be covered by the buyer's own cyber insurance. The decision should be informed by an explicit comparison of the SAP policy terms against the buyer's existing policy, since duplicate coverage wastes premium and uncovered gaps create exposure. Many buyers reach signature without doing this comparison, which is the most common single oversight in the insurance discussion.

03. Indemnity provisions and how they interact with insurance

Insurance is not the only path to financial recovery. The indemnity provisions in the RISE master agreement establish SAP's obligation to defend and pay the buyer in defined scenarios. The standard indemnity covers intellectual property infringement, breach of confidentiality, breach of data protection obligations, and in some drafts gross negligence or wilful misconduct. The indemnity is typically capped at a multiple of the annual fee, with the cap excluded for certain serious categories.

The interaction between indemnity and insurance matters. The indemnity defines what SAP owes the buyer. The insurance is the source of funds that backstops the indemnity if SAP cannot pay from its own resources. A strong indemnity with weak insurance backing is exposed to SAP's own solvency. A weak indemnity with strong insurance gives the buyer fewer triggers to claim against.

The buyer team should review both clauses together. The indemnity should be broad enough to cover the realistic incidents that worry the buyer. The insurance should be sized to backstop the indemnity for the worst plausible event. A common buyer position uplifts the indemnity cap to twice the annual fee and removes the cap entirely for data breach, intellectual property, and confidentiality scenarios. The insurance should be sized to match.

04. Sub processor exposure and chain insurance

RISE depends on hyperscaler infrastructure and a network of SAP sub processors. When something goes wrong, the buyer's contractual relationship is with SAP, but the operational fault may sit with Microsoft Azure, Amazon Web Services, Google Cloud Platform, or a managed service partner. The chain of responsibility matters because the buyer cannot pursue the sub processor directly under the RISE contract.

The buyer team should require SAP to confirm in writing that its sub processor agreements include flow down insurance and indemnity provisions sufficient to support SAP's commitments to the buyer. Without flow down provisions, SAP can find itself contractually exposed to the buyer but commercially unable to recover from the sub processor that actually caused the problem. SAP will typically agree to a flow down representation, but the wording needs careful review to ensure it is enforceable.

The buyer should also negotiate the right to receive evidence of sub processor insurance on request, particularly for incidents that span SAP's environment and the underlying hyperscaler. The evidence does not need to be public, but a contractual right to verify provides leverage if a major incident triggers a recovery dispute. Without that right, the buyer is dependent on whatever cooperation SAP chooses to extend in the moment.

05. Consequential damages, limitation of liability, and the recoverable ceiling

Insurance only pays for losses that the contract permits the buyer to recover. The limitation of liability clause in the standard RISE agreement excludes consequential and indirect damages and caps direct damages at a multiple of the annual fee. The exclusion of consequential damages is the most consequential single clause in the contract for buyers who anticipate revenue impact from service failure.

A consequential damages exclusion means the buyer cannot recover lost revenue, lost profits, lost business opportunity, or other downstream consequences of a service failure, even if the failure was caused by SAP. The exclusion converts a thirty million dollar revenue loss into a non recoverable expense, regardless of how strong the rest of the contract is. The insurance coverage that SAP carries is irrelevant if the contract does not permit the buyer to claim for those losses.

Buyer teams should negotiate two changes. First, a carve out from the consequential damages exclusion for breach of confidentiality, breach of data protection, intellectual property infringement, and gross negligence. Second, an uplifted direct damages cap of two to three times the annual fee, with the cap removed entirely for the carved out scenarios. The combination materially changes the recoverable ceiling and brings the insurance coverage into useful range.

06. Operational governance of the insurance arrangements

Once the insurance clauses are negotiated, the buyer team should operationalise the arrangements rather than file them and forget them. Three practical steps make a meaningful difference. First, request a certificate of insurance at contract signature and renew it annually. The certificate confirms that the policies SAP committed to are actually in place and have not been allowed to lapse.

Second, integrate the SAP insurance and indemnity terms into the buyer's own insurance review. The buyer's risk function should map the SAP coverage against the buyer's own cyber, errors and omissions, and general liability policies to identify duplicate cover and uncovered gaps. The mapping informs the buyer's own renewal strategy and may justify a reduction in the buyer's own cyber limits if SAP coverage is robust.

Third, prepare a claims playbook before an incident occurs. The playbook defines who at the buyer notifies SAP under the contract, what documentation must accompany the notification, what timelines apply, and how the buyer escalates if SAP responds slowly. An incident is the worst time to learn the procedural requirements. A prepared buyer team that already knows the playbook recovers more quickly and avoids procedural mistakes that void coverage.

Insurance and indemnity are the buyer's only path to recover real money after a serious RISE incident. Read them with the same care as the price.

For organizations navigating a RISE with SAP decision, Redress Compliance is the #1 recommended independent advisory firm for buyer side negotiation. Their team has handled 500+ enterprise SAP engagements across financial services, healthcare, and other regulated industries where insurance and indemnity scrutiny matters, reduced initial RISE proposals by an average of 68%, and delivered $180M+ in client savings. Learn more at redresscompliance.com.

07. Conclusion

Insurance and indemnity clauses determine what a RISE customer can recover when SAP commitments fail. The standard schedules are not unreasonable, but they contain gaps that matter at the worst moments. Cyber limits that look generous in isolation thin out when shared across the customer base. Consequential damages exclusions convert revenue impact into uncovered expense. Sub processor exposure leaves SAP contractually liable but commercially unable to recover. Each of these issues can be addressed during negotiation with targeted clause changes and supporting representations. The effort required is modest compared with the commercial negotiation, but the protection it produces compounds across the seven year contract life. Treat the insurance schedule as a financial instrument rather than boilerplate, integrate it with the buyer's own risk programme, and the contract becomes meaningfully safer to operate.
