An Apex Insurance Brokers publication — 2026 Edition
Most charity trustees we meet are not professional risk-managers. They are accountants, teachers, retired clinicians, business owners and community leaders who have agreed to serve on a board because they care about what the charity does. They have read the Charity Commission’s CC3 (“The Essential Trustee”) at some point, possibly when they were appointed; they have signed a register-of-interests declaration; and they have a passing sense that the charity has insurance in place because someone arranged it.
That position is understandable. It is also exposed. Trustees carry personal duties under the Charities Act 2011 and at common law. Charities operate in regulated spaces — fundraising, lotteries, safeguarding, data protection, employment, premises — each with its own enforcement regime. And the insurance picture that sits around all of this is genuinely complex, more so than most charities’ insurance budgets suggest.
This handbook is written for the board member who wants a working understanding of what their charity’s insurance does, what it does not, and where the personal exposure of trustees sits. It is plain-English. It draws on the law as we find it operating in 2026 and on what we see across our charity client base.
This is general guidance — not regulated advice. We have flagged areas where reform is anticipated or status uncertain. For specific decisions, consult your broker and your governance support (the Charity Commission’s CC guidance series is excellent; for harder questions, your charity solicitor).
— The team at Apex Insurance Brokers, Bristol
Why this chapter matters. Insurance is not a head-office administrative matter delegated to the operations lead. It is one of the few financial backstops to trustee personal liability — and trustees should understand it from the board.
Trustees of a registered charity owe duties under the Charities Act 2011 and at common law. The Act consolidates much of charity law and is the operative statute for most charity-governance questions. Key trustee duties summarised:
The standard of care expected was articulated in cases including Bartlett v Barclays Bank Trust Co Ltd [1980] Ch 515 (charitable trust corporate-trustee standard) and more broadly in Bristol & West Building Society v Mothew [1998] Ch 1 (the fiduciary’s duty of loyalty). These remain authoritative.
Trustees acting in good faith and within their powers are generally protected. Trustees acting outside their powers, in breach of duty, or in conflict with the charity’s interests can find themselves personally liable.
The Charity Commission publishes a series of CC-numbered guidance documents that set the regulator’s expectations of trustee conduct:
A senior-management regime for charities had been the subject of consultation following the 2024 charity governance review. As at May 2026, status: confirm current Charity Commission position before relying — the proposal evolved through 2025 and may be in transitional form.
The personal-liability picture differs by charity structure:
In all cases, trustee personal exposure for breach of duty does not disappear because of the corporate form. Trustee D&O insurance addresses that exposure.
Section 189 of the Charities Act 2011 provides express statutory authority for trustees to purchase trustee indemnity insurance out of charity funds, subject to specific conditions. The premium spend is a permitted “trustee benefit” under the Act. The conditions broadly require:
This statutory authority is important: trustees of older governing documents that pre-date 2011 sometimes worry that purchasing trustee insurance constitutes an unauthorised trustee benefit. Section 189 resolves that question for the Commission.
[Broker’s view sidebar — “At least once a year, somebody at the board table says ‘we’ve always had insurance — it’s fine, isn’t it?’. Most of the time, it is — but the right answer is to read the schedule before agreeing. The annual review of insurance arrangements deserves an item on the board agenda, not a delegation to the operations lead.”]
Why this chapter matters. Trustee D&O is the policy most directly addressing personal trustee exposure. Its structure (Sides A / B / C) is genuinely different from most other commercial cover.
Trustee Directors’ & Officers’ (D&O) insurance is a claims-made policy responding to claims first made against trustees during the period of insurance. The policy responds to claims alleging a wrongful act — a wide concept covering breach of duty, breach of trust, negligence, breach of statute, misrepresentation and similar.
The cover is built around three “Sides”:
Side A pays losses that the charity is not legally able or financially able to indemnify the trustee for. The classic case is where the trustee has been found in breach of trust — the charity may not lawfully indemnify the trustee for the consequence — and the trustee is personally exposed for damages and defence costs.
Side A is the part of D&O that protects the trustee’s personal pocket. It is the layer that matters most to the individual trustee.
Side B reimburses the charity where the charity has indemnified the trustee for a covered loss. The classic case is defence costs where the trustee is ultimately exonerated — the charity has indemnified those costs and recovers them from the policy.
Side C extends the policy to cover the charity entity itself for certain claims made against the charity. In commercial D&O (corporate boards) Side C is common and broad. In charity D&O, Side C is typically narrower — often limited to employment-practices claims, regulatory investigations, or specific named perils. Read the wording.
[Diagram: three columns labelled Side A / Side B / Side C, with arrows showing who indemnifies whom in each scenario. Annotation: “Side A is the trustee-personal layer. Lose Side A and the trustee is exposed for non-indemnifiable loss.”]
A typical trustee D&O policy will exclude:
As with PI, defence costs in D&O are sometimes inside the limit and sometimes in addition to it. The wording determines this; the schedule rarely makes it clear at first glance. Press your broker for the position.
A specific extension worth understanding is investigation costs cover — funding for legal representation when the trustee is the subject of an inquiry by a regulator (the Charity Commission, the Information Commissioner, HMRC, the Fundraising Regulator). Investigation cover is sometimes a sub-limit, sometimes built into Side A; it is often the most-used part of a trustee D&O policy in practice. Confirm it is there.
[Common mistake call-out — “Treating D&O limit selection as a one-line decision in the renewal pack. The limit should be sized to the worst-case combined defence + indemnity cost for a multi-trustee inquiry — which for a mid-sized charity can comfortably reach six figures even on a successful defence.”]
Why this chapter matters. The standard against which a trustee is judged determines whether a claim succeeds. Insurance pays the consequence; the standard determines whether there is a consequence.
The standard of care expected of a trustee was articulated in Bartlett v Barclays Bank Trust Co Ltd [1980] Ch 515 (where a corporate trustee was held to a higher standard than a lay trustee, on the basis that it had held itself out as having professional skill in trust administration) and in subsequent authorities. The common-law standard for a lay trustee is one of ordinary prudence in conducting one’s own affairs, with additional skill expected of those who hold themselves out as having it.
For trustees of incorporated charities (charitable companies, CIOs), the duty is part-codified in company law (notably section 174 Companies Act 2006 for charitable companies — duty to exercise reasonable care, skill and diligence). The objective standard is what could reasonably be expected of a person carrying out the trustee role, modified upward by any specific skill or experience the individual trustee actually has.
The Charity Commission’s working framework of trustee duties (summarised in CC3) is:
[Trustee duties map — diagram with the six duties as petals around a central “Trustee” node, with statutory anchors annotated on each petal. Strap-line: “Six duties — every trustee decision should be defensible against at least one of them.”]
Trustees who:
…are very unlikely to face a successful personal-liability claim. Most trustee D&O claims that go anywhere arise where one or more of the above is missing.
A trustee who has a relevant professional background (accountant, solicitor, surveyor, clinician) is held to the standard of their profession in respect of matters within that profession. The accountant trustee who fails to spot an obvious problem in the management accounts is harder to defend than the lay trustee in the same position.
This is not a reason to keep professional trustees off boards — they are essential — but it is a reason for professionals to be especially careful about minuting their advice, especially where the board’s decision diverges from it.
[Broker’s view sidebar — “The most defensible trustee minute is one that records the question asked, the information considered, the alternatives discussed, and the basis for the decision. It is also, not coincidentally, the format that makes board meetings actually useful.”]
Why this chapter matters. The Charity Commission’s enforcement powers have been used more actively over the past decade. Understanding them is part of understanding why trustee D&O exists.
The Charity Commission’s enforcement framework sits in Parts 4 and 6 of the Charities Act 2011. The relevant powers include:
The publication of an inquiry report is, in itself, a material consequence for trustees — personally and reputationally — independent of any financial sanction.
Trustee D&O cover typically excludes payment of fines and penalties imposed personally on the trustee. This is important: where the Commission disqualifies a trustee or imposes a sanction, the D&O policy will not pay the sanction itself, though it will usually fund the legal defence costs through to and including the determination.
This exclusion is one of the strongest arguments for getting professional help early at the first sign of a regulatory issue. The defence cost is covered; the eventual penalty is not.
[Charity Commission inquiry pathway flow chart — entry points (complaint / proactive supervision / serious incident report) → preliminary engagement → statutory inquiry under s.46 → s.76 protective orders → remedial action / removal / scheme. Annotations on where insurance defence cover typically engages and where exclusions bite.]
Trustees are expected to report serious incidents to the Charity Commission promptly. The threshold for reporting includes safeguarding incidents, significant financial loss (fraud, theft, missing funds), significant data breaches, links to terrorism, and other matters set out in current Commission guidance.
Failure to report a reportable incident is, in itself, a governance failure that can trigger regulatory action. The trustee D&O policy generally does not directly cover the consequence of a failure to report — but a charity with a properly maintained reporting protocol is significantly less exposed.
Following the 2024 charity governance review, proposals have been brought forward for a senior-manager-style regime applying particular accountability standards to nominated senior individuals within larger charities. As at May 2026, status: confirm current position — the proposals were under consultation and may not yet be commenced. The principle to watch: heightened expectations of named senior individuals beyond the trustee body.
[Common mistake call-out — “Treating a Charity Commission preliminary letter as something to be answered by the operations lead in the next few days. The first response sets the tone of the engagement. Brief your broker, brief your legal adviser, and treat the response as a board-level matter from day one.”]
Why this chapter matters. Fundraising activity sits in several overlapping regulatory regimes. A single fundraising event can engage three regulators.
The Fundraising Regulator is the independent body responsible for fundraising standards in England, Wales and Northern Ireland (Scotland has the Office of the Scottish Charity Regulator overseeing Scottish fundraising). The Fundraising Regulator publishes the Code of Fundraising Practice, which sets the operational standards for fundraising activity and supplements the Charity Commission’s CC9 guidance.
The Fundraising Regulator replaced the Fundraising Standards Board (FRSB) in 2016. The Code is updated periodically — confirm current version with the regulator.
The Code addresses:
Charities should have a written fundraising policy aligned to the Code and review it at trustee level annually.
The Information Commissioner’s enforcement actions against the RSPCA, the British Heart Foundation, Wellcome Trust and others in 2016–18 over fundraising profiling and data sharing remain the operative case-law of charity-fundraising-and-data-protection. The ICO’s position then — that profiling donors and sharing data with other charities without specific consent breached data protection law — has been reflected in subsequent guidance and is still material.
For trustees, the practical consequence is that fundraising and data protection are not separate questions. They must be governed together.
Charity lotteries (raffles, prize draws, sweepstakes) are regulated under the Gambling Act 2005. The framework distinguishes:
The line between these categories matters. A charity running a large prize draw without the appropriate licence is committing a criminal offence under the Gambling Act and the trustees are exposed personally for the failure to comply.
[Fundraising regulatory map — four-quadrant diagram with Fundraising Regulator / Gambling Commission / ICO / Charity Commission, with examples of activities triggering each. Strap-line: “A single fundraising event can engage all four. Plan accordingly.”]
A charity fundraising event (gala, fete, sponsored marathon, sponsored walk, ball, abseil) typically needs:
Some standard charity policies extend automatically to small fundraising events; others require notification and underwriter agreement. Always confirm in advance.
[Broker’s view sidebar — “Where the fundraising event is a ‘first’ for the charity — a new format, a new venue, a new activity — the assumption that the standard policy covers it is the assumption to test. The conversation with the broker takes ten minutes and protects the trustees.”]
Why this chapter matters. Safeguarding is the highest-stakes single area of charity risk, and the insurance trigger language is materially specific. Trustees should not assume it is in the standard policy.
Charities working with children or adults at risk are subject to a complex safeguarding framework:
The Charity Commission has been explicit that safeguarding is a trustee-board matter, not an operational one. Trustees are expected to oversee safeguarding policy, training, incident management and reporting — not merely to be told about it.
For charities working with children or adults at risk, Disclosure and Barring Service checks are central. The regime has tiers:
A charity in any regulated activity should have a DBS policy specifying which roles require which level, retention periods, and the process for handling positive disclosures.
Standard charity liability policies typically have an abuse and molestation exclusion — physical, sexual or emotional abuse arising from the charity’s activities is excluded unless specific cover is added.
Most charities working with children or adults at risk should buy abuse and molestation cover explicitly as an extension. The cover is typically:
The exclusion is one of the most-missed gaps in charity insurance. Confirm the position on every policy review.
[Safeguarding cover trigger matrix — rows: physical / sexual / emotional / financial / neglect. Columns: standard policy / abuse extension / specialist cover. Cells showing where each is or is not covered. Strap-line: “Read the exclusion before assuming you have cover.”]
Trustees are exposed personally where the charity’s safeguarding regime is inadequate and a safeguarding incident occurs. The exposure is partly civil (claim by the victim’s family or estate against the charity, with potential trustee involvement) and partly regulatory (Charity Commission inquiry).
Trustee D&O cover responds to the trustee-personal element, subject to its usual exclusions (no cover for criminal acts, no cover for fines and penalties). The charity-level liability sits in the charity liability policy with abuse and molestation extension.
[Common mistake call-out — “Buying a policy because it is cheap, without checking whether the abuse and molestation exclusion is present and whether the extension has been added. For any charity working with children or adults at risk, this is the single most important thing to check.”]
Why this chapter matters. Charities hold sensitive personal data — donors, beneficiaries, staff, volunteers. Cyber and data breach risk is no longer a “large charities only” question.
Charities are data controllers under the UK GDPR (as enacted in UK law via the Data Protection Act 2018, with subsequent reforms under the Data Protection and Digital Information legislation — status of the most recent reforms: confirm current commencement). The principles are well-known but the application to charities is specific:
The Wellcome / RSPCA / BHF enforcement history (referenced above) is the operative case-law on fundraising data practices. The ICO’s enforcement appetite around charities has been periodic and unpredictable; treat it as live.
In recent years grant-funders (the Lottery, major trust funders, statutory funders) have routinely asked grant applicants about their cyber and information-security posture. The questions typically reference:
Smaller charities sometimes treat this as a tick-box. The funders’ due-diligence teams generally do not. Getting Cyber Essentials in place — usually a few hundred pounds in cost, with a few days of preparation — is both an insurance argument (cyber underwriters favour Cyber Essentials) and a funding argument.
A standalone cyber policy responds to:
For a charity holding any meaningful volume of donor or beneficiary data, cyber cover is increasingly considered standard. Sub-limits at £250k–£1m are typical at smaller-charity level; mid-market charities are buying £1m–£5m+.
[Cyber for small charities decision tree — branching from “Do we hold personal data?” through “Have we got Cyber Essentials?” → “Do our funders require it?” → policy recommendation. Strap-line: “Cyber is no longer a large-charity-only question.”]
Why this chapter matters. A complete charity insurance picture includes a number of lines beyond trustee D&O. Trustees should know what each does.
Employers’ Liability insurance is statutorily required under the Employers’ Liability (Compulsory Insurance) Act 1969 for charities with employees. The minimum statutory limit is £5 million; most policies provide £10 million as standard.
Volunteers are not employees but are typically included within the EL policy by extension — confirm this is in place. A charity relying heavily on volunteers without confirming the EL extension is exposed for the volunteer who is injured in the course of the charity’s activities.
Public Liability covers the charity’s liability to third parties (the public, beneficiaries, members) for injury or property damage. Limits of £2m–£10m are typical at smaller-charity level; mid-market charities often hold £10m–£25m. Activities involving children, vulnerable adults, vehicles or premises open to the public push the limit upward.
For charities owning premises (a community centre, an office, a school, a residential home), buildings insurance is critical. Standard issues:
Charities running minibuses for non-PSV (Public Service Vehicle) use commonly operate under a Section 19 permit under the Transport Act 1985. The permit allows minibuses to be operated for hire and reward in specific charitable contexts without a full PSV operator’s licence. Insurance must be specific to the s.19 use — a standard private-car policy does not cover a minibus operated under a s.19 permit.
The s.19 framework was the subject of consultation and reform discussion in the early 2020s; status as at May 2026: confirm current Department for Transport position before relying for new permit applications.
Some D&O policies include personal accident cover for trustees in the course of trustee duties. Where it is not included, a standalone trustee personal accident cover is inexpensive and worth considering — particularly where trustees travel or attend events on the charity’s behalf.
Where two charities merge — a not-uncommon outcome of pressure on smaller charities — the insurance picture changes materially. The acquiring or new entity must:
Mergers are insurance-relevant events; do not assume the policies follow without action.
Why this chapter matters. A short tour of the wrong assumptions we hear most often from charity boards.
Myth 1: “The charity has insurance, so I’m covered as trustee.” Not necessarily. The charity has its policies; trustee D&O is a specific cover that may or may not be in place. Check.
Myth 2: “Buying trustee insurance is a trustee benefit and not allowed.” It is allowed under section 189 of the Charities Act 2011. The board’s decision should be properly minuted.
Myth 3: “We don’t work with children so safeguarding doesn’t apply.” Safeguarding extends to adults at risk and to vulnerable beneficiaries generally. If your charity has any contact with vulnerable people, safeguarding is a board issue.
Myth 4: “Our public liability includes abuse and molestation.” Almost certainly it does not — it is a standard exclusion. The cover must be added explicitly.
Myth 5: “Volunteers don’t need insurance because they’re not employees.” They do — typically via an extension to EL and PL. Confirm it is in place.
Myth 6: “Cyber is for big charities.” Funders are asking smaller charities about cyber posture and a serious cyber incident is materially more disruptive to a small charity than a large one.
Myth 7: “Our raffle is fine — it’s a small one.” Maybe. The Gambling Act 2005 framework is specific and a “small” lottery is a defined category, not a casual descriptor. Check before running.
Myth 8: “We’ve got a safeguarding policy on the shelf — we’re compliant.” A policy without training, supervision and incident management is paper compliance. The Charity Commission expects substance.
Myth 9: “D&O covers regulatory fines.” It typically covers the legal defence cost but excludes the fine or penalty itself. The fine is uninsurable; the defence is usually covered.
Myth 10: “The trustees are personally protected because we’re a CIO.” Limited liability protects against creditor claims against the charity. It does not protect against breach of trustee duty. The duties are personal.
If you do one thing after reading this handbook, put trustee insurance on the agenda for the next board meeting. Pull the current schedules (D&O, public liability, employers’ liability, buildings, abuse and molestation extension, cyber if held), and walk the board through them in plain English. The first time this is done it usually takes an hour and surfaces at least one gap. After the first time, it is a fifteen-minute item once a year.
If you would like a second opinion on your current arrangements, or a broker who works with UK charities across the small-to-mid-market spectrum, we are happy to talk. No fee for a conversation, no obligation, and we will tell you honestly if your current arrangements look sensible to us.
Apex Insurance Brokers Ltd is a UK insurance broker, Bristol-based, working with charities and other not-for-profit and commercial organisations across England and Wales. We are an independent firm authorised by the Financial Conduct Authority since 2014.
Contact us: - Telephone: 0117 325 0027 - Email: info@apexinsurancebrokers.co.uk - Web: apexinsurancebrokers.co.uk
Trading address: QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ Registered office: c/o Westcan, 5 Anglo Office Park, Bristol BS15 1NT
This handbook is published by Apex Insurance Brokers Ltd, Companies House registration 07014570, authorised and regulated by the Financial Conduct Authority under firm reference 724952. You can verify our regulatory status on the FCA register at register.fca.org.uk.
General guidance only — not regulated advice. Always consult your broker on your specific cover and circumstances. This handbook is not legal, regulatory, tax or governance advice and it is not a personal recommendation as to any specific insurance product. Any decision about insurance cover should be taken having regard to your charity’s individual circumstances, its governing document, the law, and (where appropriate) advice from your own legal, governance and tax advisors. We do not undertake to update this guide to reflect changes in regulation, market practice or law after the version date above.
Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Reviewed by Matt Bartlett, Director, May 2026.
Last reviewed: May 2026
— End of handbook —
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
Get a quote