Insurance and legal commentary, not advice on your specific position. Aggregation outcomes are highly fact-sensitive — consult your broker and legal advisors. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
Cyber and data breach aggregation — the emerging issue in PI
Cyber and data breach aggregation is the fastest-evolving area of aggregation drafting in 2026. The combination of supply-chain attacks (Kaseya, MOVEit, Capita), ransomware-as-a-service operators hitting multiple firms simultaneously, and the regulatory framework that turns one breach into hundreds or thousands of consumer claims has produced wordings, exclusions and sub-limits unique to this corner of the market. PI cover and standalone cyber cover both engage with the question — sometimes with conflicting answers.
This article is Spoke 11 of the Apex hub on aggregation and series clauses in PI insurance.
Plain English explanation
A regulated firm suffers a cyber incident. Personal data of 50,000 customers is exfiltrated. The firm faces (a) regulatory fines (ICO), (b) consumer claims for misuse of private information and breach of statutory duty, (c) third-party claims by clients whose data was caught up in the breach, and (d) first-party losses from business interruption, ransomware payments, forensics and notification.
The PI policy may respond to (b) and (c) if the firm's negligent handling of data caused the claims (e.g. failing to patch a known vulnerability). The cyber policy may respond to (a), (d) and (b)/(c). The question of how those claims aggregate — is it one breach, one event, one originating cause, or many — decides whether the cover responds once or many times.
The drafting has not settled. Some wordings treat a single cyber event as one occurrence regardless of the number of affected systems or victims. Others fragment by victim, by system or by jurisdiction. Some have bespoke aggregation for supply-chain events.
The two-policy interaction
Most regulated firms have both PI and standalone cyber cover. The two interact:
PI cover. Responds to third-party claims arising from the firm's professional negligence in handling data, software or systems. Aggregation under standard PI wording (originating cause / series of related matters / similar acts in related matters).
Cyber cover. Responds to first-party and third-party cyber losses. Aggregation under bespoke cyber wording — typically a "cyber event", "cyber incident" or "single source / single source code" concept.
The wordings differ. A claim that aggregates broadly under cyber wording might fragment under PI wording, or vice versa. The interaction is often the most expensive line in a major cyber claim because contribution between insurers can absorb months of broker time.
Cyber aggregation wordings — the current landscape
Three families dominate cyber aggregation drafting in 2026:
"Cyber event" aggregation. The standard market wording. All losses arising from a single cyber event aggregate. "Cyber event" is then defined — typically as "any single incident, single connected series of incidents or single related set of cyber-attacks". A ransomware deployment is one event; a phishing campaign with multiple successful logins is one event; a supply-chain compromise is one event.
"Single source / single source code" aggregation. Aggregates by reference to the underlying technical source. All losses arising from exploitation of the same vulnerability, the same backdoor, the same compromised vendor or the same malware family aggregate. Adopted by some insurers post-MOVEit.
"Same originating cause" aggregation. Imports the Spire-style originating cause language into cyber wording. Broadest. Aggregates losses arising from a single root cause, which in cyber terms can be very broad indeed (e.g. failure to maintain proper patching as a single cause across multiple separate incidents).
The choice of wording produces different outcomes on the same facts.
How the standard cyber wordings handle a supply-chain event
Take the MOVEit-style scenario: a vendor's file transfer software has a zero-day vulnerability. Many of the vendor's customers (including a regulated firm) use the software. The vulnerability is exploited. Data from each customer is exfiltrated.
Under "cyber event" aggregation: the exploitation of the vulnerability is one event affecting many customers. Each customer's policy sees one event. Aggregation succeeds.
Under "single source" aggregation: the same vulnerability is the source for all losses. Aggregation succeeds.
Under "originating cause" aggregation: the vendor's failure to patch is the originating cause. Aggregation succeeds at scale.
Under the PI policy's "series of related matters or transactions" rung: less clear. The customer-facing relationships (clients of the regulated firm) are not necessarily related to each other. Each client's data exfiltration is its own loss. Aggregation under the PI rung is uncertain.
The result: the cyber policy aggregates everything cleanly; the PI policy may or may not. This is one reason cyber cover is essential alongside PI cover even where PI nominally covers data breach liability.
Worked example with numbers
Take a regulated professional firm with a £2 million PI limit, £25,000 PI excess, and a separate £5 million cyber policy with a £50,000 cyber retention. Cyber event: a MOVEit-style vulnerability exploited by an attacker, leading to exfiltration of the personal data of 30,000 clients. Each client claims £2,000 in distress damages, and the ICO imposes a relatively small fine of £500,000.
Total third-party claims: 30,000 × £2,000 = £60 million. ICO fine: £500,000.
Cyber policy response (assume cyber event aggregation): one event. £5 million cyber limit. £50,000 retention (treated here as eroding the limit). Insurer pays £4.95 million toward the £60 million. £500,000 ICO fine within limit (if cover extends). Firm liability: £55 million unfunded.
PI policy response (assume aggregation succeeds under series rung): one claim. £2 million limit. £25,000 excess. Insurer pays £1.975 million. Firm liability: £58 million unfunded.
Combined response: if both policies respond and aggregation is broad in each, the firm has approximately £7 million of cover against £60 million of claims. The remaining £53 million is unfunded.
This is the central reason why standalone cyber limits have moved sharply upward over the last three years. Firms exposed to mass data sets routinely now carry £25 million to £100 million cyber towers, with PI sitting as a backstop for professional negligence aspects.
The Lloyd's "cyber-attack exclusion" and "war" overlay
Two further drafting overlays bear on cyber aggregation:
Lloyd's mandatory cyber-attack exclusion (LMA5400 series). Since 2023 most Lloyd's policies, including PI policies, exclude losses arising from cyber-attacks unless cyber cover is expressly written back. This is a coverage question, not an aggregation question, but it means the PI policy may not respond to cyber-originated losses at all.
War / cyber war exclusions. State-sponsored cyber attacks are increasingly carved out. Aggregation under the carve-out is irrelevant because there is no cover.
Ask your broker to confirm which version of the LMA series applies to your PI policy and whether your cyber tower has cyber-attack write-back.
Sector implications
Solicitors. Mass data sets in conveyancing and probate. MOVEit-style supply-chain events have hit law firms hard. PI cover is patchy depending on cyber-attack exclusion. Standalone cyber essential.
Surveyors. Less personal data exposure but operational disruption risk significant. Cyber cover for ransomware and BI is standard.
Architects. Similar to surveyors. IP loss risk significant.
IFAs. Significant personal data exposure. Cyber cover essential. PI/cyber interaction complex.
Accountants. Mass financial data. Cyber cover essential. Audit and tax services particularly exposed.
IT consultants. The PI / cyber boundary is hardest here because the consultancy itself involves data and systems. See the IT/tech consultant PI proposal completion guide.
What this means for your firm
Buy standalone cyber cover sized for your data exposure. PI cover alone is not adequate for cyber exposure. Cyber limits should be sized against the realistic number of affected data subjects × the realistic per-subject claim value plus regulatory fines.
Clarify cyber-attack exclusions in your PI. Have your broker confirm the LMA series and whether cyber-attack write-back applies.
Coordinate notifications across PI and cyber insurers. A cyber event with PI implications needs notification to both carriers, with consistent factual narrative. Inconsistent notifications create coverage disputes between insurers.
Map your aggregation triggers across both policies. A cyber event might aggregate under cyber wording but fragment under PI wording. Understand which dimensions of loss go to which insurer.
Stress-test supply-chain risk. Identify the third-party software and services where a single vulnerability could compromise your data or systems. MOVEit was unforeseen by most users; the next supply-chain event will be too.
How cyber aggregation differs from PI aggregation
Trigger language. Cyber wordings use bespoke triggers (cyber event, cyber incident, single source) not found in PI wordings.
Aggregation scale. Cyber events typically aggregate at much larger scale (thousands of victims under one cyber event) than PI clusters (typically dozens to hundreds).
Time horizon. Cyber claims often emerge in weeks or months; PI claims emerge over years. Aggregation analysis in cyber proceeds faster.
Regulatory dimension. Cyber events have a regulator (ICO) and statutory framework that drives consumer claims. PI claims are usually contract-based.
FAQs
Q1. Does my PI policy cover data breach claims? Sometimes, depending on cyber-attack exclusions and write-back. Read your policy carefully.
Q2. Do I need standalone cyber cover if I have PI? For any firm holding meaningful personal data: yes. PI alone is not adequate.
Q3. How do cyber events aggregate under standard cyber wording? Typically as a single event regardless of the number of affected systems or victims. Wording varies.
Q4. Does MOVEit aggregate as one event for all affected firms? For each affected firm, the MOVEit exploitation is one event. Cross-firm aggregation (i.e. insurers aggregating across all their MOVEit-affected insureds) is a different question, typically handled at reinsurer/treaty level.
Q5. How does the Lloyd's cyber-attack exclusion affect PI cover? It excludes cyber-attack-originated losses unless written back. Most PI policies in 2026 either exclude cyber-attack losses or include limited write-back.
Q6. Is regulatory fine cover available? Some cyber policies cover regulatory fines where insurable as a matter of law. Insurability varies by jurisdiction. ICO fines are generally insurable in England and Wales.
Q7. How do PI and cyber insurers handle contribution disputes? Usually through other-insurance clauses and rateable contribution under the Civil Liability (Contribution) Act 1978. Disputes can take months to resolve and can delay claim payments.
Q8. Should I buy a combined cyber-PI policy? Some insurers offer combined cyber-PI products that close the contribution gap. Worth considering for firms where the two exposures are tightly intertwined (IT consultants, fintech).
Q9. How does cyber aggregation interact with the SRA / RICS / FCA frameworks? The regulators do not prescribe cyber aggregation wording. Standard PI minimum requirements apply; cyber cover sits outside.
Q10. What is the single most important step in 2026? Get your broker to map your cover stack — PI + cyber + crime + fidelity — against your three worst-case cyber scenarios. Identify gaps, contribution issues and aggregation conflicts.
Related reading
- Aggregation hub
- Spoke 2 — Spire Healthcare v RSA
- Spoke 8 — Originating cause vs matter
- Spoke 10 — Conveyancing fraud aggregation
- Spoke 12 — Negotiating aggregation at renewal
- IT/tech consultant PI proposal completion guide
- Insurance Act 2015 overview
Schema markup
{
"@context": "https://schema.org",
"@graph": [
{
"@type": "Article",
"headline": "Cyber and data breach aggregation in PI — the emerging issue",
"datePublished": "2026-06-04",
"dateModified": "2026-06-04",
"author": {"@type": "Organization", "name": "Apex Insurance Brokers Limited"}
}
]
}
Last reviewed 4 June 2026.