FCA FRN 724952  ·  Co. No. 07014570  ·  Bristol

Cyber Exclusion in PI Insurance — What It Means and Why It Matters

A cyber exclusion in a professional indemnity policy is a clause that removes cover for any claim or loss that arises from a cyber event — unauthorised access to systems, malware, ransomware, denial of service, data corruption or the failure of electronic security. It does not remove cover for the firm’s ordinary professional services; it carves out the digital-incident pathway as a separate exposure that the insurer expects the firm to address through a standalone cyber policy.

The clause has become standard wording on most UK professional indemnity policies since around 2020, following insurance market guidance and reinsurance pressure to separate cyber risk from traditional liability covers. The detail of the exclusion matters: a narrow cyber exclusion still leaves PI cover for the professional consequences of a cyber incident, while a broad one shuts the door more completely.

For the wider picture of how PI cover is structured, see the Ultimate UK Professional Indemnity Insurance Guide 2026.

What a cyber exclusion means in PI insurance

In a PI policy, a cyber exclusion is a clause stating that the insurer will not pay for loss, damage, liability, cost or expense arising directly or indirectly from a defined list of cyber-related causes. The list typically includes the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process. It also typically captures unauthorised access, denial of service attacks, and the corruption, destruction or distortion of electronic data.

The exclusion exists because cyber risk is now treated by the global insurance market as a distinct line of business, with its own underwriting model, its own claims patterns and its own reinsurance arrangements. PI underwriters write to a model that assumes professional error is the trigger; they do not want to pick up cover for ransomware extortion, business email compromise or large-scale data breach where the trigger is criminal interference with systems.

The Lloyd’s Market Association has issued model cyber exclusion wordings (LMA5400 family and successor clauses) which many UK PI insurers have adopted or adapted. The wording is not identical between insurers, and the differences between a “war and cyber” exclusion, a “cyber and data” exclusion and a “silent cyber” carve-back all matter.

How it works in practice

Most UK PI policies now sit somewhere on a spectrum between three broad approaches:

Full cyber exclusion. The policy excludes any claim arising directly or indirectly from a cyber event. This is the most restrictive position. If a client sues the firm for losses connected to a cyber incident — even where the firm’s professional advice was the underlying cause — the insurer can decline.

Cyber exclusion with professional services carve-back. The policy excludes cyber events as a first-party loss but preserves cover where the firm’s professional negligence is the proximate cause of the claim, even if a cyber pathway is involved. This is the most common position in 2026 and is the wording most firms should expect to see.

Affirmative cyber cover within PI. A small number of insurers still write PI with affirmative cyber cover bolted on, typically with a modest sub-limit. This is becoming rare and is mostly seen on packaged products for very small firms.

The practical test, when a claim is being assessed, is whether the chain of causation runs through a cyber event in a way the exclusion captures. A negligent piece of advice that happens to have been sent by email is not a cyber claim. A negligent failure to advise a client to encrypt sensitive data, followed by a breach of that data, may or may not be — depending on whether the wording excludes claims “arising from” cyber events or claims “caused by” cyber events.

Worked example with realistic figures

A Bristol-based IT consultancy with annual fee income of £400,000 carries £1m of PI cover with a £5,000 excess and a £5m turnover. The policy contains a standard cyber exclusion with a professional services carve-back.

The consultancy advises a retail client on configuring a cloud backup system. The advice is incomplete — a key permission setting is not reviewed — and eighteen months later the client suffers a ransomware attack that exploits the misconfiguration. The client’s loss is £350,000 in business interruption, recovery costs and a regulatory fine for inadequate data protection.

Under the policy:

Now consider the same facts with a full cyber exclusion and no carve-back. The insurer would likely decline on the basis that the loss arises directly or indirectly from a cyber event, regardless of the firm’s professional input. The firm would bear the £350,000 itself or fall back on any standalone cyber policy it holds — which, for an IT consultancy advising on systems it does not own or operate, may not respond either.

The numbers used here are illustrative. Actual premiums vary widely with risk profile, fee income, claims history and market conditions.

When this matters most

The cyber exclusion bites hardest where the firm’s professional work touches digital systems directly. The sectors most exposed are IT consultancies, software developers, managed service providers, web designers, digital agencies, fintech advisers and any consultancy that handles or recommends solutions for client data.

It also matters for firms whose work involves holding client data — solicitors, accountants, surveyors, architects with project data, healthcare practices, recruitment agencies and HR consultancies. A data breach at the firm itself, where client information is exposed, can produce both a regulatory exposure under UK GDPR and a civil claim from the client. PI cover with a broad cyber exclusion will not respond to either pathway; a standalone cyber policy is needed.

For smaller firms with limited digital touchpoints — a sole-trader chartered surveyor doing residential valuations, for example — the cyber exclusion is less commercially significant, but the standalone cyber market is also affordable enough that the cover should still be considered.

Common variations and market wording

Different insurers use different language. The variations that matter most:

“Cyber event” definition. Narrow definitions limit the exclusion to unauthorised access and malware. Broader definitions sweep in any failure or interruption of computer systems, including accidental data loss or software bugs. A broad definition can catch claims that would not intuitively read as “cyber”.

Direct vs indirect causation. Wordings that exclude claims “arising directly or indirectly from” a cyber event are wider than those that exclude claims “caused by” a cyber event. The “indirectly” language is meaningful — it lets the insurer follow the chain of causation a step further back.

Bodily injury and property damage carve-back. Some PI policies preserve cover for bodily injury and tangible property damage arising from a cyber event. This is less relevant to most PI risks but matters for engineers, surveyors and similar.

Regulatory fines carve-out. Most cyber exclusions are silent on regulatory fines under UK GDPR; some make clear that fines are excluded regardless. See the related definition on fines and penalties for more.

War and cyber combined clauses. Following the Merck v ACE judgment in the US and similar reasoning in the London market, many insurers now use combined war-and-cyber exclusion wordings that exclude cyber operations attributable to a state or state-like actor. This sits alongside the ordinary cyber exclusion.

Related concepts

A cyber exclusion is closely related to the loss of documents extension, which addresses physical and electronic document loss in a way that pre-dates the modern cyber exclusion and now sits in an awkward overlap with it. It also interacts with the breach of contract cover where the breach involves a data protection obligation. Firms with both PI and cyber policies should also understand the civil liability extension, which broadens PI cover to civil liability generally and can affect how the two policies dovetail.

Frequently asked questions

Does every UK PI policy now have a cyber exclusion?

Almost all PI policies written in the UK since 2022 contain some form of cyber exclusion or cyber clarification clause, following Lloyd’s Market Bulletin guidance issued in 2019 requiring insurers to address “silent cyber” exposure. The breadth of the exclusion varies. Older policies still in force on long-tail run-off may not contain modern cyber language and can leave the position ambiguous on incidents notified now.

Does a cyber exclusion mean my PI won’t pay for any digital claim?

No. Most current PI policies preserve cover where the firm’s professional negligence is the underlying cause of the claim, even if digital systems are involved. The exclusion typically bites where the trigger is a discrete cyber incident — ransomware, hacking, denial of service — rather than a professional error that happens to involve digital systems. Read the carve-back wording with care.

Do I still need a standalone cyber policy if my PI has a carve-back?

Generally yes. The PI carve-back only responds to claims by clients alleging professional negligence. A standalone cyber policy responds to the firm’s own first-party losses — ransom payment, business interruption, breach response costs, regulatory investigation costs and credit monitoring for affected individuals. These are not the same exposures and PI does not duplicate them.

Does the cyber exclusion affect cover for UK GDPR fines?

UK GDPR regulatory fines are not insurable as a matter of public policy in most circumstances, and most PI policies exclude them explicitly regardless of cyber wording. Cyber policies may provide cover for the investigation costs and legal expenses arising from a regulator’s enquiry, but the fine itself is typically uninsurable. See the related definition on fines and penalties.

Is a “cyber event” the same as a “data breach” in the policy?

Not exactly. A cyber event in policy wording usually means an unauthorised or malicious interaction with computer systems — hacking, malware, denial of service. A data breach is broader and can include accidental disclosure, lost devices and insider error. Some PI cyber exclusions capture both, others only the malicious pathway. The definitions section of the policy is where to look.

Does the exclusion apply to claims about advice on cyber security?

A claim by a client that the firm gave negligent cyber security advice is, in principle, an ordinary PI claim. Most policies with a professional services carve-back will respond. However, where the firm is being sued for failing to prevent a specific incident, insurers sometimes argue that the proximate cause is the incident itself and decline. Wording matters and the position can be contested.

Can the cyber exclusion be removed or narrowed?

Some insurers will agree to narrow the exclusion — for example, by limiting it to claims arising directly from a cyber event rather than directly or indirectly. A few will offer affirmative cyber cover within the PI policy, usually with a sub-limit. Both options are available mainly to better-risk firms with robust cyber controls. Most small-to-mid firms will carry the standard exclusion and place separate cyber cover.

How does the cyber exclusion affect run-off cover?

Run-off cover normally continues on the same terms as the last working policy, including any cyber exclusion. A firm closing down with a long tail of past digital work should consider whether standalone cyber run-off is also needed. Cyber policies are usually written annually with retroactive cover, so a lapsed cyber policy can leave a gap that the PI run-off does not fill.


About Apex Insurance Brokers Ltd

Apex Insurance Brokers Ltd is a Bristol-based insurance broker authorised and regulated by the Financial Conduct Authority, firm reference number 724952. The firm is registered at Companies House under number 07014570. We can be contacted at info@apexinsurancebrokers.co.uk or on 0117 325 0027.

Last reviewed: May 2026 by Apex Insurance Brokers Ltd.

Important: this article is general information, not advice on your specific circumstances. For advice on PI insurance for your firm, contact us on 0117 325 0027 or info@apexinsurancebrokers.co.uk.

