Broker Due Diligence — What to Disclose at PI Renewal About Cyber Events

The fair presentation duty under section 3 of the Insurance Act 2015. Why a cyber incident must be disclosed on a PI proposal form even when no PI claim was made. The remedies for non-disclosure: proportionate, draconian, and the avoidance trap.


The scenario

A 45-fee-earner SRA-regulated firm experienced a phishing attack in October that led to compromise of a single mailbox and limited data exfiltration. The cyber policy responded; the ICO was notified and closed the matter with informal advice. Total cyber payout: approximately £180k. No PI claim was made or notified — the incident was contained quickly and no client suffered loss.

In the following March the firm’s PI renewal application is being completed. The renewal application includes the question:

Have any cyber incidents, data breaches, ransomware events or significant attempted compromises affected the firm in the last [five] years?

The risk partner pauses. There is no PI claim. The cyber matter was resolved. Does it have to be disclosed?

The answer is yes. The reason matters, and the consequences of getting this wrong can be the loss of the entire PI policy.

The fair presentation duty — section 3 Insurance Act 2015

Section 3 of the Insurance Act 2015 requires the insured to make a fair presentation of the risk to the insurer before the contract is entered into. The duty is active. The insured must disclose:

Every material circumstance the insured knows or ought to know.

Sufficient information to put a prudent insurer on notice that it needs to make further enquiries to reveal other material circumstances.

A circumstance is material if it would influence the judgement of a prudent insurer in determining whether to take the risk and, if so, on what terms. The test is objective: would a prudent insurer care?

For a PI insurer underwriting a professional services firm in 2026, a cyber incident is highly material. The reasons:

The incident may indicate weaknesses in the firm’s information security controls, which is itself a PI risk indicator (because PI cover is wider than cyber and many cyber-rooted claims are PI claims).

The incident may have given rise to circumstances notifiable under the PI policy itself, which the prudent insurer needs to assess.

The incident may indicate a pattern of risk that affects the underwriter’s appetite and pricing.

The PI insurer’s questions about cyber are precisely the questions that signal materiality. If the insurer is asking, the answer is material.

The new-renewal trap

The trap that catches firms most often: at a new insurer renewal, the firm is asked about cyber incidents. The new insurer’s underwriting question is a clear signal that the matter is material.

If the firm answers “no” because no PI claim was made — incorrectly thinking the question is about claims, not incidents — the firm has failed the fair presentation duty.

Section 8 of the Insurance Act 2015 sets out the remedies for breach of the duty:

If the breach was deliberate or reckless, the insurer may avoid the contract, retain the premium, and refuse all claims under it.

If the breach was neither deliberate nor reckless — typically a careless non-disclosure — the remedy is proportionate:

If the insurer would not have entered the contract, avoidance with return of premium.

If the insurer would have entered the contract on different terms, the contract is treated as having included those terms (e.g. a higher excess, a cyber exclusion).

If the insurer would have charged a higher premium, claims are reduced proportionately.

The “would have” question is determined by reference to the insurer’s underwriting practices at the time of placement. The insurer must prove what it would have done.

In practice the proportionate remedies are difficult for insurers to apply. The path of least resistance is often to avoid — and the firm then faces the burden of proving the non-disclosure was not deliberate or reckless.

What “material circumstance” means in practice

A cyber incident is materially disclosable even where:

There was no PI claim.

No client suffered loss.

The ICO did not impose a fine.

The cyber policy paid in full.

The incident was contained quickly.

The disclosure is about the risk indicator, not about the financial impact. A near-miss is materially disclosable. An attempted attack that was blocked may also be disclosable depending on its character.

The form of disclosure should be:

Factual description of what happened.

Date of discovery.

Cause and root cause analysis (insofar as known).

Remediation actions taken.

Notification status with regulators.

Quantum of cyber policy payment.

Any current circumstances notification under the existing PI policy.

Lessons learned and ongoing improvements.

A short paragraph is usually sufficient; an extensive memo is not necessary. Better to err on the side of disclosure.

The disclosure of cyber controls

The fair presentation duty also extends to the firm’s current cyber controls. Modern PI proposal forms ask:

MFA on all email accounts: yes/no.

EDR on all endpoints: yes/no.

Patching cycle: time to patch critical CVEs.

Backup testing frequency.

Phishing simulation programme: in place yes/no.

Cyber awareness training: frequency.

Privileged access management: yes/no.

Each of these answers is a material representation. If MFA was partially deployed at the time of placement but the firm answered “yes”, the answer is materially incorrect. The remedy may be proportionate (the insurer would have charged more for an MFA-incomplete firm) or, where the incorrect answer affected the loss, more aggressive.

The fair presentation duty applies to information the insured knows or ought to know. A senior partner’s actual knowledge counts. The information held by the firm’s IT manager counts (because the IT manager is an “employee” whose knowledge is attributed to the firm). The information held by an outsourced IT vendor probably does not count automatically unless attributed by contract or by the firm’s own knowledge of the vendor’s report. Section 4 of the Insurance Act 2015 clarifies whose knowledge is the insured’s.

The “deliberate or reckless” test

The most dangerous outcome for a firm is a finding of deliberate or reckless non-disclosure. The consequences (full avoidance, no premium return for the proportion of the policy term elapsed, all claims refused) are devastating.

The test for deliberate is straightforward: did the insured know the information was relevant and intentionally withhold it? The test for reckless is more subtle: did the insured close their mind to whether the information was relevant?

A firm whose risk partner consciously decided not to disclose a known cyber incident risks a finding of recklessness. The standard mitigation is full disclosure even where doubt exists about materiality.

Practical example — same firm, two paths

Path A. The firm completes the PI renewal application accurately, disclosing the October cyber incident. The PI insurer adjusts its quote: premium up 15%, excess up to £75k from £50k, with a specific endorsement noting the disclosed incident. The placement proceeds.

Path B. The firm completes the PI renewal application without disclosing the cyber incident. The PI insurer issues a standard quote. The placement proceeds at lower premium and excess.

Two years later, a civil claim arises from the original incident — a data subject from the October exfiltration files an Article 82 claim. The PI insurer investigates, discovers the non-disclosure, and seeks to avoid the policy.

Under section 8 the insurer must establish either (a) deliberate or reckless non-disclosure (giving avoidance) or (b) what it would have done with full disclosure. Almost certainly (b) would have produced a different premium and terms, so the proportionate remedy applies. The insurer reduces the claim payment by reference to the premium differential — a ~15% reduction. Worse, the insurer applies an excess of £75k rather than £50k. The firm bears the difference.

If the underwriter’s evidence is that it would not have written the risk at all without further enquiry (which is plausible for a firm with a recent incident), the remedy is avoidance and the entire claim is uninsured.

The cost of Path A — a 15% premium uplift and a £25k higher excess — is essentially negligible compared with the cost of Path B in the worst-case outcome.

Disclosure across the cyber-PI programme

The fair presentation duty applies to each policy independently. When the cyber policy is being renewed, the question is materiality to the cyber insurer. When the PI policy is being renewed, the question is materiality to the PI insurer.

Information that is material to one is usually material to both, but the wording of the disclosure may differ:

Cyber proposal: detail on the technical incident, controls, response capability.

PI proposal: detail on the professional services impact, client communications, regulatory engagement.

A single broker placing both policies can coordinate disclosure so that the same factual core is presented appropriately to each market. A divided broker arrangement risks inconsistent disclosures, which themselves can be problematic.

What to disclose — a checklist

For any PI renewal following a cyber incident in the relevant lookback period:

The incident itself: date, scope, vector, affected data.

Whether the incident was notified to the ICO, FCA or other regulators.

Whether the incident was notified under the existing PI policy as circumstances.

Whether any civil claims have been made or are anticipated.

Whether any clients have raised concerns.

The cyber insurer’s payment for the incident response.

The firm’s remediation actions including controls implemented post-incident.

Updated information on current cyber controls.

The firm’s incident response plan and any updates.

Any current Skilled Persons review under FSMA s.166 if applicable.

For SRA firms, any SRA engagement post-incident.

For FCA firms, any FCA engagement post-incident.

What to disclose — a sample paragraph

In October the firm discovered unauthorised access to a single mailbox arising from a phishing attack. Limited exfiltration of personal data affected approximately 312 client records. The matter was notified to the ICO; the ICO closed the matter on 23 January with informal advice. No civil claims have been made. The firm’s cyber insurer paid approximately £180,000 in incident response, forensic and legal costs. The cause was identified as a single click on a phishing email by a paraplanner; MFA was bypassed via a session-token capture. The firm has implemented FIDO2 hardware-key MFA for all administrative accounts as of 14 November and rolled out enhanced phishing simulation training. We notified circumstances under our prior PI policy on 1 November and the prior PI insurer acknowledged receipt and reserved rights without making any coverage determination. No subsequent claims have been notified.

This level of factual disclosure protects the firm and supports the insurer’s underwriting properly.

The broker’s role

A professional broker (and we hope Apex is one of them) will:

Walk through the disclosure obligations with the firm before the renewal application is completed.

Identify all material circumstances arising from cyber incidents, near-misses, control changes and personnel changes.

Draft the disclosure in suitable form for the proposal.

Confirm with the firm that the disclosure is accurate and complete.

Place the risk with the disclosure clearly recorded so that future disputes about what was disclosed are avoided.

Maintain a placing file recording the disclosure, the underwriter’s questions and the resulting terms.

Where complex disclosures are involved (e.g. a major incident, multiple controls changes, a pending regulatory action), the broker may also obtain legal advice on the form of the disclosure.

Practical buyer takeaway

Treat every cyber incident as material for PI renewal. The default is disclosure.

Maintain a cyber incident register at all times. Include date, nature, scope, response, regulator engagement, cyber payments and remediation.

Make sure your IT team and your risk team feed into the renewal process. The IT team holds information the risk team needs.

Send the proposal answers to the broker for review before submitting. The broker should challenge any “no” answer to cyber questions where there has been any incident.

Document the proposal disclosure in a separate file. Keep it for the policy’s full retention period (usually 7 years post-expiry).

Renew cyber and PI together with the same broker where possible. Coordination is much easier.

Don’t change PI insurer mid-incident-response. The new insurer’s retroactive date may bite.

Brief your senior partners on the proportionate remedy regime. The default assumption that “the insurer will probably pay anyway” is wrong.

FAQ

Q1. What’s the lookback period for disclosable incidents? Most proposal forms ask for 5 years. The fair presentation duty extends to any material circumstance, regardless of period. Older incidents may still be material if they affect current risk.

Q2. Is a near-miss (attempted attack blocked) materially disclosable? Possibly. A sophisticated near-miss that illustrates the firm’s threat profile may be material. A routine phishing email blocked by the email filter probably is not. Document and ask.

Q3. What if I disclosed but the underwriter didn’t ask follow-up questions? The duty is to make a fair presentation; the insurer’s failure to ask follow-ups does not extinguish the duty. But where the insured has presented information that should have prompted further enquiry, the insured has discharged the duty (this is the section 3(4) reasonable enquiries provision).

Q4. What if the firm’s IT manager knew about an incident but the partners didn’t? The IT manager’s knowledge is attributed to the firm. The fair presentation duty applies. Lack of partner-level awareness is not a defence.

Q5. Does the duty apply at variation as well as at inception? Yes — section 7 of the Insurance Act 2015 extends the duty to variations. A material change in risk during the policy period (e.g. acquisition of another firm, change of cyber controls) may require disclosure mid-term.

Q6. What if I disclose and the insurer won’t renew? A real possibility for severely-affected firms. The mitigation is to present the disclosure positively: incident + remediation + improved controls + stronger overall risk profile. Many firms emerge from incidents better-defended than before.

Q7. Is the broker liable if I follow their advice incorrectly? A broker who advises non-disclosure of a material matter may be liable for negligent broking advice. The firm’s first recourse is the broker’s PI; the firm’s second recourse is the broker’s regulator (FCA in the case of insurance broking). But the firm itself remains liable for fair presentation.

Q8. Can the insurer avoid the policy retroactively for non-disclosure? Yes. Avoidance under section 8 unwinds the contract from inception. The firm is treated as if it never had cover. This is the worst-case outcome and the reason for thorough disclosure.

Sources

Insurance Act 2015, sections 3 (fair presentation), 4 (knowledge of the insured), 5 (knowledge of the insurer), 6 (knowledge), 7 (variations), 8 (remedies for breach of duty).

FCA Insurance: Conduct of Business Sourcebook (ICOBS).

SRA Code of Conduct for Firms.

Investors Compensation Scheme Ltd v West Bromwich Building Society [1998] 1 WLR 896 (principles of contractual interpretation).

Versloot Dredging BV v HDI Gerling [2016] UKSC 45 (fraudulent claims and the materiality threshold).

British Insurance Brokers’ Association (BIBA) practice guidance on proposal form completion.

Related

Hub: Cyber vs PI — where cover ends and begins

Spoke 1: Solicitor data breach claim

Spoke 6: The notification clock problem

Spoke 9: Cyber insurance for IFAs and wealth managers

Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
