The Notification Clock Problem — Same Incident, Two Policies, Two Clocks

The most common technical failure that costs firms cover. The cyber policy’s events-discovered trigger and 72-hour breach notification window collide with the PI policy’s claims-made-and-notified trigger and the section 11 Insurance Act regime. The result is a trap that catches firms every quarter.


The scenario

A 60-partner accountancy and advisory firm in central London discovers, late on a Thursday evening in July, that a cluster of mailboxes has been compromised. The compromise has been live for around three weeks. The firm’s panel forensic team is deployed by midnight; the cyber insurer is notified by 9am Friday.

The 72-hour ICO notification clock runs out at 9pm Sunday. The firm makes a precautionary Article 33 notification on Saturday morning, holding open the question of whether the incident is a notifiable personal data breach pending forensic confirmation.

Over the following six weeks, the forensic and legal teams confirm that approximately 18,000 personal data records were exfiltrated, including some sensitive financial planning information about clients. The firm settles into a managed incident response. The cyber insurer is closely engaged. The ICO investigation begins formally.

In December, six months after the incident, the firm’s partner responsible for risk is preparing for the PI renewal in April. The risk partner asks the broker: did we notify under PI?

The firm has not. The cyber incident has been treated as a cyber matter; nobody made a PI notification.

In February the first civil claim from a data subject is received. The PI policy renews in April. The new PI insurer is asked to assume the claim. The new PI insurer asks: when did you become aware of circumstances that might give rise to a claim under the old policy?

The risk partner has to answer honestly: in July of the prior year.

The new PI insurer rejects the claim as a prior known matter. The old PI insurer rejects the claim as not notified within the policy period. The firm has lost the cover entirely.

This is the notification clock problem. It is preventable and it is the most common technical failure in our claims book.

The four notification clocks running simultaneously

When a cyber incident occurs, four notification obligations begin to tick:

Clock 1: UK GDPR Article 33 — ICO breach notification. 72 hours from awareness of a personal data breach. Mandated by regulation, not by the insurance contract.

Clock 2: UK GDPR Article 34 — affected individuals. “Without undue delay” where the breach is likely to result in a high risk to rights and freedoms. Mandated by regulation.

Clock 3: Cyber policy notification. “As soon as reasonably practicable” with most wordings, often paired with a hard maximum (30–90 days) and a condition precedent. Insurance-related.

Clock 4: PI policy notification. The PI policy responds to claims first made (or circumstances first notified) during the policy period. The notification of circumstances is the operative event for cyber-rooted PI claims, because the claim itself often arrives months later. Insurance-related.

The first three usually attract attention because they have specific time limits. The fourth — the PI circumstances notification — has a softer trigger with no fixed deadline, and that softness is exactly the trap.

The PI circumstances notification — what it actually requires

A standard PI wording will include a definition along the lines of:

Circumstances means any incident, occurrence, fact, matter, act, error or omission of which the insured first becomes aware during the policy period that might reasonably be expected to give rise to a claim under this policy.

When the insured becomes aware of circumstances and notifies the insurer within the policy period, the deemed effect is that any later claim arising from those circumstances is a claim under the policy in force at the date of notification — even if the actual claim arrives years later.

The trigger word is might. The threshold is low. A cyber incident that may have exposed client data might reasonably be expected to give rise to a claim. The firm does not need to be certain that a claim is coming; it needs to identify that the circumstances are capable of giving rise to one.

The Court of Appeal’s decision in J Rothschild Assurance Plc v Collyear [1998] CLC 1697 and the more recent line of authority including Kajima UK Engineering Ltd v Underwriters of QBE [2008] EWHC 83 (TCC) and Kidsons v Lloyd’s Underwriters [2008] EWCA Civ 1206 establish that the threshold is whether a reasonable insured would notify, not whether a claim is more likely than not.

The corollary: when in doubt, notify.

Section 11 Insurance Act 2015 — and what it does not do

Section 11 of the Insurance Act 2015 reformed the law on terms that operate as conditions precedent. The reform provides that where a term of a contract of insurance would tend to reduce the risk of loss of a particular kind, at a particular location or at a particular time, and the insured proves on the balance of probabilities that the non-compliance could not have increased the risk of the loss that actually occurred, the insurer cannot rely on the non-compliance to deny the claim.

The notification trigger is not covered by section 11. The notification trigger is the trigger of the policy — it is not a term reducing risk. A failure to notify within the policy period (or within a contractual period) means the policy never responds. Section 11 does not save it.

Section 11 does apply to ancillary notification requirements — e.g. a term requiring you to provide a written statement within 30 days of becoming aware. Failure to provide the statement may be saved by section 11 if it can be shown that the failure did not affect the loss. But the failure to notify the existence of circumstances within the policy period is fatal.

The four-way coordination failure

In the scenario above, the firm’s failure flowed from four points of breakdown:

The cyber incident response team did not include the PI broker. The cyber broker was engaged; the PI broker was not informed.

The PI broker was not asked to consider whether a notification of circumstances should be made under the existing PI policy.

The firm’s internal incident response runbook covered ICO, FCA and cyber insurer notifications but did not list PI notification as a routine step.

The PI policy renewal came up six months later and the renewal application asked about “claims and circumstances notified during the policy year” — by then it was too late.

The correct workflow

A best-practice cyber incident response runbook should include the following PI notification step, executed within seven days of the incident at the latest:

The PI broker is informed of the incident at the same time as the cyber broker.

The PI broker advises whether a notification of circumstances should be made under the existing PI policy.

Where the broker advises in favour, a notification letter is sent to the PI insurer describing the circumstances, naming the underlying incident, and reserving rights in respect of any later claim flowing from those circumstances.

The PI insurer’s response is recorded.

A diary note is created for the PI renewal date so that the circumstances notification is properly reflected in the renewal application.

The cost of this workflow is essentially zero. The cost of missing it can be the entire claim.

What to notify — the form of the PI circumstances notification

A typical PI circumstances notification letter for a cyber incident reads along these lines:

Dear Underwriters,

Notification of circumstances under section [reference] of the above policy.

We write to notify you of circumstances of which we have become aware that may reasonably be expected to give rise to a claim under the above policy.

On [date] the firm discovered that [brief factual description of the incident]. The forensic investigation is ongoing. Notification to the ICO and to affected data subjects under UK GDPR Articles 33 and 34 has been or will be made. We anticipate that affected data subjects may bring civil claims against the firm under Article 82 UK GDPR or in misuse of private information.

No specific claim has yet been made against the firm. We will keep underwriters informed of developments. We reserve our rights in respect of any later claim flowing from these circumstances.

[The firm’s contact for the matter is named.]

That single letter, properly sent within the policy period, deems any later claim flowing from the same circumstances to be a claim under the current policy. It is the single most important piece of paper in the cyber incident response process from a PI perspective.

Renewal disclosure — what to say in the application

At the next PI renewal, the application will ask:

About claims notified during the last (typically) five years.

About circumstances notified during the same period.

About any incidents that might have been notifiable but were not notified.

About any cyber events affecting the firm or its data.

Each of these must be answered accurately. The fair presentation duty under section 3 of the Insurance Act 2015 makes material non-disclosure a basis for proportionate remedy or avoidance. A cyber incident that you have notified to the cyber insurer is a material circumstance for the PI insurer regardless of whether claims have been made yet.

For more on fair presentation at PI renewal, see spoke 10.

Worked numerical example

A firm with a £10m PI limit notifies cyber properly but fails to notify PI within the policy period. A civil claim arrives 14 months later, valued at £2.6m. The old PI insurer (on risk when the circumstances arose) denies cover on non-notification. The new PI insurer (on risk when the claim is made) denies cover on prior known matter.

The firm pays the full £2.6m plus £450k defence costs out of its own funds. The cyber policy may pick up a portion under its third-party liability head (if that head is sufficiently broad to cover PI-style claims), but most cyber policies do not contemplate this as primary cover.

Net out-of-pocket: £3.05m on a preventable failure. The cost of the precautionary PI notification letter was zero.

The new-renewal trap

A subtler trap: the firm changes PI insurer at renewal. The new insurer’s retroactive date may exclude prior known matters. If the firm did not notify the old insurer of circumstances, and the new insurer’s retroactive date excludes the period in which the incident occurred, both policies decline.

The mitigation: at any change of PI insurer, the broker should review the cyber incident history and confirm in writing with the new insurer how prior cyber incidents are treated. A notification on inception of any historic cyber incidents may protect cover for later-developing claims.

Practical buyer takeaway

Add PI notification as an explicit step in your cyber incident response runbook. Day 1 or day 2 at the latest.

Brief your PI broker the moment a cyber incident is declared, alongside the cyber broker.

Send a precautionary circumstances notification under your PI policy for any cyber incident involving potential third-party loss. Cost of doing so: nothing. Cost of not: the entire claim.

Diary the PI renewal disclosure for every notified incident. The fair presentation duty applies.

Do not change PI insurer in the middle of a developing cyber incident without specialist broking advice.

Ensure your cyber policy contains an “as soon as reasonably practicable” notification clause, not a hard 72-hour condition precedent (negotiable in most markets).

Confirm in writing whether your cyber policy’s notification of an incident also counts as notification under any related policies in the same programme placed with the same insurer (some markets offer integrated notification mechanisms).

Train your senior team on what circumstances notification means and why it matters. The cost of a one-hour session is trivial.

FAQ

Q1. Can I make a precautionary notification just in case? Yes — most PI policies welcome and accept precautionary notifications. They cost nothing. They protect cover.

Q2. Does notifying my cyber insurer count as notifying my PI insurer? No — they are separate contracts. Notify each policy separately even if the underlying incident is the same.

Q3. If I notify circumstances and no claim ever materialises, what’s the consequence? At renewal you must disclose the notified circumstances. The renewal premium may be affected. The notification itself does not “use up” cover.

Q4. What’s the cyber policy notification deadline? Typically “as soon as reasonably practicable” with a hard maximum of 30–90 days. Many policies impose a 72-hour clock for personal data breaches to match Article 33. Read your wording carefully.

Q5. Does the cyber policy’s 72-hour clock run from forensic confirmation or from initial discovery? Initial awareness. The Article 33 clock similarly runs from awareness, not from forensic confirmation. Make the notification on awareness and update with forensic findings.

Q6. What if my broker is on holiday and I can’t get notification advice quickly? Make the notification yourself. A short factual notification within the relevant window is better than a polished one outside it.

Q7. What’s the difference between notifying a “claim” and notifying “circumstances”? A claim is a demand for compensation made against the firm. Circumstances are facts that might give rise to a claim. The trigger word is might — the threshold is low.

Q8. Does my retroactive date matter? Yes — for both cyber and PI. The retroactive date excludes losses or events that occurred before that date even if they are notified during the policy period. Match retroactive dates across cyber and PI to avoid a gap.

Sources

Insurance Act 2015, sections 3 and 11.

UK GDPR Articles 33 and 34.

J Rothschild Assurance Plc v Collyear [1998] CLC 1697.

Kajima UK Engineering Ltd v Underwriters of QBE [2008] EWHC 83 (TCC).

Kidsons v Lloyd’s Underwriters [2008] EWCA Civ 1206, and the HLB Kidsons v Lloyd’s Underwriters line of authority on circumstances notification.

Standard market PI and cyber policy notification wordings.

Related

Hub: Cyber vs PI — where cover ends and begins

Spoke 1: Solicitor data breach claim

Spoke 5: Data Protection Act 2018 / UK GDPR — civil claim coverage

Spoke 10: Broker due diligence at PI renewal

Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
