Ransomware Affecting Client Deliverables — Claim Coverage Analysis

Cyber for the ransom, PI for the missed deadline and the damages to the client. The interaction explained with a worked architect’s example.


The scenario

A 24-architect mid-market practice in Manchester is engaged on the redevelopment of a former mill site. The client is a property developer with a six-month option on the land, exercisable on submission of an outline planning application. Outline planning submission is the trigger. The architect is contractually obliged to file the application by 15 May or the developer loses the option, and with it an estimated £2.4m of development gross profit.

On Friday 9 May, the practice’s network is hit by a ransomware attack. The attacker, a known ransomware-as-a-service operator on the OFAC list of blocking but not embargoed designations, encrypts the practice’s file server, the BIM model repository, the financial system and, critically, the email archive and the version-controlled drawings. The ransom demand is $1.8m. The attacker also threatens to publish 240GB of files including drawings, client correspondence and HR data.

The practice declares the incident to its cyber insurer’s panel within two hours. The forensic firm and the panel law firm are deployed by Monday morning. Backups exist but are old (the last successful offsite restore point is 4 May, five days before the encryption) and partial (the BIM repository was excluded from the offsite backup as too large). Restoration is estimated to take ten working days even with full ransom payment and decryption key cooperation.

The practice misses the 15 May filing deadline. The developer’s option lapses on 18 May. The developer sues the practice for £2.4m.

The legal and regulatory framework

Contractual liability to the developer. The practice’s appointment terms incorporate a standard form (RIBA Plan of Work-aligned client appointment with bespoke amendments). The deadline obligation is a contractual one and the developer’s claim is for breach of contract leading to consequential loss.

Negligence claim. Parallel cause of action available to the developer in tort, though contractual remedy is usually the cleaner route where there is privity.

Liability cap in appointment. The practice’s appointment contains a £2m aggregate liability cap. The developer’s claim is therefore capped contractually, though the developer is likely to challenge the cap’s enforceability for fundamental breach.

Foreseeability and remoteness. Hadley v Baxendale (1854) 9 Ex 341 governs the recoverability of consequential loss. The £2.4m lost development gross profit is consequential. The developer needs to establish it as within the contemplation of the parties at the time of contracting — a standard developer-architect dispute. The practice’s appointment expressly references the option deadline, which makes the loss foreseeable.

Regulatory dimension. The ransomware incident exposed personal data (HR records, client personal data in correspondence). The ICO must be notified under UK GDPR Article 33. Threats to publish data trigger a likelihood of high risk, which may require Article 34 notification to affected data subjects.

Ransomware sanctions framework. The OFAC advisory of September 2021 (and the parallel UK OFSI guidance) notes that ransom payment to sanctioned threat actors may breach US, UK or other sanctions regimes. The practice’s panel must perform a sanctions screen of the threat actor before recommending payment. In this scenario the threat group is on the OFAC list of blocking designations; payment is potentially permissible but carries regulatory risk.

The cyber policy response

The practice’s cyber policy is a mid-market form with a £5m limit, a £25k retention, a 12-hour BI waiting period, and a 180-day BI period of indemnity.

Incident response. Forensic investigation, legal coordination, ransom negotiation, decryption tool deployment, data restoration. Cyber pays. Typical cost for an incident of this scale: £350k–£600k including the negotiator.

Ransom payment. Subject to sanctions clearance, cyber pays the ransom. In this scenario, after legal and sanctions analysis, the panel recommends paying $900k (negotiated down from $1.8m) to obtain the decryption key. Cyber pays.

Cryptocurrency handling. The cyber insurer’s panel includes a crypto facility — the practice does not need to acquire Bitcoin itself. Cyber pays.

Business interruption. The practice’s revenue during the 14-day restoration window drops to approximately 20% of normal. Lost gross profit: approximately £140,000 for the practice. After the 12-hour waiting period, cyber BI pays the £140k.

Data restoration. Where data is unrecoverable, cyber pays the cost of reconstructing it. The BIM model for the affected projects needs partial reconstruction (5 days lost work). Cost: £80k. Cyber pays.

Breach notification. Personal data of staff and clients was potentially exfiltrated. UK GDPR Article 33 ICO notification within 72 hours; Article 34 notifications to data subjects. Cyber pays the legal and operational cost.

ICO investigation defence. The ICO opens an investigation. Cyber pays the defence cost (estimated £150k–£250k). If a fine is imposed, the policy responds to the extent insurable as a matter of law.

The PI policy response

The practice’s PI policy is a £10m limit, £25k excess, claims-made-and-notified form with an architectural professional services scope.

Claim by developer for missed planning deadline. This is a third-party claim arising from the practice’s failure to deliver a professional service in time. The civil liability head of the PI policy responds. Defence costs and indemnity are covered.

Limit and aggregation. The £2.4m claim is within the PI limit. The claim aggregates with any related developer-side claims into one originating cause under typical PI wording.

Cyber exclusion in PI. The critical question: does the PI policy contain a cyber-event-related claims exclusion? In this scenario the policy contains a cyber events exclusion in the form of LMA5402 (a typical Lloyd’s market exclusion), with a carve-back for “loss arising from the supply of professional services where the cyber event is incidental to the professional failure”. The PI insurer argues the practice’s missed deadline was caused by the cyber event, not by any independent professional negligence, and the exclusion bites. The practice argues the exclusion’s carve-back applies because the professional service (timely filing of the planning application) is the substance of the claim.

This argument is real and is the single most important coverage question in modern PI for technology-dependent professions. The drafting of the cyber exclusion and its carve-back is decisive.

Coverage of consequential loss. Standard PI policies cover financial loss to third parties including loss of profit, subject to the policy limit. The £2.4m claim is therefore within scope (subject to the cyber exclusion question above).

Liability cap argument. The PI insurer will argue that the £2m contractual cap in the appointment limits the developer’s recovery to £2m. The developer may challenge the cap. The PI insurer typically takes over conduct of defence and runs the cap argument as part of the defence.

The overlap and gap

The overlap is the incident response and the data restoration. Cyber is clearly the primary home; PI does not respond to first-party costs.

The gap is the PI/cyber boundary on the developer’s claim. If the PI cyber exclusion bites and the cyber policy’s third-party liability for client claims arising from ransomware-induced delay is sub-limited or excluded (many cyber policies do not contemplate third-party PI-style claims as a primary head), the developer’s £2.4m may sit in a gap.

Modern best-in-class cyber policies now include a contingent business interruption or failure to deliver head that responds to exactly this scenario. Older or mid-market cyber wordings do not. The practical advice: read the wording.

Worked numerical example

Putting it together:

| Head | Quantum | Policy | Notes |
|---|---|---|---|
| Forensic + legal + negotiator | £420,000 | Cyber | first-party incident response |
| Ransom payment ($900k) | £710,000 | Cyber | after sanctions clearance |
| Practice BI loss (14 days) | £140,000 | Cyber | after 12hr wait |
| Data restoration | £80,000 | Cyber | non-recoverable data |
| Notification + DPO support | £45,000 | Cyber | UK GDPR Art 33/34 |
| ICO defence (estimated) | £180,000 | Cyber | regulatory investigation |
| Developer claim — settled | £1,400,000 | PI (if cyber exclusion does not bite) | after contractual cap arguments |
| Developer defence costs | £350,000 | PI | within the limit or in addition |
| Practice reputational + churn (year 1) | £600,000 | Uninsured | not covered |
| Total quantum | £3,925,000 | mixed | |
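The table above and the overlap-and-gap discussion turn on two yes/no questions: does the PI cyber exclusion bite, and does the cyber policy carry a failure-to-deliver head? The following is an added illustration, not the article's own model or any insurer's calculation. It routes each head of loss to cyber, PI or the practice, applies each policy's retention once per event (a simplifying assumption), caps at the limit, and lets you flip those two questions to see where the developer's claim lands. The BI figure is taken net of the 12-hour waiting period, as the article does.

```python
"""Coverage-allocation model for the worked example.

Added illustration, not the article's own model: routes each head of loss
to the cyber policy, the PI policy or the practice itself, applies each
policy's retention once per event (simplifying assumption) and caps at the
limit. The two flags are the coverage questions the article identifies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Head:
    label: str
    quantum: int   # GBP
    kind: str      # "cyber-first-party", "developer-claim" or "uninsured"


@dataclass(frozen=True)
class Policy:
    name: str
    limit: int
    retention: int  # applied once per policy per event (simplifying assumption)


# Policy terms from the article's scenario.
CYBER = Policy("cyber", limit=5_000_000, retention=25_000)
PI = Policy("pi", limit=10_000_000, retention=25_000)

# Quanta from the article's table, in GBP.
HEADS = [
    Head("forensic + legal + negotiator", 420_000, "cyber-first-party"),
    Head("ransom payment ($900k)", 710_000, "cyber-first-party"),
    Head("practice BI loss (14 days)", 140_000, "cyber-first-party"),
    Head("data restoration", 80_000, "cyber-first-party"),
    Head("notification + DPO support", 45_000, "cyber-first-party"),
    Head("ICO defence (estimated)", 180_000, "cyber-first-party"),
    Head("developer claim (settled)", 1_400_000, "developer-claim"),
    Head("developer defence costs", 350_000, "developer-claim"),
    Head("practice reputational + churn (year 1)", 600_000, "uninsured"),
]


def allocate(heads, pi_exclusion_bites, cyber_failure_to_deliver):
    """Return {"cyber": paid, "pi": paid, "uninsured": borne by the practice}."""
    gross = {"cyber": 0, "pi": 0, "uninsured": 0}
    for h in heads:
        if h.kind == "cyber-first-party":
            gross["cyber"] += h.quantum
        elif h.kind == "developer-claim":
            if not pi_exclusion_bites:
                gross["pi"] += h.quantum            # civil liability head of PI responds
            elif cyber_failure_to_deliver:
                gross["cyber"] += h.quantum         # contingent BI / failure-to-deliver head
            else:
                gross["uninsured"] += h.quantum     # the gap the article describes
        else:
            gross["uninsured"] += h.quantum

    result = {"uninsured": gross["uninsured"]}
    for pol in (CYBER, PI):
        presented = gross[pol.name]
        paid = min(max(presented - pol.retention, 0), pol.limit) if presented else 0
        result[pol.name] = paid
        # Retention and anything above the limit stay with the practice.
        result["uninsured"] += presented - paid
    return result


def gap_table(heads=HEADS):
    """The three outcomes the article discusses, side by side."""
    return {
        "PI responds": allocate(heads, pi_exclusion_bites=False, cyber_failure_to_deliver=False),
        "exclusion bites, no cyber head": allocate(heads, True, False),
        "exclusion bites, cyber failure-to-deliver head": allocate(heads, True, True),
    }


if __name__ == "__main__":
    for scenario, split in gap_table().items():
        print(f"{scenario}: " + ", ".join(f"{k} £{v:,}" for k, v in split.items()))
```

Under every flag combination the total stays at £3,925,000; what moves is the £1,750,000 developer-side quantum, which sits with PI, with cyber, or with the practice. That is the gap the wording negotiation is about.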

The cyber exclusion drafting question

The single sentence that decides whether the developer’s £2.4m claim is covered under PI looks something like:

Exclusion: this policy does not cover any claim arising directly or indirectly from any cyber event, including loss of, damage to or corruption of data or any failure or interruption of any computer system. Carve-back: this exclusion shall not apply to any claim arising from the supply of professional services described in the schedule where the cyber event is incidental to the alleged breach of professional duty.

The carve-back sentence is doing all the work. Whether the developer’s claim is “incidental to” the breach of professional duty is a fact-dependent question. Brokers should negotiate the wording at renewal to ensure the carve-back is explicit and triggered by the type of claim the firm is most exposed to.

The Insurance Act 2015, section 11, provides that a term not relevant to the actual loss cannot be relied upon to deny a claim. The cyber exclusion is plainly relevant to a loss caused by a cyber event; section 11 does not directly help. But the broader principles of contra proferentem and reasonable construction apply, and a well-argued case may push the exclusion’s edge.

Practical buyer takeaway

For any technology-dependent professional services firm:

Confirm in writing with your PI insurer that the cyber exclusion (if any) does not bite on claims where the cyber event is the cause of a professional failure but the substance of the claim is the failure itself. Get the carve-back drafted explicitly.

Match the cyber policy’s contingent BI / failure to deliver head against your most exposed delivery deadlines. If you have hard contractual deadlines (filings, submissions, court dates), confirm cyber response.

Ensure your offsite backups are actually tested. The single most preventable factor in ransomware incidents is backup failure. Test restores every quarter.

Enforce MFA on all administrative accounts. Consider hardware-key MFA (FIDO2) for the highest-privilege accounts.

Adopt EDR (endpoint detection and response) on every endpoint. Cyber underwriters now ask about specific products; document yours.

Pre-engage your incident response panel. Make sure your team know the panel firm and the phone number. Print it.

Practise a tabletop scenario every 12 months including the planning deadline / client deliverable angle.

Negotiate the cyber policy’s BI period of indemnity upward where you have project-based revenue with long delivery cycles.
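The backup point above is the one the scenario turns on: the last good offsite restore point was five days old and excluded the BIM repository, and nobody found out until the encryption. The following is an added example, not from the article or any backup vendor, of the quarterly check a practice could run against its own backup catalogue. It flags the three failure modes from the scenario: a stale restore point, required datasets missing from it, and restores that have not been exercised. The catalogue format, dataset names and thresholds are assumptions for the illustration.

```python
"""Backup restore-point audit.

Added example, not from the article or any vendor tool: checks a backup
catalogue for a stale offsite restore point, required datasets excluded from
it, and restores that have not been exercised. Catalogue format, dataset
names and thresholds are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Datasets the practice cannot operate without (hypothetical labels).
REQUIRED_DATASETS = frozenset(
    {"file-server", "bim-repo", "email-archive", "drawings-vcs", "finance"}
)


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    offsite: bool
    succeeded: bool
    datasets: FrozenSet[str]                     # what the restore point actually contains
    test_restored_at: Optional[datetime] = None  # last full test restore from this point


def audit_backups(points: List[RestorePoint], now: datetime,
                  max_age: timedelta = timedelta(days=1),
                  test_interval: timedelta = timedelta(days=90)) -> List[str]:
    """Return findings; an empty list means the backup posture passes."""
    findings: List[str] = []
    usable = [p for p in points if p.offsite and p.succeeded]
    if not usable:
        return ["no successful offsite restore point exists"]

    # 1. Recovery point: how old is the newest good offsite copy?
    latest = max(usable, key=lambda p: p.taken_at)
    age = now - latest.taken_at
    if age > max_age:
        findings.append(
            f"latest offsite restore point is {age.days} days old (limit {max_age.days})"
        )

    # 2. Coverage: was anything critical left out of that copy?
    missing = REQUIRED_DATASETS - latest.datasets
    if missing:
        findings.append(
            "latest restore point excludes required datasets: " + ", ".join(sorted(missing))
        )

    # 3. Proof: has a full restore actually been exercised recently?
    tests = [p.test_restored_at for p in usable if p.test_restored_at is not None]
    if not tests:
        findings.append("no restore point has ever been test-restored")
    elif now - max(tests) > test_interval:
        findings.append(
            f"last test restore was {(now - max(tests)).days} days ago "
            f"(interval {test_interval.days})"
        )
    return findings


# Constructed catalogue mirroring the scenario: the last good offsite point is
# 4 May and omits the BIM repository; the nightly jobs after it failed, and the
# only complete copy is on-site (and so encrypted with everything else).
ALL_BUT_BIM = REQUIRED_DATASETS - {"bim-repo"}
SCENARIO_POINTS = [
    RestorePoint(datetime(2025, 5, 4, 2, 0), True, True, ALL_BUT_BIM,
                 test_restored_at=datetime(2025, 1, 20, 10, 0)),
    RestorePoint(datetime(2025, 5, 5, 2, 0), True, False, ALL_BUT_BIM),
    RestorePoint(datetime(2025, 5, 6, 2, 0), True, False, ALL_BUT_BIM),
    RestorePoint(datetime(2025, 5, 8, 2, 0), False, True, REQUIRED_DATASETS),
]
ENCRYPTION_TIME = datetime(2025, 5, 9, 18, 0)


def scenario_findings() -> List[str]:
    return audit_backups(SCENARIO_POINTS, ENCRYPTION_TIME)


def healthy_findings() -> List[str]:
    """Same audit against a catalogue that passes all three checks."""
    point = RestorePoint(datetime(2025, 5, 9, 3, 0), True, True, REQUIRED_DATASETS,
                         test_restored_at=datetime(2025, 4, 20, 9, 0))
    return audit_backups([point], ENCRYPTION_TIME)


if __name__ == "__main__":
    for line in scenario_findings():
        print("FAIL:", line)
```

Run against the scenario catalogue it reports all three failures; a healthy catalogue returns nothing. The point of the third check is that a restore point which has never been restored from is a hope, not a backup, which is why the article says to test restores every quarter.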

FAQ

Q1. Can my practice pay the ransom directly without the insurer? Technically yes, but you sacrifice all of the cyber policy’s first-party response cover plus you may face FCA/HMRC anti-money-laundering complications and reputational risk. Don’t.

Q2. Is paying the ransom illegal? In the UK, ransom payment per se is not criminal under most circumstances, but is subject to sanctions law (OFSI), money-laundering rules (POCA 2002), and Terrorism Act 2000 considerations if the recipient has terrorist affiliations. Each ransom payment is assessed individually.

Q3. What if my backups had restored cleanly — would the cyber policy still respond? Yes, to the cost of the incident response itself, the BI for the period of unavailability, the notification cost, and the regulatory investigation. The ransom would not be paid.

Q4. Does the developer’s contractual liability cap really hold? Usually yes if expressly agreed in writing, except where: the loss is caused by fraud, the loss is for death or personal injury, or the cap is unenforceable under UCTA 1977 in a B2B context (rare). The cap is a strong defence and the PI insurer will run it.

Q5. Can I claim my own lost partner time during the incident? Generally no. Cyber BI typically pays lost gross profit, not partner time as such. Some policies include a crisis response sub-limit for executive time. Read the wording.

Q6. What’s the typical period of indemnity for cyber BI? The market norm is 90–180 days. Some policies offer 360 days. The waiting period is typically 8–12 hours.

Q7. Does it matter if the ransomware was preventable? For the indemnity, it shouldn’t (cyber policies are designed to cover negligent security failures by the insured). For the next renewal, very much yes — the underwriter will look hard at controls.

Q8. Can the developer sue the cyber insurer directly? No (the policy is a contract between the practice and the cyber insurer). The developer sues the practice; the practice claims indemnity.

Sources

UK GDPR Articles 33 and 34.
OFAC Advisory on the Potential Sanctions Risks for Facilitating Ransomware Payments, September 2021.
OFSI guidance on sanctions and ransomware.
Hadley v Baxendale (1854) 9 Exch 341.
RIBA Plan of Work standard form architects’ appointment (current edition).
Insurance Act 2015, section 11.
LMA5402 cyber exclusion (Lloyd’s Market Association).
NCSC ransomware response guidance.


Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
