Cyber vs Professional Indemnity Insurance: Where Cover Ends and Begins

A UK guide for solicitors, accountants, IFAs, consultants, architects, IT firms and any professional services business that holds two of the most important policies in its insurance programme — and yet doesn’t fully understand how they interact.

This is the hub page in a series of eleven detailed articles. If you only have sixty seconds, read the answer below. If you have an hour, read the whole guide. If you have an incident on your desk right now, jump to the decision tree, work through the questions, and call your broker.


The 60-second answer

A modern professional services firm typically buys two policies that respond to “digital” loss events: Professional Indemnity (PI) insurance and Cyber insurance. Both can respond to the same incident. Both can decline. There is a layer of overlap, a layer of gap, and a layer of confusion.

The shortest possible decomposition:

Professional Indemnity responds when a third party suffers a financial loss because of a negligent act, error or omission in the professional services you supplied. The hinge of cover is the advice or service. If your work product was defective and somebody who relied on it has lost money, PI is the home.

Cyber responds when a cyber event — unauthorised access, data theft, ransomware, denial of service, system outage, social engineering — causes loss either to you (first-party) or to a third party (third-party liability). The hinge of cover is the cyber event itself.

Where it gets interesting is the very large class of incidents where the cyber event is the cause of the professional failure. A breached email account misdirects client funds. A ransomware attack means a deadline is missed and a client loses an opportunity. A leaked database triggers both an ICO investigation (cyber territory) and a civil claim by data subjects (PI territory, if you held the data as a professional adviser). The two policies look at the same incident through different lenses, and unless you understand how they look, you’ll buy the wrong limits, miss notifications, and end up uninsured for the bit you most needed cover for.

This guide shows you exactly how that interaction works, where the five most common overlaps are, where the five most common gaps are, and what you should do at renewal to make sure your programme actually responds when it matters.

Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.


What professional indemnity actually covers (plain English)

Professional indemnity insurance is a liability policy. It is triggered by a third party making a claim, or notifying circumstances that might give rise to a claim, alleging that you owe them money because something went wrong in the professional service you supplied.

The classic PI policy responds to:

The civil liability you incur to a client (or sometimes a non-client third party who relied on your work) arising from any negligent act, error or omission committed in the conduct of the professional business stated in the schedule. It typically includes defence costs, sometimes within the limit and sometimes in addition. It is written on a claims-made-and-notified basis, meaning the policy that responds is the policy in force when the claim is first made against you, or when you first notify circumstances that might give rise to a claim, not the policy that was in force when the underlying error happened. This single feature drives more disputes than any other clause in the market.

The professional services covered are usually defined narrowly. A solicitors’ PI policy covers the supply of legal services. An accountants’ PI policy covers accountancy, audit and tax. An IT consultancy PI policy covers the supply of IT consultancy, software development or systems integration as described in the schedule. Where you stretch beyond that description — say, an accountancy firm that has started offering generic business “strategy” consulting — you may find the activity falls outside the definition.

PI typically excludes deliberate or fraudulent acts by the insured (subject to innocent partner cover), criminal fines and penalties, bodily injury and property damage (covered by other policies), and increasingly contains either an exclusion or a sub-limit for cyber-related claims. This last point is the entire reason you are reading this guide.

For SRA-regulated solicitors, the minimum terms and conditions (MTC) impose a regulator-defined floor of cover that constrains how much insurers can exclude. For most other professions, the policy wording is contractually negotiated and the cyber treatment varies wildly.

What cyber insurance actually covers (plain English)

Cyber insurance is a hybrid policy. Part of it is first-party (it pays you for your own losses) and part of it is third-party (it pays others when you’re liable to them).

The classic cyber policy responds to:

First-party heads. Incident response and forensics; legal advice on notification; breach notification costs to data subjects and regulators; credit monitoring; PR and reputation management; ransomware (the ransom itself where lawful, and the negotiation and bitcoin handling); business interruption from cyber events (your lost gross profit while systems are down, plus extra expense); digital asset restoration; in some policies cyber crime cover for funds transfer fraud and social engineering, often sub-limited.

Third-party heads. Liability to data subjects whose data you held and lost; defence and indemnity for regulatory investigations (ICO, FCA, PRA) and any civil-side fines and penalties that are insurable as a matter of law; PCI fines and assessments for card data breaches; media liability for content you published; network security liability where you’ve been the conduit through which a third party’s network was attacked.

Cyber is generally written on a claims-made basis for liability, but the first-party heads operate on an events-discovered basis — the policy in force when you discover the incident pays.

What’s important is that cyber insurance is fundamentally event-driven. You need a cyber event to trigger it. If your professional negligence happened to involve a computer but didn’t involve unauthorised access, ransomware, denial of service or a security failure, the cyber policy isn’t your home.

The five overlap zones — where both policies might respond

Now to the meat. These are the five recurring scenarios where the same incident sits inside both policies. Each is covered in much more depth in the linked spoke article.

1. Data breach caused by a negligent professional

A solicitor’s litigation team holds 8GB of bundle material on a shared folder. A partner sets folder permissions wrongly and a sensitive case file is publicly accessible for six weeks. A journalist finds it; the data subjects sue and the ICO opens a regulatory investigation.

The cyber policy looks at it as a data breach — incident response, notification costs, ICO investigation defence, civil-side damages to data subjects. The PI policy looks at it as a negligent failure in the professional supervision of confidential information — the same data subjects had a duty owed to them by the firm in its capacity as their legal adviser. Without careful drafting both policies might respond; some markets co-ordinate, others do not, and the firm ends up paying two excesses or having both insurers point at each other.

→ See Spoke 1: Solicitor data breach — cyber or PI?

2. Social engineering and wire fraud through compromised email

A conveyancing solicitor’s email account is compromised by phishing. The criminal monitors the account for two weeks, learns the completion routine, and emails the buyer at the right moment with revised “client account” details. The buyer wires £640,000 to the fraudster.

Is this a cyber claim? Yes — the trigger was unauthorised access. Is it a PI claim? Quite possibly — the solicitor owed the buyer a duty of care in respect of the conveyancing transaction, and the firm’s failure to protect its email infrastructure caused the buyer’s loss. SRA Minimum Terms require the policy to respond to civil liability arising out of the conduct of the firm’s practice; this almost certainly qualifies. The cyber policy may carry social engineering cover but typically with a sub-limit (£100k or £250k is common). The PI policy may carry a “Part 2” social engineering carve-back. The bank may have to refund under the APP fraud Mandatory Reimbursement Scheme. Who pays first, and for how much, is a four-way puzzle.

→ See Spoke 2: Wire fraud via compromised email — who pays?

3. Ransomware preventing delivery of client work

An architectural practice is hit by ransomware on a Friday. They cannot access drawings, BIM models or correspondence. They miss a planning submission deadline for a client; the client’s land option lapses; the client loses an opportunity worth £2.4m.

Cyber pays for the ransom (subject to OFAC and sanctions checks), the incident response, the data restoration, and the business interruption to the architect. PI is the home for the £2.4m claim from the client, because the architect was contracted to deliver a service by a deadline and failed. Whether the PI insurer treats the ransomware as a “cyber-related” claim and applies a sub-limit, exclusion or coinsurance feature is wording-dependent.

→ See Spoke 3: Ransomware affecting client deliverables

4. IP infringement using AI-generated content

A marketing agency uses an image-generation model to produce campaign assets for a client. The output is found to closely resemble a copyrighted image owned by a third party. The client is sued; the client sues the agency.

PI is the obvious home — this is a professional failure in the conduct of the agency’s business. But many PI policies exclude IP infringement, and the line between “AI-assisted negligence” and “a cyber event” is increasingly blurred. Some cyber policies offer media liability cover that includes copyright infringement in content published. The question of who pays depends entirely on how the agency’s two policies are worded.

→ See Spoke 4: IP infringement using AI-generated content

5. Breach response costs flowing from a professional negligence claim

A wealth manager is sued by a client for unsuitable advice. During disclosure, the client’s lawyers ask for the full advice file. The wealth manager realises the file has been stored unencrypted on a USB stick that was lost two years previously. The breach is now apparent; the ICO must be notified; data subjects must be notified.

This is the inverse of scenario 1. The PI policy is dealing with the unsuitable advice claim. The cyber policy is now dealing with the breach response. Whether the cyber policy’s retroactive date allows it to respond to a breach that materialised two years ago is the central question. Most cyber policies will not respond to breaches that occurred before the policy inception unless retroactive cover has been negotiated.

→ See Spoke 5: Data Protection Act 2018 / UK GDPR civil claim coverage

The five gap zones — where neither policy responds

These are the losses that no insurance product reliably covers. Buyers consistently underestimate how big each one can be.

1. Pure regulatory fines (where uninsurable as a matter of public policy)

ICO fines under UK GDPR can reach the higher of £17.5m or 4% of global annual turnover. FCA fines can be similarly substantial. The general English-law principle is that criminal fines and penalties cannot be insured because to indemnify them would defeat the deterrent purpose of the penalty (Askey v Golden Wine Co Ltd [1948] 2 All ER 35; Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472). Civil-side regulatory fines are sometimes insurable depending on the regulatory regime and the policy wording.

Cyber policies will typically pay defence costs in respect of an ICO investigation; many will indemnify civil-side fines and penalties to the extent insurable as a matter of law; very few will pretend to cover a criminal penalty. PI policies will rarely indemnify regulatory fines at all. Read your wording.

2. Reputational damage and customer churn

After a public breach a firm typically loses clients. Some leave because they’re contractually required to (most enterprise services agreements have a breach termination right); some leave because they’re nervous; some never sign because they Google your name and find headlines.

Cyber policies offer PR and crisis communications cover, sometimes with sub-limits of £100k–£500k. This pays for the agency drafting the press release, not for the revenue you lost over the following three years. Business interruption cover usually responds only during the period of restoration of the affected systems, not during the long tail of customer churn. PI cover does not respond to reputational loss as a head of loss against the firm.

For most firms, the long-tail reputational loss after a public breach is uninsured.

3. Business interruption from a cyber event affecting your delivery capability

Cyber BI cover responds to your loss of gross profit during the period systems are down — but the period of indemnity is usually short (often 90 to 180 days, sometimes longer), the waiting period (the cyber equivalent of an excess on time) is usually 8 to 24 hours, and the calculation of “but for the cyber event you’d have earned X” can be brutally argued. Where the cyber event also causes a professional services failure (missed deadline, abandoned project) the PI policy responds to the third-party loss but the firm’s own lost revenue is not covered by PI at all.

The gap most firms don’t see: the long-term loss of contracts that flow from a public incident, distinct from the immediate BI period.

4. Biometric, AI and emerging-tech specific exposure

UK exposure is currently more limited than the US — there is no UK equivalent of the Illinois Biometric Information Privacy Act with its damages-per-violation structure — but the trajectory is clear. The proposed AI regulation (the EU AI Act for any firm dealing with EU customers, the UK’s pro-innovation approach for domestic) will impose new obligations on firms deploying AI. Many existing PI policies were written before this exposure was contemplated and contain no carve-out for AI-driven advice; many cyber policies were written before generative AI exposures matured and offer no specific cover.

Buyers should ask, specifically, whether their wording responds to AI-driven decision-making errors and whether biometric data processing is contemplated.

5. Supply chain cyber claims

If your software vendor is breached and the breach reaches your data through them, your cyber policy may respond — but only to your loss. You may have a claim against the vendor; the vendor’s PI or cyber may respond, but only if the vendor bought it and only up to their limit. If the vendor is uninsured, undercapitalised, or insolvent, you have a worthless claim. Many supply chain cyber losses involve dozens of downstream victims of a single vendor breach (think of the MOVEit, SolarWinds, Kaseya pattern) where each victim’s cyber policy responds only to their own portion of the loss, and the aggregate cost of the event is spread very thinly across a very long chain.

The gap: where supplier liability is the natural remedy but is not collectible.

The decision tree — is this a cyber claim, a PI claim, or both?

When an incident lands on your desk and you need to decide which broker to call first, work through this tree. If you can render diagrams, the SVG version is embedded at the foot of this section.

Step 1: Was there unauthorised access, data theft, denial of service, ransomware, or social engineering? If yes → cyber policy is engaged. Continue to Step 2. If no → cyber policy probably not engaged. Skip to Step 3.

Step 2: Did the incident also cause a third-party loss attributable to your professional service? If yes → PI is also engaged. Both policies notified, both wordings reviewed, broker coordinates. If no → cyber only. Notify within the cyber policy’s notification window (often 72 hours).

Step 3: Is the third party claiming financial loss flowing from advice, work product, or service you supplied? If yes → PI claim. Notify under PI. If no → it may be a general liability matter or an uninsured loss.

Step 4 (always): Is the firm subject to a regulatory obligation to notify the ICO, FCA or another regulator? This is independent of the insurance question. The 72-hour ICO obligation (UK GDPR Article 33) runs from awareness of a personal data breach. The FCA SUP 15.3.11R obligation runs from awareness of a notifiable event. Do not let the insurance question delay the regulatory question.

                         ┌──────────────────────────────┐
                         │ Incident occurs              │
                         └──────────────┬───────────────┘
                                        │
                       ┌────────────────▼────────────────┐
                       │ Was there a cyber event?        │
                       │ (unauthorised access / data     │
                       │ theft / ransomware / DoS /      │
                       │ social engineering)             │
                       └─────┬────────────────────┬──────┘
                             │ YES                │ NO
                             ▼                    ▼
                    ┌──────────────────┐   ┌────────────────────┐
                    │ CYBER ENGAGED    │   │ Third-party loss   │
                    │ Notify within    │   │ from advice/work?  │
                    │ cyber window     │   └──────┬─────────┬───┘
                    └────────┬─────────┘          │ YES     │ NO
                             │                    ▼         ▼
              ┌──────────────▼─────────┐   ┌──────────┐ ┌──────────┐
              │ Also third-party loss  │   │   PI     │ │  Not a   │
              │ from advice/work?      │   │ ENGAGED  │ │ standard │
              └────┬─────────────┬─────┘   └──────────┘ │ PI/cyber │
                   │ YES         │ NO                   │  matter  │
                   ▼             ▼                      └──────────┘
            ┌─────────────┐ ┌────────────┐
            │ BOTH        │ │ CYBER only │
            │ ENGAGED     │ │            │
            │ Notify both │ └────────────┘
            └─────────────┘

For a publishable SVG version of the same diagram, the cross-link map lists the asset path. The tree intentionally over-simplifies in one place: in practice the regulatory notification clock runs in parallel to the insurance clock and is independent of which policy answers.

The notification problem — same incident, two policies, two clocks

This is the trap that catches firms most often.

Cyber policies typically require notification as soon as practicable on becoming aware of a cyber event, and many have hard 72-hour notification windows that mirror the GDPR breach notification deadline. Some impose conditions precedent — late notification voids cover. Cyber policies are also generally written so that the policy in force on the date of discovery is the one that responds (an “events-discovered” trigger for first-party heads).

PI policies are written on a claims-made-and-notified basis governed in the UK by section 11 of the Insurance Act 2015 and well-developed claims-made principles. The trigger is the date the claim is first made against you, or the date you first notify circumstances likely to give rise to a claim. The “circumstances” formulation matters — section 11 says terms not relevant to the actual loss cannot be relied on to deny a claim, but a circumstances trigger is the trigger and missing it shifts the claim into the following year’s policy (where it may face a different excess, a different limit, or a new aggregation).

The risk: a firm focuses on the urgent cyber notification (regulator, cyber insurer) and forgets to notify the circumstances under its PI policy. Six months later when the data subject claim arrives, the PI insurer says: you knew about this six months ago, this is a notification under the previous policy year, and we (the renewal year insurer) are not on risk.

Or worse: the firm changed PI insurers in the meantime, and the previous insurer says you didn’t notify in time either.

This is the single biggest reason to treat every cyber incident as a potential PI circumstance and notify both books. The cost of a precautionary PI notification is essentially zero; the cost of a missed one can be the entire claim.
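The four-step tree above and the two-clock problem in this section can be written down as one small triage routine, which makes the independence of the regulatory clock and the "notify both books" rule explicit. The Python below is an added example, not part of this guide or any Apex tooling. The event categories, the 72-hour ICO clock and the advice to notify PI circumstances precautionarily come from the text; the 72-hour cyber-policy window is an assumption (the guide only says "often"), the FCA clock is recorded as a start time because the page gives no fixed period, and the incident data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Cyber-event categories from Step 1 of the decision tree.
CYBER_EVENT_KINDS = frozenset({
    "unauthorised_access", "data_theft", "denial_of_service",
    "ransomware", "social_engineering",
})

# Assumed cyber-policy window: the guide says "often 72 hours", wordings vary.
DEFAULT_CYBER_WINDOW = timedelta(hours=72)
ICO_WINDOW = timedelta(hours=72)  # UK GDPR Article 33, runs from awareness


@dataclass
class Incident:
    kinds: frozenset                     # observed cyber-event kinds, possibly empty
    third_party_loss_from_service: bool  # Steps 2/3: third party lost money because of our advice/work
    personal_data_breach: bool           # Step 4: ICO clock runs
    fca_notifiable: bool                 # Step 4: FCA SUP 15.3.11R clock runs
    aware_at: datetime                   # moment the firm became aware


@dataclass
class Triage:
    cyber_engaged: bool
    pi_engaged: bool
    notify: list      # books to notify, most urgent first
    deadlines: dict   # clock name -> datetime
    notes: list


def make_incident(kinds, third_party_loss, personal_data_breach, fca_notifiable=False):
    """Build an Incident from plain values with a constructed awareness time."""
    unknown = set(kinds) - CYBER_EVENT_KINDS
    if unknown:
        raise ValueError(f"unrecognised event kinds: {sorted(unknown)}")
    aware = datetime(2025, 3, 3, 9, 30, tzinfo=timezone.utc)  # constructed sample time
    return Incident(frozenset(kinds), third_party_loss, personal_data_breach,
                    fca_notifiable, aware)


def triage(inc, cyber_window=DEFAULT_CYBER_WINDOW):
    """Walk Steps 1 to 4. Regulatory clocks are computed whatever the policy
    answer, because the insurance question must never delay the regulatory one."""
    cyber = bool(inc.kinds)                      # Step 1
    pi = inc.third_party_loss_from_service       # Steps 2 and 3
    notify, deadlines, notes = [], {}, []

    # Step 4 first: independent of which policy responds.
    if inc.personal_data_breach:
        deadlines["ICO (UK GDPR Art. 33)"] = inc.aware_at + ICO_WINDOW
    if inc.fca_notifiable:
        # SUP 15.3.11R runs from awareness; no fixed period is stated, so record the start.
        deadlines["FCA (SUP 15.3.11R) clock starts"] = inc.aware_at

    if cyber:
        notify.append("cyber")
        deadlines["cyber policy notification (assumed window)"] = inc.aware_at + cyber_window
    if pi:
        notify.append("PI")
        deadlines["PI circumstances (notify now)"] = inc.aware_at
    elif cyber:
        # Cyber-only on the tree, but every cyber incident is a potential PI
        # circumstance: a precautionary notification keeps the claim in this policy year.
        notify.append("PI (precautionary circumstances)")
        deadlines["PI circumstances (notify now)"] = inc.aware_at
        notes.append("Precautionary PI notification costs nothing; a missed one can cost the whole claim.")
    if not cyber and not pi:
        notes.append("Not a standard PI/cyber matter: general liability or uninsured loss.")
    return Triage(cyber, pi, notify, deadlines, notes)


if __name__ == "__main__":
    # Spoke 2 pattern: compromised email, fraudulent account details, buyer wires funds,
    # and the mailbox held personal data so the ICO clock also runs.
    result = triage(make_incident(["unauthorised_access", "social_engineering"], True, True))
    print(result.notify)
    for clock, when in result.deadlines.items():
        print(f"{clock}: {when.isoformat()}")
```

Run it as a script to see the wire-fraud case; the deadlines dictionary is the printed playbook entry for that incident. The FCA entry deliberately records only the clock start, so the routine never claims a deadline the wording has not given.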

→ See Spoke 6: The notification clock problem

Aggregation across the two policies

Once you’ve notified both, the next question is how losses aggregate.

Each policy has its own aggregation mechanism. PI policies typically aggregate by reference to one originating cause, one act, error or omission or a series of related events. Cyber policies typically aggregate by reference to one security event, one related series of events, or sometimes by reference to system affected. The two will not aggregate consistently.

The result: a single underlying incident might be treated as one claim under the cyber policy (one event-discovered) and many claims under the PI policy (one client claim per affected matter). Or vice versa. This is not just academic — limits work on aggregation, and excesses work on aggregation.

Aggregation is governed at common law by the “unifying factor” jurisprudence of Lloyds TSB v Lloyds Bank [2003] UKHL 48 and the recent line of authority including the Supreme Court’s decision in AIG Europe v Woodman [2017] UKSC 18, which held that “claims arising from one series of related acts or omissions” requires the claims to share a real-world unifying factor.

For a more thorough treatment of how aggregation works across two policies of different types, the related aggregation hub on this site walks through worked examples.

Practical buyer checklist — what to do at PI and cyber renewal

A short checklist for firms approaching the next renewal cycle:

Match retroactive dates. Your cyber policy’s retroactive date should be at least as far back as your PI policy’s, so that a breach discovered later still has retroactive cover.

Ask for an explicit no-overlap, no-gap statement from your broker. If your broker is placing both policies, ask them to write to you confirming where overlap exists, where gaps exist, and which policy is intended to respond as primary in each of the five overlap scenarios above.

Read the cyber exclusion in your PI policy. The market has been moving towards wider cyber exclusions in PI; the so-called “Lloyd’s Market Association LMA5400” series of clauses and analogous wordings can carve cyber-event-related claims out of PI cover entirely. Where this clause appears, the cyber policy must cover the third-party PI-style claim, or you are uninsured.

Check social engineering sub-limits. The cyber crime / social engineering / funds transfer fraud sub-limit is one of the most consequential numbers in your programme. The market norm is £100k–£500k; many fraud events exceed £500k. Negotiate up.

Match excesses. If the same event triggers both policies you don’t want to pay two unrelated excesses. Many programmes can be structured so that one excess applies once.

Match limits. There is no single right answer to “what limit do I need”, but if your cyber policy carries a £1m limit and your PI policy carries £5m, and the typical big claim flows through cyber first, you are under-protecting yourself in the part of the programme most likely to respond.

Get a breach response retainer in place. The cyber policy’s incident response panel usually includes the law firm, the forensic firm and the PR firm. Identify them now. Have the phone numbers in a printed playbook (because if your systems are down you can’t read a PDF on a hard drive you can’t access).

Document your AI use. If your PI proposal form asks how you use AI, answer accurately. Section 3 of the Insurance Act 2015 makes material non-disclosure a basis for proportionate remedy or avoidance, and “we use ChatGPT for client work” is becoming a material circumstance.

Document your cyber controls. Cyber insurers will not write you cover, and PI insurers will increasingly not renew you, without evidence of MFA, EDR, regular patching, encrypted backups, password discipline, and (for many) phishing simulation training. The cyber underwriter’s standard questionnaire is now thirty to fifty questions deep. Treat it as a free risk audit.

FAQ

Q1. If I have both cyber and PI policies and an incident triggers both, who pays first? There is no single market answer. Where both policies respond, the policy with the wider initial cover for the relevant head of loss usually leads. Most programmes will have an “other insurance” clause — read both. Where the cyber policy is primary for the first-party costs and the PI policy is primary for the third-party liability, brokers typically coordinate to avoid two excesses being paid. The mechanism is often called underwriting agreed primary.

Q2. Can I have just one of the two policies if I’m a small firm? For SRA-regulated solicitors, the SRA MTC provides PI cover by regulatory mandate, but doesn’t require cyber. For unregulated professions, both should be considered. The historic answer “PI is enough because it has a broad civil liability head” has become much less safe in the last five years as PI insurers have started excluding cyber events. Most professional services firms now buy both.

Q3. What’s the difference between cyber insurance and crime insurance for funds transfer fraud? Crime insurance (a separate product) covers theft by employees, third-party theft, computer fraud, funds transfer fraud and forgery. Cyber insurance often also covers funds transfer fraud and social engineering, but typically with a smaller sub-limit. For firms with high client-account exposure (solicitors, wealth managers), buying both can be appropriate.

Q4. Does my cyber policy cover the ransom itself? Most cyber policies will pay the ransom subject to two conditions: (a) it is lawful to do so under the applicable sanctions regime — the OFAC, OFSI and other lists must be checked, and the ransomware operator’s affiliation must be assessed; and (b) the policy has not been triggered to its limit by the wider incident response cost. Payment of a ransom does not in itself breach the Terrorism Act 2000 in most cases but a fact-specific review is essential. The market practice is that the cyber insurer’s panel firm performs the OFAC and sanctions analysis before any payment.

Q5. If I’m a regulated firm, does the ICO investigation cost come out of my cyber policy or my PI policy? Cyber. Most cyber policies offer a specific “regulatory investigation costs” head of cover, sometimes labelled “ICO investigation defence costs”. PI policies typically exclude regulatory investigations as such (they cover defence of claims, and a regulatory investigation is not a claim in the strict sense). However, if the ICO investigation runs in parallel to a civil claim by data subjects, the PI policy may pay the defence of the civil claim while the cyber policy pays the regulatory side.

Q6. Are fines from the ICO insurable? Civil-side fines may be insurable as a matter of law where they are not criminal in character. The ICO’s monetary penalty notices under UK GDPR are administrative penalties, and the case law on insurability is unsettled. Most cyber policies will indemnify ICO fines to the extent insurable as a matter of law. The policy is in effect saying: we’ll pay if a court says we can. For criminal fines (e.g. under the Computer Misuse Act 1990 if a director is convicted) there is no insurability.

Q7. What does “claims-made-and-notified” actually mean for cyber breaches discovered years later? PI claims-made-and-notified means the policy in force when the claim is made (or circumstances notified) responds, not the policy in force when the underlying error occurred. For a cyber breach where the underlying access happened in 2024 but the data subject claim is made in 2027, the 2027 PI policy responds — if it contains no retroactive date excluding pre-inception events. Cyber policy retroactive cover is a separately negotiated feature; don’t assume it.

Q8. Does cyber cover apply when I’m the conduit through which my client gets attacked? Often yes, under the “network security liability” head. If you, as an IT consultancy, were responsible for the network design that allowed your client to be compromised, the third-party liability head of your cyber policy is typically the home for the client’s claim. Your PI policy may also respond if the claim is framed as professional negligence. The two heads do similar work.

Q9. What’s the typical cyber policy notification window? The standard market is “as soon as reasonably practicable, in any event within X days” where X varies between 30 and 90. Many cyber policies have a hard 72-hour reporting requirement for personal data breaches to align with UK GDPR Article 33. Read the wording — late notification can be a condition precedent.

Q10. Can the same event affect two PI policy years? Yes if the act, error or omission and the claim straddle a renewal. Aggregation across PI years typically pulls all related matters into the policy in force when the first circumstance was notified. The Insurance Act 2015 reform to s.11 prevents insurers from refusing claims on the basis of immaterial terms but doesn’t change the trigger date.

Q11. What about the supply chain — if my SaaS vendor is breached, who pays my loss? Your cyber policy will typically respond to your own first-party loss (BI, incident response, data restoration). Your supplier’s PI or cyber may respond to its customers’ losses, including yours, but only to the limits the supplier purchased. The remainder is uninsured. Contractual remedies against the supplier may not be financially realisable if the supplier is small or has limited-liability clauses.

Q12. Are deepfake / AI fraud incidents covered? This is a rapidly evolving market. Some cyber policies have introduced specific cover for deepfake-impersonation fraud against the insured; many have not. The funds transfer fraud head may respond to a deepfake-induced wire fraud, but the wording usually requires the transfer to be made by an employee acting in good faith based on a fraudulent instruction — that’s a fact-pattern fit, not a guarantee. Ask explicitly.

Q13. If my cyber broker and my PI broker are different, who coordinates? In our view a single broker with sight of both wordings is significantly preferable. Where two brokers are involved, one must take the lead at the point of an incident, and there is real friction at that point. We strongly recommend consolidating cyber and PI placement with a single broker who can sign a co-ordinated cover statement.

Q14. Does my D&O policy come into this? Yes in some scenarios. A directors’ and officers’ liability policy responds to directorial exposure — actions of the board, including failure to implement appropriate cyber governance. Recent shareholder actions following public breaches in the UK and US have started reaching D&O. The interaction is generally a separate question from the cyber/PI interaction discussed here, but for larger firms the three-policy interaction is now standard.

Q15. Where do I read more? Each of the ten spoke articles linked from this hub takes one scenario in depth. The cross-link map at 00-cross-link-map.md shows the entire structure.


The 10 spoke articles in this series

The spokes drill into specific scenarios with worked numerical examples, the regulatory framework, the case law where relevant, and a practical buyer takeaway.

  1. Solicitor data breach claim — cyber or PI?
  2. Wire fraud via compromised email — who pays?
  3. Ransomware affecting client deliverables — claim coverage analysis
  4. IP infringement using AI-generated content — cyber, PI, or neither?
  5. Data Protection Act 2018 / UK GDPR — civil claim coverage
  6. The notification clock problem — same incident, two policies
  7. Business interruption from cyber attack — where PI doesn’t help
  8. Reputational damage post-breach — uncovered or sub-limited
  9. Cyber insurance for IFAs and wealth managers — specific FCA expectations
  10. Broker due diligence — what to disclose at PI renewal about cyber events

Related Apex resources

The aggregation hub: how series-clauses and originating-cause clauses operate across a programme.
The Insurance Act 2015 case-law walkthrough: fair presentation, proportionate remedies, condition-precedent reform.
The proposal-form guides: how to answer the cyber, AI and breach-history questions accurately.


Sources and further reading

UK GDPR and Data Protection Act 2018, especially Articles 33 and 82 of the UK GDPR and Schedule 1 of the DPA 2018.
Lloyd v Google LLC [2021] UKSC 50 (representative actions and damages for loss of control).
Vidal-Hall and others v Google Inc [2015] EWCA Civ 311 (misuse of private information; distress damages).
AIG Europe Ltd v Woodman [2017] UKSC 18 (aggregation; series clauses).
Lloyds TSB General Insurance Holdings Ltd v Lloyds Bank Group Insurance Co Ltd [2003] UKHL 48 (aggregation; unifying factor).
Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472 (uninsurability of penalties).
Insurance Act 2015, sections 3 (fair presentation) and 11 (terms not relevant to the actual loss), and the Insurance Conduct of Business rules.
FCA SYSC 4.1 (organisational requirements) and SUP 15.3 (notification obligations).
PRA “Operational resilience: Impact tolerances for important business services” (March 2021) and subsequent supervisory communications including the PRA Dear CEO letter of August 2022.
ICO enforcement decisions and guidance on personal data breach notification.
Information Commissioner’s monetary penalty notices and the published register.
SRA Minimum Terms and Conditions for Solicitors’ Professional Indemnity Insurance.
Lloyd’s Market Association cyber-related exclusion clauses including the LMA5400 series.


Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
