Commercial Insurance Overview for Professional Firms

A professional firm’s insurance programme is not a PI policy with extras bolted on; it is a stack of distinct covers, each of which responds to a different category of loss, and most of which are required by law or regulator.

PI sits at the centre and gets the attention. But for a typical twenty-person professional services firm — solicitors, accountants, surveyors, architects, consultants — the protection that actually carries the business across a bad year often comes from one of the policies sitting around it. Public liability, employers’ liability, directors and officers, cyber, crime, and office contents each have a defined job to do. This guide explains how they fit together, what is compulsory, what is optional but commercially essential, and what an integrated programme should look like for a mid-sized professional firm.

What this means in practice

Picture the firm. Twenty fee-earners and support staff, a Tier 1 city centre office of 4,000 sq ft, fee income of £6m, a board of three executive directors and two non-executive directors, around £8m of work-in-progress on the balance sheet, and a £400,000 IT investment in the last three years including a cloud-hosted practice management system. The firm is incorporated as an LLP.

That profile generates exposure across at least seven distinct insurance categories:

• Professional indemnity (PI) — civil liability for negligent professional services. Regulator-compulsory for all SRA, RICS, ICAEW, ARB, ACCA, CIOT firms; FCA-mandated for brokers and IFAs.
• Public liability (PL) — third-party bodily injury and property damage arising from the firm’s operations, on premises and elsewhere. Not compulsory but commercially essential.
• Employers’ liability (EL) — statutory cover for employee injury and disease. Compulsory under the Employers’ Liability (Compulsory Insurance) Act 1969 at a minimum of £5m per claim (market standard £10m).
• Directors and officers liability (D&O) — protects directors personally for claims against them in their capacity as directors. Relevant for the Companies Act 2006 statutory duties.
• Cyber insurance — breach response, ransomware, business interruption from cyber events, third-party data liability.
• Crime / fidelity — internal fraud, theft of money, social engineering loss.
• Office contents and business interruption — physical property damage and revenue loss from an insured peril at the premises.

Some firms add legal expenses, key person, and management liability extensions. A few add specie cover for items held on the premises (probate-held valuables, original engineering models). The structure varies but the categories above are the spine.

How the cover usually responds

Each policy responds to a defined category of loss. The mistake is to assume overlap; in practice the policies are designed not to overlap, and where they appear to, the wordings contain “other insurance” clauses that allocate the loss to the most specific cover.

PI responds to civil liability arising from the provision of professional services. It is the firm’s largest single insurance spend in almost every case and the cover the regulator requires. It does not respond to bodily injury, premises damage, employee claims, or director duty breaches.

PL responds to third-party bodily injury or property damage caused by the firm in the course of its activities. A visitor tripping in reception, a file room flood damaging the office next door, a marketing event injuring a guest — these are PL claims. PL does not respond to professional negligence, employee injury, or director claims.

EL is compulsory under the Employers’ Liability (Compulsory Insurance) Act 1969 for any business with one or more employees. The statute requires a minimum £5m per claim and a current certificate of insurance to be displayed (electronic display is permitted). The HSE enforces. EL responds to employee bodily injury, disease, or death arising out of and in the course of employment, including industrial disease claims with very long tails.

D&O responds to claims against directors personally arising from their conduct as directors. Under Companies Act 2006, sections 170 to 177, directors owe statutory duties to the company including the duty to promote the success of the company (s.172) and the duty to exercise reasonable care, skill and diligence (s.174). Breach exposes the director personally to claims from the company, shareholders, regulators, or insolvency practitioners. D&O typically also covers entity securities claims and provides defence costs cover for regulatory investigations.

Cyber responds to a category of loss that the other policies actively exclude. PI excludes most pure cyber losses where there is no professional services failure; PL excludes most data-related claims; crime excludes cyber business interruption. A standalone cyber policy responds to ransomware, breach response costs, third-party data liability, regulatory defence, and business interruption from a cyber event.

Crime / fidelity responds to direct financial loss from theft, fraud, and (where the wording is written for it) social engineering payment fraud — for example, where staff are duped into wiring funds to a fraudulent account by way of authorised push payment. Wordings vary materially on social engineering.

Office contents and BI responds to physical damage to the firm’s contents and the revenue loss from inability to trade following an insured peril (fire, flood, escape of water, malicious damage).

Insurance Act 2015 applies across all commercial covers. The duty of fair presentation under section 3 is wide; section 11 protects insureds where breach of a term is unrelated to the actual loss.

Common mistakes

• Assuming PI covers a cyber breach because client data was lost. PI responds to professional services failures, not to data losses arising from the firm’s own systems being attacked.
• Carrying the statutory minimum £5m on EL without considering disease claims, which can land decades after employment ends and which require historical EL records to be retrievable.
• Buying D&O as a tick-box and not reviewing the wording on regulatory defence costs or investigation cover, which is where most claims actually start.
• Setting cyber limits below the cost of a ransomware event. Recovery costs for a mid-sized firm now routinely exceed £250,000 even before any business interruption loss.
• Allowing renewal dates to fragment across the programme. Renewals on the same date make the duty of fair presentation easier to manage and avoid mid-year gaps.
• Failing to address social engineering specifically in the crime wording. Many crime policies exclude or sub-limit it.

Worked example

Take a twenty-person consultancy practice, fee income £6m, incorporated as a limited company. Over an eighteen-month period the firm experiences:

• A ransomware attack via a phishing email. Files are encrypted and exfiltrated. Breach response, forensics, regulator notifications under UK GDPR, client notifications, and an extortion negotiation cost £180,000. Business interruption while systems are restored costs a further £75,000. The cyber policy responds.
• A subcontractor employee falls in the office and sustains a back injury. The claim is initially pursued against the firm. The PL policy responds.
• The firm’s own bookkeeper diverts £45,000 of client expense reimbursements over six months. The crime policy responds.
• A former employee brings a constructive dismissal claim that escalates into a regulatory complaint to the firm’s professional body. The D&O policy responds to defence costs of the regulatory investigation; the employment practices liability extension responds to the dismissal claim itself.
• A client sues for £400,000 alleging negligent strategic advice on an investment that failed. The PI policy responds.

No single policy could have covered the full picture. The point is not that the firm needs more cover — it is that the cover needs to be coordinated, and renewals managed, so that no loss falls in the gap between two policies.

What to do at renewal

1. Map the programme on a single page. List each cover, the insurer, the limit, the excess, the renewal date, the broker contact, and the last review date.
2. Align renewal dates where possible. Common renewal makes proposal preparation and fair presentation more efficient.
3. Reconsider limits against current exposure, not last year’s renewal. EL minimum £5m statutory is rarely sufficient; £10m is market standard.
4. For D&O, confirm the wording responds to regulatory investigations not just civil proceedings.
5. For cyber, confirm sub-limits on ransomware extortion, breach response, and business interruption are adequate.
6. For crime, confirm social engineering is covered, not excluded, and at an adequate sub-limit.
7. Disclose every material circumstance under Insurance Act 2015 section 3 — claims, circumstances, regulatory enquiries, board changes, mergers.

Apex’s view

Apex’s view: Most firms are over-insured on the things that rarely happen and under-insured on the things that happen routinely. The programme that comes through our door for review almost always has too much office contents cover, an EL limit nobody has touched since 2015, and a cyber sub-limit that will not cover a single ransomware incident. The fix is unglamorous: a programme review every two years, with a written summary, signed off by the board. We do this for clients and it almost always changes the spend allocation rather than the spend total.

See also

• PI insurance for solicitors: the buyer’s guide
• Selling or merging a professional practice: the PI angle
• What happens if you’re refused business insurance
• Cyber insurance
• Employers’ liability insurance

Sources

1. Employers’ Liability (Compulsory Insurance) Act 1969
2. Companies Act 2006, sections 170 to 177
3. Insurance Act 2015, sections 3, 8, and 11
4. Financial Services and Markets Act 2000
5. FCA Handbook, MIPRU 3.2