The Cyber and PI Overlap for Professional Firms

The gap between where PI ends and cyber begins is no longer a technical question for the insurance manager — it is the most common reason professional firms find a claim partially uninsured.

A regulated UK firm has been told for years that its professional indemnity policy is the bedrock of its protection. That is still broadly true. But the modern claim against a professional firm rarely fits neatly into one policy. A fraudulent email diverting client funds, a ransomware attack that delays a deliverable, a data breach affecting client personal data — these incidents trigger questions in both the PI wording and the cyber wording, and where the firm has only one of the two, the exposure that falls into the gap is usually substantial. This guide explains the overlap, the gap, and the case for buying cyber separately rather than relying on PI to do both jobs.

What this means in practice

A traditional PI policy responds to civil liability arising from the firm’s professional services. Its core insuring clause is built around negligence, breach of contract, breach of duty, and similar civil wrongs in the conduct of the business. It typically responds well to design errors, advice errors, missed deadlines, conflict of interest, and fee disputes. It does not, in most wordings, respond well to first-party loss: the cost of restoring the firm’s own systems, the cost of forensic investigation into the firm’s own breach, business interruption to the firm’s own revenue, or regulatory penalties imposed on the firm.

A cyber policy is built the other way round. It covers the firm’s own first-party costs — incident response, forensics, system restoration, business interruption, ransomware payment in some wordings — and adds third-party liability for data privacy breaches, regulatory investigation costs, and notification obligations. It does not typically cover the underlying professional negligence claim that may flow from the disrupted service.

The overlap is real. Social engineering fraud — where a criminal impersonates a client or supplier and instructs a transfer — sits in the seam. So does client money misdirection. So does the professional negligence claim that follows a ransomware-induced missed deadline. So does the data protection claim brought by an individual whose personal data was exposed in a breach of the firm’s systems.

The regulatory backdrop matters. The Data Protection Act 2018 and the UK GDPR impose obligations on controllers and processors to keep personal data secure (Article 5 principles, Article 32 security of processing), to notify the Information Commissioner of qualifying breaches within 72 hours (Article 33), and in some cases to notify affected individuals (Article 34). Fines under the regime can reach the higher of £17.5m or 4% of global turnover for the most serious breaches. Individuals can also pursue civil claims for distress and material damage. Most of these costs do not sit comfortably inside a standard PI wording.

How the cover usually responds

A standard professional indemnity wording will respond to a third-party claim alleging that the firm’s professional service was deficient — and that includes a service deficient because of a cyber incident the firm should have prevented. If a ransomware attack causes a missed filing deadline and a client suffers loss, the resulting negligence claim is usually within the PI insuring clause. But the cost of investigating and remediating the ransomware itself, the cost of legal advice to the firm on its notification obligations, and the regulatory fine if one is imposed, generally are not.

Cyber wordings vary widely but typically include: incident response coordination, forensic IT investigation, legal advice on regulatory notification, public relations response, business interruption to the firm’s own operations, system restoration costs, ransomware extortion (subject to the firm’s sanctions screening obligations), and third-party liability for data breaches including defence costs for ICO investigations. The better wordings now also include social engineering fraud and funds transfer fraud as named perils, subject to sublimits.

Social engineering fraud is the most common claim type we see falling into the gap. A client emails what appears to be revised banking details. The firm pays. The original invoice was hijacked. PI insurers will usually decline on the basis that the loss is not a civil liability owed to a third party but a direct loss to the firm itself or its client — and that no professional service was negligently performed in transferring funds in good faith. Cyber wordings with named social engineering cover are designed precisely for this scenario.

Section 3 of the Insurance Act 2015 applies equally to both placements. Material circumstances must be disclosed on both proposals — and a cyber incident notified to PI is a material circumstance on the cyber renewal, and vice versa. Section 11 limits an insurer’s ability to rely on terms unrelated to the actual loss, which can matter where a firm has imperfect IT hygiene but the breach in question is unrelated to that imperfection.

For regulated intermediaries, FCA Handbook MIPRU 3.2 sets minimum PI requirements, and the FCA’s SYSC sourcebook addresses operational resilience and the management of cyber risk. Neither is a substitute for purchasing the right tower of cover; both raise the expectation that the firm has thought about it.

Worked example

Consider a 25-partner accountancy practice with £8,000,000 fee income and a £5,000,000 PI limit. A criminal impersonates a long-standing client by email and instructs a partner to remit £180,000 of refunded VAT to a new bank account. The transfer goes through before the fraud is detected.

The firm notifies its PI insurer. The PI insurer declines coverage on the basis that the loss is not a civil liability owed to a third party arising from the conduct of professional business — the funds were the firm’s own client account funds, transferred in response to a fraudulent instruction.

The firm also holds a standalone cyber policy with £2,000,000 of cover and a £250,000 social engineering fraud sublimit. The cyber insurer responds. After investigation and recovery efforts that retrieve £40,000 from the receiving bank, the net loss of £140,000 is settled under the social engineering sublimit. The forensic investigation and legal advice on regulatory notification are paid in addition under the incident response cover. Without the cyber policy, the entire £140,000 would have fallen on the partnership.

What to do at renewal

  1. Map every plausible incident scenario across the two policies. For each, identify which policy responds first, which responds at all, and what sits in the gap.
  2. Read the cyber endorsement on the PI policy, if any, against the standalone cyber wording side by side. The sublimits and exclusions will be markedly different.
  3. Confirm the social engineering and funds transfer fraud sublimits on the cyber policy. These are rarely the same as the policy aggregate; they are typically capped at a fraction of it.
  4. Check that the firm’s notification process triggers both insurers simultaneously where an incident touches both. Internal protocols should name the brokers for both policies.
  5. Review the firm’s GDPR and Data Protection Act 2018 compliance posture. Cyber underwriters expect documented data mapping, breach response procedures, and a tested incident response plan.
  6. Ensure that the cyber policy’s business interruption trigger matches the firm’s actual operations — many wordings require a system outage exceeding a stated waiting period.

Apex’s view

The single most common claim we now see partially uninsured at professional firms is social engineering fraud sitting in the gap between PI and cyber. Firms have been told for years that “PI covers everything”; it does not, and the cyber endorsement bolted onto a PI policy is usually a poor substitute for a standalone wording. For any professional firm holding client money, handling significant volumes of personal data, or running deliverables on cloud systems — which is now most of the market — standalone cyber alongside PI is no longer optional. The cost of buying cyber properly is finite. The cost of finding out at notification that the policy does not respond is not.

Sources

  1. Data Protection Act 2018
  2. UK GDPR (Retained Regulation (EU) 2016/679), Articles 5, 32, 33 and 34
  3. Insurance Act 2015, sections 3, 8 and 11
  4. FCA Handbook, MIPRU 3.2 and SYSC
  5. Financial Services and Markets Act 2000

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
