
IT Professionals Professional Indemnity Insurance — UK Guide 2026

A mid-sized software consultancy in Bristol is engaged to migrate a regional retailer from a legacy on-premise stock-and-finance system to a cloud-hosted platform. The statement of work runs to forty pages, the fees are six figures, the timeline is six months. Nine months in, the cutover slips, the first three days of trading on the new platform see stock counts misaligned across two hundred SKUs, the retailer loses an estimated £340,000 in margin to overselling and emergency manual reconciliation, and the relationship breaks down. Four months later the consultancy receives a letter before action: the retailer alleges negligence in the migration plan, breach of contract on the timeline, and claims for the lost margin, the additional consultancy fees paid to bring in a remediation firm, and the cost of the eighteen months of professional time the retailer's own team had to redirect.

That letter is not, in commercial reality, unusual. UK software development, IT consultancy and managed-service engagements are increasingly business-critical, increasingly entangled with the client's own revenue and data, and increasingly the subject of formal disputes when something material goes wrong. The product that decides whether a dispute of this kind becomes a manageable cost of doing business or an event that closes the firm is Professional Indemnity Insurance — PI, sometimes called PII, sometimes (in the technology market specifically) tech E&O for "errors and omissions".

This guide is for directors, founders and operations leads at UK IT consultancies, software development houses, system integrators, managed service providers and independent contractors. It explains what PI actually covers for a tech firm, where it sits alongside cyber and data-breach cover, what claims look like in practice, what underwriters look at, and how to think about limits, excess and run-off. It runs longer than the typical broker brochure because the detail genuinely affects whether a policy responds to the claim you eventually receive.

The regulatory backdrop — and why "no formal regulator" doesn't mean no rules

Unlike accountants, solicitors, architects or surveyors, UK IT professionals do not have a single statutory regulator setting compulsory Professional Indemnity requirements. There is no equivalent of the Solicitors Regulation Authority Minimum Terms, no ARB criteria for architects, no ICAEW PII Regulations. BCS, The Chartered Institute for IT, has a Code of Conduct for its members but does not mandate a PI limit. Trade bodies such as techUK and the Federation of Small Businesses encourage cover but do not set it as a membership condition.

That absence sometimes leads founders to conclude that PI is optional. In practice it is not — the obligation just sits in different places.

First, the client's master services agreement. The single most common reason a UK technology firm buys PI is that its enterprise clients require it as a condition of contracting. A typical MSA from a large corporate, public sector body or financial services client will require the supplier to maintain Professional Indemnity Insurance for a stated minimum limit — most commonly £1m to £5m, sometimes £10m or more for higher-value engagements — for the duration of the contract and for a tail period (commonly six years) after termination. The contract usually also requires a separate cyber liability policy and an employers' liability policy where the supplier has UK staff. Failing the insurance schedule of an MSA is the single most common reason a software firm cannot complete a procurement process with a serious client.

Second, English contract law and the law of tort. A supplier of professional services owes its client a contractual duty (typically expressly stated in the MSA and SOW, and impliedly under the Supply of Goods and Services Act 1982 to perform with reasonable skill and care) and a parallel duty in tort. A claim for breach of either can be brought up to six years after the cause of action arose for ordinary contracts and twelve years where the contract is executed as a deed. PI exists precisely to respond to that exposure.

Third, the Insurance Distribution Directive (IDD) and FCA Conduct of Business rules. These do not regulate the IT firm itself, but they regulate how brokers (Apex among them) must place and explain the cover. They also apply to any IT firm that itself sells or distributes insurance products as part of its services — an embedded-insurance fintech, for example — in which case the FCA may regulate the firm in addition to its general contractual position.

Fourth, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. A consultancy or developer handling personal data on behalf of a client typically becomes a processor under the legislation; a managed service provider may become a controller. The Information Commissioner's Office (ICO) can impose monetary penalties of up to the higher of £17.5m or 4% of global turnover for serious infringements. PI does not pay ICO fines, but PI and cyber policies in combination typically respond to the costs of investigating and remediating a breach and to civil claims brought by data subjects under section 168 of the Data Protection Act 2018.

Fifth, the Building Safety Act 2022 and sector-specific overlays. IT firms working with regulated industries (financial services through FCA-authorised clients, defence through MOD framework agreements, healthcare through NHS Digital and DSPT, payment systems under PSR oversight) inherit those clients' regulatory expectations contractually, which usually flow through into mandatory insurance and audit clauses.

The right way to think about it is that the IT profession is not regulated for PI in the same prescriptive way as the chartered professions, but the commercial and legal environment makes PI effectively mandatory for any firm of meaningful size working with serious clients.

What IT Professional Indemnity insurance actually covers

PI for technology firms responds to civil claims made against the firm by a client or third party alleging financial loss caused by a wrongful act in the firm's professional services. "Wrongful act" is the policy term and is normally defined to include negligence, error, omission, misleading statement, breach of professional duty and (importantly for technology) breach of contract in respect of the professional services.

For an IT consultancy or software developer, the envelope of "professional services" is typically broad. A well-written tech PI policy will respond to:

Allegations of negligent design, development, testing or implementation of software.
Errors and omissions in coding, configuration or deployment.
Failure to deliver to specification — within the parameters of contractual cover.
Defective integration with other systems.
Negligent advice on technology selection, architecture or vendor choice.
Mistakes in data migration.
Failures in IT project management.
Negligent training or knowledge transfer.
Failure to spot issues a reasonable IT professional should have spotted.

A modern tech PI policy will also typically include cover that the older "pure" PI wordings did not. The most important of these crossovers are intellectual property infringement, defamation and disparagement in published content, and breach of confidence. IP infringement cover is particularly relevant: if your code base is alleged to incorporate copyrighted material owned by a third party — for example, an open-source library used outside the terms of its licence — the IP infringement extension in a tech PI policy is what responds. Whether and how that cover extends to AI-generated code is a live and unsettled question that we return to below.

What PI does not cover is equally important. It does not respond to deliberate or fraudulent acts. It does not pay regulatory fines or penalties. It does not pay the firm's own contractual liquidated damages where those are deemed punitive rather than compensatory (some policies cover liquidated damages on a "civil liability" basis, others exclude them — read the wording). It does not pay for the firm's own remedial work to put right a defective deliverable (the "rework exclusion") unless the policy specifically extends to mitigation costs. And it does not pay for losses arising from acts or omissions outside the professional services definition — for example, an employment dispute would not be a PI matter.

Common sources of claim against IT firms

Working from anonymised industry data and broker market reports, the recurring categories of claim against UK IT consultancies and software firms cluster into a small number of patterns.

Project overruns and scope disputes. The largest category by frequency. The supplier delivers later than agreed, or delivers something that the client argues does not meet the agreed scope, or finds itself in continuous change-request territory while the underlying contract clock continues to run. When the relationship breaks down, the client typically claims for the cost of bringing in a remediation firm, the cost of internal staff time, the cost of business interruption, and in some cases the cost of the original engagement itself.

System failures and outages. Software the firm built or maintains fails in production, taking down a client's e-commerce site, payments system, internal ERP or critical workflow. The claim is for the lost revenue, the operational cost of running manually during the outage, and where personal data is exposed, the cost of breach notification and remediation. The boundary between PI and cyber here is one of the most-tested areas of the technology insurance market, and we treat it in detail in our companion guide on PI versus cyber cover for software development.

Data loss and corruption. Migration that loses or duplicates records. Backup processes that turn out not to have worked. Database rebuilds that drop fields. The claim is typically a mix of reconstruction cost (paid by PI under "loss of documents" or equivalent extensions) and consequential loss to the client's business.

Intellectual property infringement. A client product is alleged to infringe a third party's patent, copyright or trademark, and the infringement is traced to the developer's contribution. Open-source licence non-compliance — most commonly GPL-family copyleft licences flowing through into proprietary distributions — sits in the same bucket and is increasingly the subject of formal claims. Generative AI introduces a further wrinkle: where production code includes meaningful contributions from large language model assistants, the question of who owns the output and what licence terms attach is being tested in courts globally.

GDPR and data protection exposure. A breach exposing client or end-user personal data triggers ICO notification within 72 hours, sometimes affected-individual notification, and frequently civil claims under Article 82 of the UK GDPR and section 168 DPA 2018. PI typically responds to defence of the civil claims; cyber typically responds to the breach response costs and any ransomware extortion; the ICO fine itself is uninsurable as a matter of public policy.

Cyber-incident-derived claims against the IT supplier. Where the IT supplier is alleged to have caused or contributed to a cyber incident at the client — for example through negligent configuration of a firewall, failure to patch a known vulnerability, weak default credentials in a delivered system, or inadequate access controls — the client's resulting losses can become the supplier's PI claim. This is now one of the more rapidly increasing categories of tech PI loss in the UK market.

Breach of warranty or service level agreement. The MSA contains SLAs around availability, response times or remediation; the supplier misses them; liquidated damages or service credits are invoked; downstream losses follow. Whether PI responds depends on whether the wording is structured as compensation for breach (typically covered) or as a service credit / penalty (typically not).

Disputes over deliverables and acceptance testing. The client refuses to sign off acceptance; the supplier argues acceptance criteria have been met; fees are withheld; counterclaims escalate.

How PI overlaps with — and differs from — cyber and tech E&O

This is the question that causes the most confusion. The short version: in a modern technology insurance programme, PI / tech E&O cover and cyber cover are typically separate but complementary policies, frequently bought from the same insurer on combined wordings, and the question is where the lines fall.

Professional Indemnity / tech E&O responds to civil claims against the firm alleging financial loss caused by the firm's professional services. The trigger is a claim, real or threatened, by a third party. The cover pays defence costs and damages.

Cyber liability insurance responds to the firm's own first-party costs and third-party liability arising from a cyber incident affecting the firm itself or its clients' systems under the firm's control. The trigger is the incident, not the claim. The cover typically pays for forensic investigation, breach notification, credit monitoring, ransomware response (subject to regulatory and sanctions considerations), business interruption to the firm itself, system restoration, and crisis-management PR; it also covers third-party liability where data subjects, regulators or commercial counterparties bring claims arising from the incident.

The overlap area is where things get interesting. If the firm's negligent professional services cause a cyber incident at a client which then causes a third-party claim, both policies are potentially in play. Modern markets handle this in one of three ways: with a combined "tech E&O and cyber" wording from a single insurer that contains the carve-up internally; with separate policies from the same insurer designed to nest cleanly; or with separate policies from different insurers where the broker's job is to ensure there is no gap and no double-recovery problem.

For a UK software firm working with regulated clients, holding only PI without cyber is increasingly hard to justify. Holding only cyber without PI leaves the much larger civil-liability exposure uncovered. The detailed mapping is the subject of our companion article on PI versus cyber cover for software development.

Cover limits, excess and how to think about them

The "any one claim" limit and the "in the aggregate" limit are the two numbers that determine how much your policy will actually pay. A policy written as "£2m any one claim, £4m in the aggregate" means each individual claim is covered up to £2m and the total of all claims in the policy year is covered up to £4m. A policy written as "£2m in the aggregate" means the total of all claims in the year is capped at £2m. The wording matters more than the headline number.

How much cover an IT firm should buy is driven by three factors: the contractual minima imposed by the firm's clients (which often set the floor), the worst-case financial exposure on the firm's largest live engagements (which should set the ceiling), and the affordability of the premium at different layers (which sets the practical answer in the middle).

A representative pattern across the UK market in 2026:

A two- to five-person development consultancy doing fixed-fee work for SME clients with engagement values under £100,000 typically buys £1m to £2m of cover, frequently combined with a £1m or £2m cyber layer.
A mid-sized firm of fifteen to fifty consultants serving enterprise clients on multi-year retainers typically buys £2m to £5m of cover, sometimes with a primary layer plus an excess layer above.
Firms with public sector framework engagements (G-Cloud, DOS, CCS frameworks) commonly need £5m to £10m of cover to meet framework conditions.
Firms working with regulated financial services clients commonly need £10m or more, sometimes structured as a tower with multiple layers.

The excess (or deductible) is what you pay before the insurer pays. Typical excesses run from £1,000 to £25,000 for smaller firms and from £25,000 to £100,000 for larger firms. A higher excess reduces premium but absorbs the cost of small claims internally — which is fine if your contract terms and quality controls mean small claims are infrequent, less fine if you are exposed to a high volume of low-value disputes.

Aggregation matters. If you are likely to face a series of related claims arising from the same root cause — a defect in a piece of software you've deployed to multiple clients, for example — you need to understand whether your policy treats these as one claim (good for you, because one limit and one excess) or as multiple separate claims (bad for you in respect of the excess, good in respect of the limit). The wording of the aggregation clause is the relevant detail.

Run-off cover — the often-forgotten obligation

If your IT firm winds down, is sold, or substantially changes its activities, the liability for work already done does not vanish. PI is written on a claims-made basis, which means the policy that responds to a claim is the policy in force at the date the claim is notified, not the policy in force at the date the work was done. Once you stop trading and stop paying premiums, your last policy is the last policy that will ever respond to anything — unless you have bought run-off cover.

There is no UK statutory minimum run-off period for IT professionals (unlike for solicitors, where it is six years, or for accountants under ICAEW's PII Regulations). The practical standard in the technology market is six years, matching the limitation period for breach of contract under English law; clients with MSAs requiring tail cover commonly require six years and occasionally twelve years where the original contract was executed as a deed. Run-off is normally priced as a single up-front premium calculated as a multiple of your last working premium — commonly 100% to 250% of the last annual premium spread across the run-off period.

Selling the business does not automatically extinguish your run-off obligation. The sale and purchase agreement has to deal with it explicitly: who buys the run-off, who pays for it, who notifies pre-completion circumstances, and how the warranties and indemnities sit alongside it. This is a recurring area where IT founders selling out get caught short — the cost of a six-year run-off layer is often a non-trivial deduction from sale proceeds, and discovering it the week before completion is unwelcome.

The role of contract terms versus PI

PI does not exist in isolation; it sits behind the contract terms the firm has agreed with its clients. A well-drafted MSA limits the supplier's liability — commonly to the fees paid in the preceding twelve months, sometimes to a fixed cap, sometimes to a multiple of fees — and excludes consequential and indirect losses, loss of profit, loss of opportunity and other categories of damage. Where these caps and exclusions are enforceable, they limit how much the supplier can be required to pay regardless of the policy limit.

Conversely, a poorly-drafted contract — or no contract at all — leaves the supplier exposed to the full common-law measure of damages, which can be many multiples of the engagement fees. The interaction between contractual liability caps and PI cover is fundamental: PI responds to your legal liability, so the contract terms shape the size of the liability before the insurance question even arises.

Two contract provisions are worth particular attention. The first is the liability cap: a cap that is too low can render insurance redundant on a large claim (you can't claim more from the insurer than you legally owe the client) and liability that is left uncapped — increasingly common in MSA drafting around personal data and IP infringement — can expose the firm to losses well beyond the policy limit. The second is the fitness-for-purpose warranty: traditional English construction-and-engineering case law (notably Greaves & Co v Baynham Meikle and the various Supply of Goods and Services Act 1982 cases) treats a fitness-for-purpose obligation as more onerous than reasonable skill and care, and most PI policies cover liability arising from negligence but exclude liability arising from a contractual warranty of fitness for purpose. A software contract that warrants the software will be "fit for the client's intended purpose" — without the qualifying skill-and-care language — can put a firm outside cover for the very liability the contract creates.

We help clients with the MSA-review side of the picture as well as the policy placement, because the two interact at every renewal.

How an IT firm chooses cover

There is no single right answer, but the structured way to approach the question is to work through four layers in order.

First, what do your contracts require? Pull the insurance schedules from your top five MSAs, identify the highest PI limit any client requires, and treat that as the contractual floor. If you cannot meet a client's insurance schedule you cannot legitimately sign the contract. Then check whether each contract also requires cyber, employers' liability, public liability, run-off, and named-insured or noted-interest extensions.

Second, what is your worst-case engagement exposure? Look at your three largest live engagements. What is the maximum financial loss to the client (in revenue, in business interruption, in reconstruction cost, in regulatory exposure) if your delivery fails in the worst plausible way? Your aggregate cover should comfortably exceed that worst-case figure, with allowance for defence costs which can readily run to six figures on a contested matter.

Third, what is the structure of cover that fits? A single £5m limit might or might not be the right answer compared with a £2m primary plus a £3m excess layer. Different structures attract different premiums and have different cost dynamics on a large claim. A broker who places only one insurer's product cannot give you a meaningful comparison; an independent broker can.

Fourth, what is the right balance of premium, excess and self-retention? A higher excess reduces premium but pushes more of the small-claim cost onto the firm. For a firm with strong contract terms, clean delivery history and a low expected frequency of small disputes, a higher excess is usually economic; for a firm with a longer tail of customer disputes and weaker contract terms, a lower excess is usually worth the premium.

What Apex does as a broker

Apex Insurance Brokers Limited is an independent FCA-authorised insurance broker. We are not tied to any one insurer, we are not part of a network with quotas, and we do not run our own policy wording or our own underwriting decisions. We act as the broker for our clients, which under FCA Conduct of Business rules means we represent the client's interests in the negotiation with the insurance market.

For an IT firm that means we take the renewal information, present it to the insurers we think will price the particular profile sensibly, negotiate the terms, explain the differences in wording between the quotes that come back, and document the decision so that it stands up to your own internal compliance review and to your clients' insurance-schedule checks. We do not promise a specific price or a specific insurer — those depend on the underwriter's view of your individual risk — and we do not have any quota arrangement that would skew our recommendation.

What we are required to do, and do, is act fairly, with integrity, and with reasonable skill and care, and explain how we are remunerated. That information is on our Terms of Business page, and the route for raising any concern about our service is on our Complaints page. Our Privacy notice explains how we handle personal data in the course of placing your cover.

If your renewal is within ninety days, or if you have an MSA in front of you with an insurance schedule you need to meet, the right next step is a conversation. The first call costs nothing and does not commit you to anything — see our IT professionals sector page or contact us directly.


Frequently asked questions

Do UK IT professionals legally have to hold Professional Indemnity Insurance?

There is no UK statute that requires IT consultancies, software developers or contractors to hold Professional Indemnity Insurance in the way that, for example, solicitors and architects are required to. There is no equivalent prescriptive regulator. However, in commercial practice PI is effectively mandatory for any firm of meaningful size: enterprise client MSAs, public sector framework agreements (including G-Cloud and Digital Outcomes and Specialists), and most large procurement processes will require PI cover at a stated minimum limit. UK contract and tort law also expose a supplier of professional services to civil claims for negligent performance, and PI is the product that responds to those claims.

What is the difference between PI and tech E&O?

In the UK market the two terms are used largely interchangeably to describe Professional Indemnity cover written for technology firms. "Tech E&O" — technology errors and omissions — is the US-origin terminology that has come into UK use as more global insurers have written the product on combined wordings. A modern UK tech PI / tech E&O policy will normally cover the same envelope of risks: professional negligence, errors and omissions, breach of contract in respect of professional services, intellectual property infringement, breach of confidence, and (where bundled) cyber liability. The differences lie in the precise wording of individual policies rather than between the two labels.

Is cyber insurance the same as Professional Indemnity?

No. The two products respond to different risks and are typically held side by side. PI / tech E&O responds to third-party civil claims against the firm alleging financial loss from professional services. Cyber liability responds to the firm's own first-party costs of a cyber incident (forensic investigation, breach notification, ransomware response, system restoration, business interruption to the firm) and to third-party liability arising from the incident. Where a software firm's negligence causes a cyber incident at a client, both policies may respond, and the way they nest matters. We cover this in detail in our PI vs cyber cover for software development article.

How much PI cover should an IT consultancy hold?

The commercial floor is the highest insurance requirement in your client contracts. The practical ceiling is the worst-case financial loss you could plausibly cause across your largest live engagements. A small SME-focused development shop might sit comfortably at £1m to £2m of cover; a mid-sized enterprise consultancy typically at £2m to £5m; firms on public sector frameworks commonly at £5m to £10m; firms working with regulated financial services clients frequently above that. The "any one claim" versus "in the aggregate" structure matters as much as the headline number, and the right answer depends on the wording of your contracts as much as on the size of your firm.

Does PI cover claims arising from AI-generated code or large language model use?

This is currently a live and evolving question. Most UK tech PI wordings written in 2025 and 2026 do not have an express exclusion for AI-generated output, but several insurers have introduced clarifying endorsements addressing the position. The risk areas that matter are intellectual property infringement (where the output is alleged to reproduce copyrighted training data), warranties of originality (where the supplier represents that deliverables are original work), and errors flowing from undetected AI hallucinations in production code. Firms making material use of generative AI in delivery should declare it at renewal so the wording and any endorsements respond as intended; this is one of the points your broker should walk you through specifically.

Do I need run-off cover after closing or selling my IT business?

Almost always, yes. PI is written on a claims-made basis, which means the policy responds only if it is in force when the claim is notified — not when the work was done. Once you stop trading and stop paying premiums, claims can still arise for several years afterwards under English contract and tort law (six years for ordinary contracts, twelve years for contracts executed as deeds). Run-off cover keeps a PI policy live for a defined tail period to respond to those late-arising claims. There is no statutory minimum for IT firms but the practical standard is six years, and many MSAs require it as a contractual commitment surviving termination.

What does PI not cover for an IT firm?

The principal exclusions across the market are: deliberate or fraudulent acts; the firm's own remedial work to put right a defective deliverable (the "rework" exclusion, unless an extension is bought); regulatory fines and penalties (uninsurable as a matter of public policy in respect of ICO fines under UK GDPR); contractual liabilities the firm has assumed beyond its general legal duty (including fitness-for-purpose warranties not qualified by skill and care); first-party cyber incident costs (which sit on the cyber policy); bodily injury and property damage (which sit on public liability); and employment-related claims (which sit on employers' liability or D&O). The detailed exclusions vary between wordings — read the policy.

How long do I have to notify a circumstance to my PI insurer?

Claims-made policies require notification of any circumstance that may give rise to a claim as soon as practicable after the firm becomes aware of it, and at the latest before the end of the current policy period. Late notification, or non-notification carried into a renewed policy, is the single most common reason a claim fails to be covered. The threshold for "circumstance" is low — a complaint letter, a refusal to pay an invoice with reasons attached, a project being formally paused for review — and the safe rule is to notify when in doubt. Notification does not commit the firm to anything but it preserves cover.



About Apex Insurance Brokers

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FCA firm reference 724952. Registered in England and Wales, Companies House 07014570. Last reviewed: May 2026.

This guide is general information about Professional Indemnity Insurance for UK IT professionals and is not advice tailored to any individual firm's circumstances. For advice on your own placement, please contact us.


FAQPage JSON-LD

{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "Do UK IT professionals legally have to hold Professional Indemnity Insurance?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "There is no UK statute that mandates Professional Indemnity Insurance for IT consultancies, software developers or contractors in the way that solicitors and architects are regulated. In commercial practice, however, PI is effectively mandatory: enterprise client MSAs, public sector framework agreements, and most large procurement processes require PI cover at a stated minimum limit. UK contract and tort law also expose suppliers of professional services to civil claims for negligent performance, and PI is the product that responds to those claims."
      }
    },
    {
      "@type": "Question",
      "name": "What is the difference between PI and tech E&O?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "In the UK market the two terms are used largely interchangeably to describe Professional Indemnity cover written for technology firms. Tech E&O — technology errors and omissions — is US-origin terminology that has come into UK use as global insurers offer combined wordings. A modern UK tech PI policy will normally cover professional negligence, errors and omissions, breach of contract in respect of professional services, intellectual property infringement, and (where bundled) cyber liability. Differences lie in the precise wording of individual policies rather than between the two labels."
      }
    },
    {
      "@type": "Question",
      "name": "Is cyber insurance the same as Professional Indemnity?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "No. PI responds to third-party civil claims alleging financial loss from professional services. Cyber liability responds to the firm's own first-party costs of a cyber incident — forensic investigation, breach notification, ransomware response, system restoration, business interruption — and to third-party liability arising from the incident. Where a software firm's negligence causes a cyber incident at a client, both policies may respond, and the way they nest matters."
      }
    },
    {
      "@type": "Question",
      "name": "How much PI cover should an IT consultancy hold?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "The commercial floor is the highest insurance requirement in your client contracts. The practical ceiling is the worst-case financial loss you could plausibly cause across your largest engagements. A small development shop typically sits at £1m to £2m of cover; mid-sized enterprise consultancies at £2m to £5m; firms on public sector frameworks commonly at £5m to £10m; firms working with regulated financial services clients frequently above that. The 'any one claim' versus 'aggregate' structure matters as much as the headline number."
      }
    },
    {
      "@type": "Question",
      "name": "Does PI cover claims arising from AI-generated code or large language model use?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "This is a live and evolving question. Most UK tech PI wordings written in 2025 and 2026 do not have an express exclusion for AI-generated output, but several insurers have introduced clarifying endorsements. The risk areas are intellectual property infringement, warranties of originality, and errors flowing from undetected AI hallucinations in production code. Firms making material use of generative AI in delivery should declare it at renewal so the wording and any endorsements respond as intended."
      }
    },
    {
      "@type": "Question",
      "name": "Do I need run-off cover after closing or selling my IT business?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Almost always, yes. PI is written on a claims-made basis, meaning the policy responds only if it is in force when the claim is notified, not when the work was done. Once you stop trading and stop paying premiums, claims can still arise under English contract and tort law for six years for ordinary contracts and twelve years for deeds. There is no statutory minimum for IT firms but six years is the practical standard, and many MSAs require it contractually."
      }
    },
    {
      "@type": "Question",
      "name": "What does PI not cover for an IT firm?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Principal exclusions across the market include deliberate or fraudulent acts; the firm's own remedial work to put right a defective deliverable (the rework exclusion); regulatory fines and penalties including ICO fines under UK GDPR; contractual liabilities beyond general legal duty including fitness-for-purpose warranties not qualified by skill and care; first-party cyber incident costs which sit on the cyber policy; bodily injury and property damage which sit on public liability; and employment-related claims. Detailed exclusions vary between wordings."
      }
    },
    {
      "@type": "Question",
      "name": "How long do I have to notify a circumstance to my PI insurer?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Claims-made policies require notification of any circumstance that may give rise to a claim as soon as practicable after the firm becomes aware of it, and at the latest before the end of the current policy period. Late notification is the single most common reason a claim fails to be covered. The threshold for 'circumstance' is low — a complaint letter, a refusal to pay an invoice with reasons attached, a project being paused for review — and the safe rule is to notify when in doubt."
      }
    }
  ]
}


Author: Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, firm reference number 724952. This guide is general information and is not advice tailored to any individual firm's circumstances. For advice on your own renewal please speak to a broker — see our contact page. Last reviewed: May 2026.


What to expect from Apex when you place IT professionals PI with us

Indicative figures for a typical clean profile · substantiated, not promised · final premium subject to underwriting.

Indicative starting premium: £350 / year (sole IT consultant, £250k limit, no critical-infrastructure projects). Higher-risk profiles will exceed this.
Recent claim example: a worked scenario showing how the policy responded — from notification to settlement.
Your named broker: Amy Price, Account Executive. Same person from first quote to renewal — not a call-centre queue.

BCS / IISP · named-broker service · same-day acknowledgement, five working days for indicative terms on straightforward risks.

Our service promise. We acknowledge every quote request the same working day. For straightforward risks, indicative terms typically follow within five working days. Complex risks — higher-risk buildings, cladding, mid-term proposals requiring fresh underwriting — may take longer; we’ll send you a progress note by the end of the fifth working day in those cases.