FCA FRN 724952  ·  Co. No. 07014570  ·  Bristol
Cluster article · Architects

IT & Tech Consultancy Professional Indemnity FAQ — UK 2026

This FAQ is for founders, directors and operations leads at UK IT consultancies, software development houses, SaaS providers, managed service providers and tech advisory firms. It covers the questions we are most often asked about Tech PI: where the cover overlaps with cyber, what client contracts typically demand, how data protection breaches are handled, and the IP infringement exposure that comes with bespoke development. The answers reflect the position under UK law and FCA / ICO rules as at May 2026.

Unlike solicitors or surveyors, IT consultants are not generally subject to a single statutory or regulator-mandated PI requirement. Cover is driven by client contracts, public-sector frameworks and commercial sense rather than by rule book. The market is large and competitive, but the wordings vary widely and several common gaps catch IT firms out at claim — particularly the boundary between PI and cyber. For tailored guidance contact Apex Insurance Brokers on 0117 325 0027 or info@apexinsurancebrokers.co.uk. For the general PI position see our main PI FAQ hub.

Do IT consultants legally need PI insurance?

There is no general statutory requirement for IT consultants in the UK to hold PI. The British Computer Society (BCS) recommends PI but does not mandate it as a condition of Chartered IT Professional status. The practical position is that PI is almost always required: client contracts routinely demand it (typically £1m to £5m, sometimes £10m for enterprise work); public-sector frameworks specify it (G-Cloud and most central government frameworks require £1m minimum); and the consequences of operating without it on a contract that requires it are breach of contract and personal exposure to the firm’s owners.

How does IT PI relate to cyber insurance?

They cover different things and are best held in combination. PI responds when a client sues you for financial loss caused by your professional services — your software has a bug, your delivery missed a deadline, your advice was wrong. Cyber responds to your own losses from a cyber event affecting your business (ransomware, business interruption, regulatory investigation, breach notification costs) and to third-party claims arising from breach of data protection law. A single incident — a security flaw in your delivered software that causes a client data breach — can trigger both policies. Modern brokers structure them to dovetail.

What about a data breach at a client caused by my software?

A data breach affecting a client (the client’s customers’ data being exposed) caused by a flaw in software you delivered can give rise to claims under both PI and cyber. PI would typically respond to the client’s claim against you for the financial loss it has suffered (regulatory fines it has paid, breach notification costs, reputation damage, remediation). Cyber might respond to your defence costs of regulatory investigation against you (ICO action targeting the developer), and to certain first-party costs. The exact split depends on both wordings and on how the claim is framed; broker structuring matters.

What does a standard IT consultancy PI policy cover?

Most IT PI policies respond to claims arising from: software design and development errors; configuration and integration mistakes; delivery delays causing client loss; data conversion or migration errors; security weaknesses in delivered software; negligent advice on technology strategy or architecture; managed service provider failures (where MSP work is declared); and (sometimes) IP infringement of third-party rights. Many wordings include explicit “technology” extensions covering software-as-a-service, application service provider work, and electronic publishing. The breadth varies — IT-specialist wordings are usually broader than generic professional indemnity wordings.

Does PI cover contract delivery disputes?

It depends on the framing. A client claim that the consultant negligently failed to deliver agreed functionality, missed a deadline due to negligent project management, or delivered software with material defects that cost the client money is typically within PI. A pure contract dispute about scope — “you delivered what we agreed but it isn’t what we now want” — is more likely a commercial dispute outside the policy. The dividing line often turns on whether the claim alleges negligence or merely breach of contract. Insurers vary in their treatment; broader “civil liability” wordings cover both.

What is the GDPR / UK GDPR exposure for IT firms?

IT consultants and software developers can be both Data Controllers (for their own employee and client contact data) and Data Processors (when processing personal data on behalf of clients). Both roles attract obligations and potential liability under the UK GDPR and Data Protection Act 2018. Direct ICO fines for data protection breaches are uninsurable in the UK (public policy). Claims from clients or data subjects for damages caused by data protection failures may be insurable under PI, cyber or both depending on wording. The ICO has indicated more vigorous enforcement against processors in recent years.

Does PI cover IP infringement?

Sometimes — and the position varies materially between wordings. Better IT PI policies include cover for unintentional infringement of third-party intellectual property rights (copyright, patent, trade mark, design) arising from the professional services. Less generous wordings exclude IP infringement entirely or sub-limit it. Software development and creative work is particularly exposed — the developer who unwittingly incorporates GPL-licensed code into a proprietary deliverable, the consultant whose architectural approach mirrors a patented method. Specialist Media and IP Liability cover is available for high-exposure work; for many firms, IP cover within the PI policy is the practical solution if the wording is checked.

Does PI cover open source licensing disputes?

The legal exposure from open source licence violations (particularly copyleft licences like GPL) is real — a client whose delivered software contains misused open-source components can be forced to release proprietary code or face injunction. Whether PI responds depends on the wording: better IT PI policies cover “unintentional” IP infringement which would catch most open source disputes; tighter wordings may exclude. Firms doing significant software development should hold contemporaneous evidence of open-source compliance processes and check their PI wording’s response to “third party IP” claims at every renewal.

What about SaaS providers — does standard PI work?

SaaS providers face a specific risk profile: ongoing service delivery to many customers, exposure to availability claims, data residency issues, and a subscription revenue model that magnifies the impact of mass incidents. Standard IT PI covers SaaS work but the wording should be checked for: service-availability commitments; multi-customer aggregation provisions; data handling exclusions; and the “professional services” definition’s inclusion of “hosting” or “managed services” activity. Some specialist tech wordings include explicit SaaS extensions. Generic PI wordings can leave SaaS providers exposed.

How does PI deal with AI-related delivery work?

The PI market is still developing its approach to AI delivery work — particularly bespoke implementation of large language models, machine learning pipelines, and generative AI integration. Most wordings respond to claims arising from AI delivery on the same basis as other software work — negligent implementation, defective integration, missed delivery. Specific issues to check: whether the wording covers training data IP infringement; whether it responds to claims arising from “hallucination” or biased AI outputs; and whether the consultant’s role in client-side prompt engineering or governance carries specific exposure. New questions appear regularly.

Does PI cover managed service provider (MSP) work?

Yes, MSP work — outsourced IT operations, monitoring, patching, helpdesk, infrastructure management — is generally within IT PI cover provided the policy’s “professional services” definition includes it. The exposure can be significant: a single MSP failure can affect every client simultaneously (the 2024 CrowdStrike incident is illustrative). Aggregation provisions matter — whether one MSP event giving rise to claims from twenty clients is one claim (one limit) or twenty claims (twenty limits). MSPs should specifically discuss aggregation with their broker.

What about social engineering and “fake invoice” fraud?

Social engineering fraud — where staff are deceived into transferring money or data to a fraudster — is rarely covered by PI (which excludes insured dishonesty and rarely responds to first-party losses). It is sometimes covered by cyber policies with a specific social engineering extension, more commonly by Crime cover with a fraudulent instruction extension. The exposure is significant for IT consultants who handle client payments or have access to client finance systems. The cover gap is one of the most common surprise discoveries at claim.

Does PI cover contract liquidated damages?

Liquidated damages clauses in IT contracts — typically a fixed sum per day of delay or per missed service level — present a specific PI issue. PI policies cover compensatory damages for negligent acts; whether they cover liquidated damages depends on the wording and whether the LDs are a genuine pre-estimate of loss or a penalty. Some PI wordings explicitly exclude liquidated damages or penalty clauses; others cover them if the LDs reflect actual loss. Tech firms accepting LDs in contracts should confirm wording response at proposal.

What does the FCA expect from IT firms supplying financial services clients?

IT firms supplying FCA-regulated financial services clients don’t themselves become regulated, but they may be subject to FCA expectations on outsourcing and third-party risk under SYSC and the operational resilience regime. Clients in financial services routinely impose contractual requirements on their IT suppliers — minimum PI, cyber cover, business continuity, security standards (often Cyber Essentials or ISO 27001). PI cover specifically responding to financial services-client claims should be confirmed; some policies sub-limit or exclude work for financial institutions.

How are public sector framework PI requirements set?

UK government frameworks — G-Cloud, Digital Outcomes and Specialists, NHS Shared Business Services and the various Crown Commercial Service catalogues — specify minimum PI cover as a condition of supplier listing. £1m is the most common floor; larger contracts can require £5m to £10m. Some frameworks require specific wording features (defence costs in addition, no aggregation provisions). Firms tendering for public-sector work should check the specific framework’s requirements before quoting cover levels; promising £5m when you hold £1m is a misrepresentation that can void supplier status.

What about API integrations and third-party platform work?

IT consultants integrating client systems with third-party platforms (payment providers, social platforms, marketplace APIs, ERP systems) face specific exposures: changes to the third-party API that break the integration; security or rate-limiting issues; commercial breakdown in the consultant’s relationship with the third-party. PI cover responds to negligence-based claims from clients arising from integration failures. Specific platform changes (eg Twitter/X API restrictions in 2023) can generate sudden waves of remediation work that occasionally develops into claims; insurers ask about platform dependency at proposal.

Does PI cover bespoke software written for a client?

Yes — bespoke development is the heartland of IT PI cover. Claims typically arise from: software not meeting specification; security vulnerabilities; performance issues; incompatibility with client systems; integration failures; data corruption during migration; delay or non-delivery. The wording’s response to “consequential” or “indirect” losses matters — a client’s business interruption resulting from defective software can be the largest head of claim, and not all wordings respond to pure economic loss without injury or damage.

How does PI cover hosted / cloud infrastructure work?

Cloud and hosted infrastructure work — provisioning, configuration, management of AWS, Azure, GCP environments — is generally within IT PI cover. Specific exposures include misconfigured security groups exposing client data, inadequate backup configuration leading to data loss, and over-provisioning resulting in budget overrun claims. Cloud cost-management claims have grown as enterprise clients have become more cost-conscious. Some PI wordings sub-limit or exclude cloud-platform failures themselves (which are usually the cloud provider’s liability, not the consultant’s).

What is “performance failure” or “service-level” exposure?

Many IT contracts include service-level commitments — uptime targets, response times, throughput guarantees. Failure to meet SLAs can trigger contractual remedies (service credits, termination rights, claims for loss). PI cover for SLA failure depends on whether the failure was negligent and on the wording’s response to service-credit and similar liquidated remedies. Some wordings explicitly cover SLA-driven claims; some exclude. IT firms operating SLA-heavy contracts should specifically check the wording’s response to performance-based claims.

How long does run-off cover need to last for IT firms?

There is no regulator-mandated run-off period for IT consultancy. The basic Limitation Act 1980 period of six years for contract and negligence claims provides a default; software work giving rise to latent defects can extend this in practice. Most IT firms should hold six years of run-off as a minimum if they cease trading or sell. Run-off premium is normally charged at decreasing rates across the period. The need for run-off is often raised late — typically at a sale negotiation — and the broker should be involved early.

What questions do PI underwriters ask IT firms at proposal?

Expect: corporate structure and principals; total fee income split by service line (bespoke development, SaaS, MSP, consulting, training, hosting); client sectors (especially financial services, healthcare, public sector, regulated industries); largest single contract value; contractual terms typically accepted (uncapped liability? liquidated damages? IP indemnities?); client geography and US/EU exposure; data handling and ICO position; cyber controls (Cyber Essentials, ISO 27001, internal pen-testing); claims and circumstances in the last five years; any open-source licensing issues; AI / ML delivery work.

Should I notify a circumstance even if no claim has been made?

Yes, where the circumstances reasonably could give rise to a claim. The classic IT circumstances are: a client raising concern about delivered software; a missed delivery date with client dissatisfaction; a security vulnerability discovered in delivered work; a data subject access request that may relate to your processing; a contract being terminated for cause by the client; a client complaint about service performance. Notification preserves cover under the current policy. The Insurance Act 2015’s duty of fair presentation also requires honest disclosure at proposal of known issues.

What about IR35 and contractor PI?

Individual IT contractors providing services through personal service companies are typically required to hold PI by the end client or recruitment agency. The cover requirements vary — £1m to £5m is common. The contractor’s own personal exposure if no PI is held can be significant — limited company structure does not protect against personal liability for negligent professional services. Contractors should hold PI in their personal service company’s name and confirm the wording covers the type of work being done.

Does PI cover claims about AI model training data?

This is an emerging area with limited claims history. A client whose AI model is alleged to have been trained on improperly sourced data (copyright-protected works without licence, personal data processed without lawful basis) may seek to recover against the consultant who built the model. Whether PI responds depends on the wording’s IP infringement and data protection extensions. The major US litigation around generative AI training data (OpenAI, Anthropic, Stability AI cases as at 2026) is being closely watched by insurers. Firms doing model training work should specifically discuss the cover position with the broker.

What should I do if a client threatens to sue me?

Three steps in order: stop responding to the client without taking advice; the same week, send the threat in writing to your broker or insurer’s claims team with a brief factual summary; secure the underlying project files, code repositories and email correspondence; do not attempt to settle or do “make good” work without insurer consent. The temptation to fix the technical issue or accept a fee write-off to keep the relationship is the most expensive mistake IT firms make. Most PI policies require notification before defence steps are taken; informal settlements before notification can be excluded from cover.

About Apex Insurance Brokers

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FCA firm reference 724952. Registered in England and Wales, Companies House 07014570. Trading address: c/o QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ. Registered office: c/o Westcan, 5 Anglo Office Park, Bristol BS15 1NT. Email info@apexinsurancebrokers.co.uk, telephone 0117 325 0027. Last reviewed: May 2026.

Related guides

Author: Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, firm reference number 724952. This guide is general information about Professional Indemnity Insurance and is not advice tailored to any individual practice. Cover and terms are always subject to underwriter assessment and the policy wording. For advice on your firm's PI placement, talk to a named broker.
Our service promise. We acknowledge every quote request the same working day. For straightforward risks, indicative terms typically follow within five working days. Complex risks — higher-risk buildings, cladding, mid-term proposals requiring fresh underwriting — may take longer; we’ll send you a progress note by the end of the fifth working day in those cases.
★ 4.0 on Trustpilot (verified)|Listed on the ARB PI broker list|FCA FRN 724952