A PI cyber and PII extension is a defined add-on to a professional indemnity policy that picks up certain cyber and personal data breach liabilities arising from the firm’s professional services. It is not a substitute for a standalone cyber policy. It typically responds to third-party liability for a breach of personal information held in the course of professional work, subject to a sub-limit, and may include limited first-party response costs. The boundary between PI cyber/PII extensions and full cyber policies is the most commonly misunderstood area in UK PI cover.
What a PI cyber and PII extension means in PI insurance
UK PI policies historically excluded cyber-related losses through a broad cyber exclusion (see cyber exclusion PI explained) that took out malware, hacking, system failure, and data breach exposures. The cyber and PII extension is a partial carve-back: it puts a defined slice of cyber/PII liability back inside the PI policy where the loss arises from the firm’s delivery of professional services.
Typical wording will respond to:
- Third-party liability for breach of personal data held by the firm in the course of professional work — for example, a solicitor’s case file containing client personal data being inadvertently emailed to the wrong party.
- Liability for damages awarded against the firm under the Data Protection Act 2018 / UK GDPR for unauthorised disclosure of personal data.
- Legal defence costs of regulatory or civil proceedings arising from the breach.
- In some wordings, limited first-party costs of breach response: notification, credit monitoring, IT forensics, public relations.
What the extension typically does not respond to:
- Ransomware and extortion payments. Standalone cyber policies cover these; PI extensions almost never do.
- Business interruption from cyber incidents. Loss of the firm’s own revenue is a first-party loss; PI is primarily third-party.
- System restoration costs. Rebuilding IT systems is a first-party exposure outside the PI extension.
- Network security failure liabilities that do not arise from professional services.
- Cyber crime — funds transfer fraud. Standalone cyber covers this; PI extensions generally do not.
The extension fills a specific gap: the personal data breach arising from professional work. Outside that gap, standalone cyber cover is needed.
How a PI cyber and PII extension works in practice
A typical UK PI cyber/PII extension is structured as:
- Sub-limit. A defined sum — common UK sub-limits run £100,000 to £1m — sitting inside or outside the main PI limit.
- Trigger. Activated by a breach of personal data, unauthorised access to the firm’s systems containing personal data, or a regulatory inquiry following such a breach.
- Causation requirement. The loss must arise from the firm’s professional services. A breach affecting only internal HR data is not within the typical extension.
- Notification requirements. A specific cyber notification timeline often applies, sometimes shorter than the headline notification clock for ordinary PI matters. The UK GDPR duty to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals runs independently of the policy and is not extended by it; where the risk is high, affected individuals must also be told without undue delay. The practical consequence is two clocks running at once: the ICO clock and the insurer's.
- Cooperation conditions. The insurer typically requires reasonable cyber hygiene (patching, MFA, backups, staff training) as a contractual standard. Check whether these are expressed as conditions precedent to cover: if they are, a lapse such as an MFA exemption left in place or backups never tested can give the insurer grounds to decline the cyber claim even though the breach itself is within the extension. The same controls are usually described on the proposal form, and those answers form part of the firm's presentation of the risk, so describe the controls as they actually operate rather than as the written policy says they should.
The sub-limit interacts with the main PI limit in two ways. Where the cyber sub-limit is “inside” the main PI limit, indemnity paid under the extension reduces the main limit available for non-cyber PI claims in the same year. Where it is “outside”, the sub-limit is additional. Read the schedule.
Standalone cyber policies — full cyber, technology errors and omissions, and cyber crime — are written on a separate basis with materially higher limits, broader first-party cover, and dedicated breach-response panels. The PI extension exists as a backstop for the data-breach element of professional service work; it is not a substitute for proper cyber cover where the firm’s exposure justifies it.
Worked UK example: cyber extension in action
Consider a UK accountancy firm. A staff member falls for a phishing email and unknowingly grants access to a shared client drive. The intruder downloads client tax returns containing personal data and sells the records on the dark web. Affected clients sue the firm under UK GDPR for distress and damages; the ICO opens an inquiry and ultimately imposes a £180,000 administrative fine.
Under the firm’s PI policy with a £500,000 cyber/PII extension sub-limit (outside the main £2m PI limit), the response is:
- Civil damages to affected clients are paid under the extension up to £500,000, plus legal defence costs. Whether those defence costs erode the £500,000 or sit outside it depends on the wording (see defence costs inside vs outside limit).
- Investigation costs of responding to the ICO inquiry are paid under the extension, subject to the insurer's consent and to the sub-limit being available. Costs incurred before consent is given, for example a non-panel forensics firm engaged on day one, may not be reimbursed, so the insurer's notification line belongs in the incident response plan alongside the ICO's.
- The ICO fine of £180,000 is not paid. Fines remain excluded under the standard fines-and-penalties exclusion (see fines and penalties PI exclusion).
- First-party costs — IT forensics, customer notification mailings, credit monitoring offers, PR support — depend on the wording. Some PI cyber/PII extensions include limited first-party response cover; many do not. Standalone cyber would respond more broadly.
- Business interruption — if the firm’s systems were taken offline for two weeks during forensic response — is not within the PI extension. Standalone cyber would respond.
The same scenario under a properly placed standalone cyber policy would pay the BI loss, the breach response costs, and would coordinate with the PI policy on the civil damages so the firm has no gap.
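To make the inside/outside sub-limit mechanics and the worked scenario above concrete, here is an added illustrative model, written for this page rather than taken from any insurer's wording or from Apex. It applies a year's claims in the order notified, pays cyber/PII items from the sub-limit, ordinary PI items from the main limit, and leaves fines, ransom, business interruption and (unless the wording includes them) first-party response costs uninsured. The £2m limit, £500,000 sub-limit and £180,000 fine are the article's figures; every other amount, the £10,000 each-and-every-claim deductible and the later unrelated PI claim are constructed assumptions.

```python
"""Illustrative model of how a PI cyber/PII sub-limit interacts with the main PI limit.

Constructed example for this page, not any insurer's wording. Points marked
ASSUMPTION are simplifications a real schedule may handle differently.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Categories the cyber/PII extension can respond to, and those the article says it never does.
CYBER_EXTENSION = {"cyber_liability", "regulatory_defence", "first_party_response"}
NEVER_COVERED = {"fine", "ransom", "business_interruption"}


@dataclass
class Policy:
    main_limit: float                   # aggregate PI limit for the policy year
    cyber_sublimit: float               # the cyber/PII extension sub-limit
    sublimit_inside: bool               # True: extension payments erode main_limit; False: additional
    deductible: float                   # ASSUMPTION: each-and-every-claim deductible on every covered claim
    first_party_included: bool = False  # some wordings include first-party response costs; many do not


@dataclass
class Claim:
    label: str
    amount: float
    category: str   # "pi" | one of CYBER_EXTENSION | one of NEVER_COVERED


@dataclass
class Outcome:
    paid: Dict[str, float] = field(default_factory=dict)
    uninsured: Dict[str, float] = field(default_factory=dict)
    main_remaining: float = 0.0
    sublimit_remaining: float = 0.0


def settle(policy: Policy, claims: List[Claim]) -> Outcome:
    """Apply claims in the order notified; earlier claims erode the limits for later ones."""
    out = Outcome(main_remaining=policy.main_limit, sublimit_remaining=policy.cyber_sublimit)
    for c in claims:
        excluded = c.category in NEVER_COVERED or (
            c.category == "first_party_response" and not policy.first_party_included
        )
        if excluded:
            out.paid[c.label] = 0.0
            out.uninsured[c.label] = c.amount
            continue

        net = max(0.0, c.amount - policy.deductible)  # the firm bears the deductible

        if c.category in CYBER_EXTENSION:
            available = out.sublimit_remaining
            if policy.sublimit_inside:
                # An inside sub-limit can never pay more than what is left of the main limit
                available = min(available, out.main_remaining)
            pay = min(net, available)
            out.sublimit_remaining -= pay
            if policy.sublimit_inside:
                out.main_remaining -= pay      # the cyber payment eats into non-cyber PI capacity
        else:                                   # ordinary PI claim
            pay = min(net, out.main_remaining)
            out.main_remaining -= pay

        out.paid[c.label] = pay
        out.uninsured[c.label] = c.amount - pay
    return out


def worked_example(sublimit_inside: bool) -> Outcome:
    """The accountancy-firm scenario from the article, followed by an unrelated PI claim
    later in the same policy year. Amounts other than the limits and the fine are constructed."""
    policy = Policy(main_limit=2_000_000, cyber_sublimit=500_000,
                    sublimit_inside=sublimit_inside, deductible=10_000)
    claims = [
        Claim("client damages (UK GDPR)", 400_000, "cyber_liability"),
        Claim("ICO inquiry defence costs", 60_000, "regulatory_defence"),
        Claim("ICO monetary penalty", 180_000, "fine"),
        Claim("forensics and notification", 40_000, "first_party_response"),
        Claim("two weeks' lost revenue", 90_000, "business_interruption"),
        Claim("unrelated negligent tax advice", 1_800_000, "pi"),
    ]
    return settle(policy, claims)


if __name__ == "__main__":
    for inside in (False, True):
        o = worked_example(inside)
        print(f"sub-limit {'inside' if inside else 'outside'}: paid £{sum(o.paid.values()):,.0f}, "
              f"uninsured £{sum(o.uninsured.values()):,.0f}, main limit left £{o.main_remaining:,.0f}")
```

Run with the sub-limit outside the main limit, the policy pays £2,230,000 of the £2,570,000 claimed and has £210,000 of main limit left; with the same sub-limit inside the main limit it pays £2,000,000, the main limit is exhausted by the later tax-advice claim and a further £230,000 of that claim is uninsured. The breach itself cost the firm the same either way; the difference is entirely what is left for the rest of the year, which is the point of reading the schedule. Real wordings add detail this model omits, notably whether defence costs are inside or outside the limit and whether a separate cyber deductible applies.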
When the cyber/PII extension matters most
Three situations make the extension valuable:
Firms with low cyber exposure relative to professional service exposure. A small solicitor's practice or a small accountancy firm that holds modest personal data may find a PI cyber/PII extension is sufficient for the data-breach element of its risk. As the volume of personal data held, or the firm's dependence on its systems to deliver work, grows, standalone cyber is needed.
Co-ordination with primary PI claims. A breach that also involves a professional-service error — for example, advice given on the back of compromised data, or files lost in a ransomware event that drives a missed deadline — sits more cleanly under PI if the extension is in place, because there is no inter-policy dispute about whether PI or cyber should respond.
Smaller-budget cover programs. Firms that cannot justify the premium of standalone cyber sometimes take the PI extension as a stop-gap. The risk of that approach is that it leaves first-party loss, ransomware, BI, and cyber crime entirely uninsured, which is rarely a sensible position for any modern firm.
The extension is not appropriate as a substitute for standalone cyber where the firm holds sensitive personal data at scale, operates a digital service delivery model, or has any meaningful BI exposure to cyber events.
Common variations and market wording
UK PI cyber/PII extensions vary widely:
- “Liability arising from the breach of personal data”. Narrow wording — third-party liability only. No first-party response costs.
- “Breach of personal data and unauthorised disclosure of confidential information”. Broader — picks up commercial confidential information as well as personal data, which is material for solicitors and accountants holding client trade secrets.
- “Including first-party breach response costs up to [sub-limit]”. Some modern PI wordings include a sub-sub-limit for forensics, notification, and credit monitoring. Typically £50,000–£250,000 against an overall extension sub-limit of £500,000–£1m.
- “Including regulatory defence costs”. Coverage for the cost of responding to ICO inquiries. Increasingly standard but still not universal.
- “Excluding ransomware demands”. A standard carve-out — ransom payments are not paid, even where the wording covers consequent third-party liability.
- “Cyber crime sub-limit”. Some wordings include a small sub-limit for funds-transfer fraud and social engineering, often £50,000 or less, well below standalone cyber market levels.
The schedule and policy wording must be read in conjunction. Brokers should circulate a clear comparison showing what the PI cyber/PII extension does and does not pick up, against what a standalone cyber policy would respond to.
Related concepts
- Cyber exclusion PI explained — the parent exclusion that the cyber/PII extension carves back.
- Loss of documents extension PI — overlaps with cyber where electronic documents are lost.
- Dishonesty extension PI — relevant where the cyber breach involves a dishonest insider.
- Defence costs inside vs outside limit — how cyber extension costs interact with the limit.
Frequently asked questions
Does a PI cyber and PII extension replace a standalone cyber policy?
No. The extension covers a defined slice of cyber/PII liability — primarily third-party data breach liability arising from professional services. It does not cover ransomware payments, business interruption, system restoration, or funds-transfer fraud at standalone-policy levels. Firms with meaningful cyber exposure need a standalone cyber policy in addition to PI.
What is “PII” in this context?
In this context PII stands for personally identifiable information. Note the clash with UK market shorthand, where “PII” usually means professional indemnity insurance; the extension name uses the data-protection sense. Personally identifiable information is a term from US practice; UK law uses “personal data”, which the UK GDPR defines as any information relating to an identified or identifiable living individual. That is the broader concept, since it includes online identifiers and pseudonymised data that can still be linked back to a person, and it is the definition the extension wording will actually turn on. The PI cyber/PII extension responds to liability for unauthorised disclosure or breach of personal data held by the firm in the course of its professional services.
Does the PI cyber extension pay ICO fines?
No. The standard fines-and-penalties exclusion in UK PI wordings excludes fines, administrative penalties, and punitive amounts. ICO administrative fines fall within that exclusion. The extension typically pays civil damages and defence costs but not the fine itself.
Does the extension cover ransomware?
Almost never. The extension covers third-party liability arising from a breach but does not pay the ransom demand. First-party breach response costs may be partially covered in some wordings; ransom payments are not. Standalone cyber policies cover ransom payments subject to their own conditions and applicable law.
What is the difference between the PI cyber/PII extension and a cyber endorsement?
Terminology varies. “Extension” and “endorsement” are often used interchangeably to describe an add-on. What matters is what the wording says: trigger, sub-limit, inside or outside the main limit, first-party vs third-party coverage, and whether regulatory defence is included. Read the schedule rather than relying on the label.
Do I need both PI cyber/PII extension and standalone cyber?
Many firms benefit from both. The PI extension responds to data breaches arising from professional services; the standalone cyber policy responds to the broader cyber exposure (BI, first-party, ransomware, cyber crime). The two need to be coordinated to avoid duplication, gap, or arguments over which insurer leads. The broker should map cover on one document.
Is the PI cyber/PII extension subject to the standard policy deductible?
Usually yes, though some wordings apply a separate cyber deductible that is higher or lower than the standard PI deductible. First-party response costs may have their own sub-deductible. The schedule sets out the position.
Does the PI cyber extension respond to a breach of confidential commercial information?
Some wordings extend to “confidential information” beyond personal data, picking up commercial trade-secret style data. This is more common for solicitors and accountants and is worth checking on placement. Narrower PII-only wordings will not respond to a pure confidential-information breach.
{
"@context": "https://schema.org",
"@type": "Article",
"headline": "PI cyber and PII extension: what it covers and where standalone cyber wins",
"description": "A PI cyber and PII extension covers some cyber and data breach liabilities within a PI policy. UK scope, sub-limits, gaps, and where standalone cyber cover is needed.",
"author": {
"@type": "Organization",
"name": "Apex Insurance Brokers Ltd",
"url": "https://www.apexinsurancebrokers.co.uk/"
},
"publisher": {
"@type": "Organization",
"name": "Apex Insurance Brokers Ltd"
},
"datePublished": "2026-05-29",
"dateModified": "2026-05-29",
"inLanguage": "en-GB"
}
{
"@context": "https://schema.org",
"@type": "DefinedTerm",
"name": "PI cyber and PII extension",
"description": "A defined extension within a professional indemnity policy that responds to certain cyber and personal data breach liabilities arising from the firm's professional services, subject to a sub-limit and excluding ransomware, business interruption, and first-party cyber loss outside specified narrow categories.",
"inDefinedTermSet": {
"@type": "DefinedTermSet",
"name": "Apex Insurance Brokers Glossary",
"url": "https://www.apexinsurancebrokers.co.uk/glossary/"
}
}
{
"@context": "https://schema.org",
"@type": "FAQPage",
"mainEntity": [
{
"@type": "Question",
"name": "Does a PI cyber and PII extension replace a standalone cyber policy?",
"acceptedAnswer": {
"@type": "Answer",
"text": "No. The extension covers a defined slice of cyber/PII liability — primarily third-party data breach liability arising from professional services. It does not cover ransomware payments, business interruption, system restoration, or funds-transfer fraud at standalone-policy levels. Firms with meaningful cyber exposure need standalone cyber in addition to PI."
}
},
{
"@type": "Question",
"name": "What is PII in this context?",
"acceptedAnswer": {
"@type": "Answer",
"text": "In this context PII stands for personally identifiable information, not professional indemnity insurance as in UK market shorthand. UK law uses the broader term personal data, defined in the UK GDPR as any information relating to an identified or identifiable living individual. The extension responds to liability for unauthorised disclosure or breach of personal data held by the firm in the course of its professional services."
}
},
{
"@type": "Question",
"name": "Does the PI cyber extension pay ICO fines?",
"acceptedAnswer": {
"@type": "Answer",
"text": "No. Fines, administrative penalties, and punitive amounts are excluded under the standard fines-and-penalties exclusion in UK PI wordings. ICO administrative fines fall within that exclusion. The extension pays civil damages and defence costs but not the fine itself."
}
},
{
"@type": "Question",
"name": "Does the extension cover ransomware?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Almost never. The extension covers third-party liability arising from a breach but does not pay the ransom demand. Standalone cyber policies cover ransom payments subject to their own conditions and applicable law."
}
},
{
"@type": "Question",
"name": "What is the difference between a PI cyber extension and a cyber endorsement?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Terminology varies and the words are often used interchangeably. What matters is what the wording says — trigger, sub-limit, inside or outside the main limit, first-party vs third-party, and whether regulatory defence is included. Read the schedule rather than relying on the label."
}
},
{
"@type": "Question",
"name": "Do I need both PI cyber/PII extension and standalone cyber?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Many firms benefit from both. The PI extension responds to data breaches from professional services; the standalone cyber policy covers the broader cyber exposure (BI, first-party, ransomware, cyber crime). The two need coordination to avoid duplication or gap. Brokers should map cover on one document."
}
},
{
"@type": "Question",
"name": "Is the PI cyber/PII extension subject to the standard policy deductible?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Usually yes, though some wordings apply a separate cyber deductible that is higher or lower than the standard PI deductible. First-party response costs may have their own sub-deductible. The schedule sets out the position."
}
},
{
"@type": "Question",
"name": "Does the extension respond to a breach of confidential commercial information?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Some wordings extend to confidential information beyond personal data, picking up commercial trade-secret style data. This is more common for solicitors and accountants and is worth checking on placement. Narrower PII-only wordings will not respond to a pure confidential-information breach."
}
}
]
}
About Apex Insurance Brokers Ltd
Apex Insurance Brokers Ltd is a Bristol-based insurance broker authorised and regulated by the Financial Conduct Authority (firm reference number 724952). The company is registered in England and Wales under Companies House number 07014570. Contact: info@apexinsurancebrokers.co.uk | 0117 325 0027.
Last reviewed: May 2026 by Apex Insurance Brokers Ltd.
Important: this article is general information, not advice on your specific circumstances. For advice on PI insurance for your firm, contact us on 0117 325 0027 or info@apexinsurancebrokers.co.uk.