PI/Cyber Overlap, GDPR Exposure, and AI-Generated Code Risk
A buyer’s guide for directors, founders and operations leads at UK IT consultancies, software houses, system integrators, managed service providers and independent contractors.
Published May 2026 by Apex Insurance Brokers Limited. FCA firm reference 724952. Companies House 07014570.
The UK IT Consultant’s Guide to Professional Indemnity Insurance 2026
Version 1.0 — May 2026
Apex Insurance Brokers Limited
Trading address: QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ
Registered office: c/o Westcan, 5 Anglo Office Park, Bristol BS15 1NT
info@apexinsurancebrokers.co.uk | 0117 325 0027 | apexinsurancebrokers.co.uk
Authorised and regulated by the Financial Conduct Authority. FRN 724952. Companies House registration 07014570.
The UK technology services market in 2026 looks different from the one most current PI policies were originally written for. A typical mid-sized consultancy now ships software that integrates with the client’s payments stack, holds personal data on the client’s customers, hooks into machine-learning pipelines whose outputs the client relies on commercially, and is delivered partly by humans, partly by AI assistants whose authorship and licensing status remain unsettled in law. The contract behind that engagement is increasingly a heavyweight Master Services Agreement with insurance schedules, audit rights, data-protection annexes and indemnities for IP infringement that did not appear in the equivalent contracts five years ago.
In that environment, the question is not whether to buy Professional Indemnity Insurance — the question is whether the cover you are buying responds to the claims you are actually exposed to. This guide is written to help you answer that question.
It is written from a broker’s perspective. We do not underwrite, we do not have a quota with any one insurer, and we are not selling a particular product. We place cover for IT firms across the UK market and we see, year after year, where policies respond well and where they fall down. That experience is what this guide tries to compress into something you can read on a Tuesday evening and act on.
It is not legal advice and it is not a substitute for reading your own policy wording. It is a senior broker explaining how to think about the cover, what to look for in a quote, and where the contemporary risks — GDPR routing, the PI/cyber boundary, AI-generated code, IR35-driven entity questions — actually sit.
— The Apex broking team
Unlike accountants, solicitors, architects or surveyors, UK IT professionals have no single statutory regulator setting compulsory Professional Indemnity requirements. There is no equivalent of the Solicitors Regulation Authority Minimum Terms, no Architects Registration Board (ARB) criteria, no Institute of Chartered Accountants in England and Wales (ICAEW) Professional Indemnity Insurance Regulations. BCS, The Chartered Institute for IT, publishes a Code of Conduct for its members but does not mandate a PI limit. Trade bodies such as techUK and the Federation of Small Businesses encourage cover but do not impose it as a membership condition.
That absence sometimes leads founders to conclude PI is optional. In commercial practice, the obligation just sits in different places.
The first and most binding is the client’s Master Services Agreement (MSA). The single most common reason a UK technology firm buys PI is that enterprise clients require it as a condition of contracting. A typical MSA from a large corporate, public sector body or financial services client will require the supplier to maintain Professional Indemnity Insurance for a stated minimum limit — commonly £1m to £5m, sometimes £10m or more for higher-value engagements — for the duration of the contract and for a tail period (commonly six years) after termination. The same contract will usually require a separate cyber liability policy and an employers’ liability policy where the supplier has UK staff. Failing the insurance schedule of a serious MSA is one of the most common reasons a competent software firm cannot complete a procurement process.
The second is English contract law and the law of tort. A supplier of professional services owes its client a contractual duty (typically expressly stated in the MSA and Statement of Work, and impliedly under the Supply of Goods and Services Act 1982 to perform with reasonable skill and care) and a parallel duty in tort. A claim for breach of either can be brought up to six years after the cause of action arose for ordinary contracts, and twelve years where the contract is executed as a deed. PI exists precisely to respond to that exposure.
The third is the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. A consultancy or developer handling personal data on behalf of a client typically becomes a processor; a managed service provider may become a controller. The Information Commissioner’s Office (ICO) can impose monetary penalties of up to the higher of £17.5m or 4% of global turnover for serious infringements. PI does not pay ICO fines, but the combination of PI and cyber typically responds to investigation and remediation costs and to civil claims brought by data subjects under section 168 of the Data Protection Act 2018.
The fourth is sector overlay. IT firms working with regulated industries — financial services through FCA-authorised clients, defence through Ministry of Defence framework agreements, healthcare through NHS Digital and the Data Security and Protection Toolkit, payment systems under Payment Systems Regulator (PSR) oversight — inherit those clients’ regulatory expectations through their contracts. That usually flows through into mandatory insurance and audit clauses.
The fifth is the Insurance Distribution Directive (IDD) and FCA Conduct of Business rules, which regulate how brokers (Apex among them) must place and explain cover. They also apply directly to any IT firm that itself sells or distributes insurance products as part of its services — an embedded-insurance fintech, for example — in which case the FCA may regulate the firm in addition to its general contractual position.
The right way to think about it: the IT profession is not regulated for PI in the same prescriptive way as the chartered professions, but the commercial and legal environment makes PI effectively mandatory for any firm of meaningful size working with serious clients.
PI for technology firms responds to civil claims made against the firm by a client or third party alleging financial loss caused by a wrongful act in the firm’s professional services. “Wrongful act” is the policy term and is normally defined to include negligence, error, omission, misleading statement, breach of professional duty and — importantly for technology — breach of contract in respect of the professional services.
For an IT consultancy or software developer, the envelope of “professional services” is typically broad. A well-written tech PI policy will respond to allegations of negligent design, development, testing or implementation of software; errors and omissions in coding, configuration or deployment; failure to deliver to specification within the parameters of contractual cover; defective integration with other systems; negligent advice on technology selection, architecture or vendor choice; mistakes in data migration; failures in IT project management; negligent training or knowledge transfer; and failure to spot issues a reasonable IT professional should have spotted.
A modern tech PI policy will also typically include cover that older “pure” PI wordings did not. The most important crossovers are intellectual property infringement, defamation and disparagement in published content, and breach of confidence. IP infringement cover is particularly relevant: if your code base is alleged to incorporate copyrighted material owned by a third party — for example, an open-source library used outside the terms of its licence — the IP infringement extension in a tech PI policy is what responds. Whether and how that cover extends to AI-generated code is a live and unsettled question we return to below.
What PI does not cover is equally important. It does not respond to deliberate or fraudulent acts. It does not pay regulatory fines or penalties. It does not pay the firm’s own contractual liquidated damages where those are deemed punitive rather than compensatory (some policies cover liquidated damages on a “civil liability” basis, others exclude them — read the wording). It does not pay for the firm’s own remedial work to put right a defective deliverable (the “rework exclusion”) unless the policy specifically extends to mitigation costs. And it does not pay for losses arising from acts or omissions outside the professional services definition — an employment dispute, for example, would not be a PI matter.
This is the question that causes more confusion than any other in the UK technology insurance market.
Professional Indemnity / tech E&O responds to civil claims against the firm alleging financial loss caused by the firm’s professional services. The trigger is a claim, real or threatened, by a third party. The cover pays defence costs and damages.
Cyber liability insurance responds to the firm’s own first-party costs and third-party liability arising from a cyber incident affecting the firm itself or its clients’ systems under the firm’s control. The trigger is the incident, not the claim. The cover typically pays for forensic investigation, breach notification, credit monitoring, ransomware response (subject to regulatory and sanctions considerations), business interruption to the firm itself, system restoration, and crisis-management PR; it also covers third-party liability where data subjects, regulators or commercial counterparties bring claims arising from the incident.
The overlap is where things get interesting. If the firm’s negligent professional services cause a cyber incident at a client, which then causes a third-party claim, both policies are potentially in play. Modern markets handle this in one of three ways: with a combined “tech E&O and cyber” wording from a single insurer that contains the carve-up internally; with separate policies from the same insurer designed to nest cleanly; or with separate policies from different insurers, where the broker’s job is to ensure no gap and no double-recovery problem.
For a UK software firm working with regulated clients, holding only PI without cyber is increasingly hard to justify. Holding only cyber without PI leaves the much larger civil-liability exposure uncovered.
The cleanest way to think about it:
The ICO fine itself is uninsurable as a matter of public policy. Neither PI nor cyber will pay it.
The cost of the breach response — forensics, notification, call-centre, credit monitoring — sits squarely on the cyber policy. PI does not typically respond.
A civil claim by an affected data subject under Article 82 UK GDPR or section 168 DPA 2018 sits, in the first instance, on cyber where the policy is structured to include third-party data liability; many modern cyber policies provide this primary cover. Where the claim alleges that the firm’s professional services (its work for the client) caused the breach, the PI policy is the natural defence vehicle and the two policies need to be coordinated.
A claim from a client alleging that the firm’s negligent professional services exposed the client’s data, regardless of whether a regulator becomes involved, sits primarily on PI as a professional negligence matter, with the cyber policy potentially supplying ancillary cover for the incident-response costs the client passes through.
This is why having the same insurer (or at least the same broker) across both lines materially simplifies a real claim.
The single most-asked question of the past eighteen months. There are three open issues.
The first is authorship and licensing of the output. UK copyright law currently recognises a category of “computer-generated works” under section 9(3) of the Copyright, Designs and Patents Act 1988, attributing authorship to the person who made the arrangements necessary for the creation. That provision predates large language models and its application to AI-assisted code is not yet settled by case law in the UK. International litigation, including ongoing class actions in the United States, is testing whether AI providers can be held liable for outputs that reproduce training-data code without licence compliance.
The second is flow-through risk. If your developers use an AI assistant that reproduces a snippet from a GPL-licensed training source, and that snippet ends up in your client’s proprietary distribution, the resulting open-source-licence compliance claim is real money. The IP infringement extension in your PI policy is the natural respondent. Some insurers are now explicitly addressing this — either by clarifying the extension to confirm it covers AI-assisted code on the same basis as developer-written code, or, less helpfully, by inserting AI-output exclusions. Read the wording.
The third is warranty exposure in MSAs. Increasingly, client contracts require the supplier to warrant that the deliverables are free of third-party IP infringement and were not generated by AI tools, or to warrant that any AI use was disclosed. A warranty given outside the policy’s “civil liability” or “professional services” trigger can fall outside cover. The right answer is to align the contract drafting, the AI use disclosure to clients, and the policy wording at renewal — all three together.
We are not currently aware of any UK case law that conclusively decides whether AI-generated code attracts the same IP infringement liability profile as human-written code. The prudent assumption is that it does, and the prudent insurance position is to confirm with your broker that your IP infringement extension is not silently AI-excluded.
The “any one claim” limit and the “in the aggregate” limit are the two numbers that determine how much your policy will actually pay. A £2m any-one-claim, £4m in-the-aggregate policy means each individual claim is covered up to £2m and the total of all claims in the policy year is covered up to £4m. A £2m in-the-aggregate policy means the total of all claims in the year is capped at £2m. The wording matters more than the headline number.
How much cover an IT firm should buy is driven by three factors: the contractual minima imposed by clients (which often set the floor), the worst-case financial exposure on the firm’s largest live engagements (which should set the ceiling), and the affordability of the premium at different layers (which sets the practical answer in the middle).
A representative pattern across the UK market in 2026:
A two- to five-person development consultancy doing fixed-fee work for small and medium-sized enterprise clients with engagement values under £100,000 typically buys £1m to £2m of cover, frequently combined with a £1m or £2m cyber layer. A mid-sized firm of fifteen to fifty consultants serving enterprise clients on multi-year retainers typically buys £2m to £5m of cover, sometimes with a primary layer plus an excess layer above. Firms with public sector framework engagements (G-Cloud, Digital Outcomes and Specialists, Crown Commercial Service frameworks) commonly need £5m to £10m of cover to meet framework conditions. Firms working with regulated financial services clients commonly need £10m or more, sometimes structured as a tower with multiple layers.
The excess (or deductible) is what you pay before the insurer pays. Typical excesses run from £1,000 to £25,000 for smaller firms and from £25,000 to £100,000 for larger firms. A higher excess reduces premium but absorbs the cost of small claims internally — which is fine if your contract terms and quality controls mean small claims are infrequent, less fine if you are exposed to a high volume of low-value disputes.
Aggregation matters. If you are likely to face a series of related claims arising from the same root cause — a defect in a piece of software you have deployed to multiple clients, for example — you need to understand whether your policy treats those as one claim (good for you, because one limit and one excess) or as multiple separate claims (worse on excess, better on limit). The wording of the aggregation clause is the relevant detail.
A concrete example. A managed service provider with twenty clients on a shared backup configuration discovers, after a routine audit, that a quarter of those clients’ backups have been silently failing for nine months. Eight clients suffer some recoverable data loss; three suffer material loss. The eventual claims arise from one configuration error but are notified by different clients on different dates. Whether the eleven notifications attract one excess and one limit, or eleven excesses and the policy’s per-claim limit applied serially, depends entirely on the aggregation clause. Pre-2020 wordings frequently aggregated narrowly (one originating cause = one claim); some 2024-vintage wordings have widened the definition; some markets have moved the other way. The conversation to have with your broker at renewal is which way your wording cuts.
The IR35 framework — the off-payroll working rules in Chapter 10 of ITEPA 2003, as amended in 2017 and 2021 — does not directly change a contractor’s PI exposure, but it materially affects who buys the cover.
A personal service company contractor working on an outside-IR35 engagement remains contractually responsible to its end client for the professional services rendered, and the PI policy should sit with the personal service company. An umbrella-employed contractor on an inside-IR35 engagement is, for tax purposes, treated as employed by the umbrella — but the contractual position with the end client may still allocate professional liability through the agency chain, and many umbrella arrangements explicitly do not provide PI for the assignee’s professional output. Many statement-of-work-based contracts placed by consultancies similarly leave the supplier on the hook.
The questions to settle before signing are: who is the contracting entity that owes the professional duty to the end client; does that entity hold its own PI; and does the policy limit and wording meet the end client’s insurance schedule. We see contractors caught short on each of these — most commonly where an umbrella switch mid-engagement breaks the continuity of the PI placement and a claim notified post-switch falls between two policies.
A typical PI quote document for an IT firm runs to ten to twenty pages. Most readers skim the schedule, agree the premium and forget the rest. The pages that matter most are usually the ones least read.
The schedule sets out the named insured, the cover period, the limit (any-one-claim and in-the-aggregate), the excess, the premium, the insurer and the policy reference. Check the named insured exactly matches your trading entity, and any group entities or trading-as names you need covered are listed as additional insureds. A misspelled or omitted entity is the single most common reason a claim is initially queried.
The declarations are the information you provided to the underwriter — turnover, fee split by activity, largest contract, claims history, key clients. The policy responds on the basis that the declarations are accurate; an unintentional understatement of turnover or activity can sometimes lead to averaging (proportional reduction of the claim payment) and a deliberate misrepresentation can void the policy. If something has changed materially since you completed the proposal — a new line of activity, a new geography, a new key client, a major change of senior personnel — tell the broker.
The definitions section is dry reading and disproportionately important. The definitions of “professional services”, “wrongful act”, “claim”, “loss”, “computer system” (for combined wordings), “AI tools” (in some 2025-vintage wordings) and “documents” between them describe the perimeter of the cover. A narrow “professional services” definition that excludes parts of what you actually do is the most common silent gap.
The insuring clauses describe what triggers the cover. Look for whether defence costs sit inside the limit (“costs-inclusive” or “costs-in-limit”) or in addition to the limit (“costs in addition”). Both are reasonable structures; costs in addition is generally preferable but commands a higher premium.
The exclusions are where the contested ground lives. Standard exclusions you should expect: deliberate or fraudulent acts; insolvency of the insured; bodily injury and property damage (those sit on public liability); fines and penalties; pollution; war and nuclear; cyber-physical attacks in some legacy wordings. Less standard but worth flagging: broad AI-output exclusions; broad infrastructure-as-a-service exclusions for managed service providers; supply-chain exclusions; contractual liability exclusions that go beyond carving out non-negligent warranties.
The conditions describe what you must do to keep the cover live — notify circumstances, cooperate with the insurer, not admit liability without consent, observe sub-limits, observe territorial limits. Each of these is enforceable and routine non-compliance is a frequent loss-adjusting friction point at claim time.
Finally, the endorsements. Endorsements modify the main wording for the specific risk. They are easy to miss — they sit at the back of the document — and they routinely contain the most important provisions: AI-use disclosure conditions, sub-limits on data privacy or IP, narrowed territorial limits, specific named-client extensions.
If your IT firm winds down, is sold, or substantially changes its activities, the liability for work already done does not vanish. PI is written on a claims-made basis, which means the policy that responds to a claim is the policy in force at the date the claim is notified, not the date the work was done. Once you stop trading and stop paying premiums, your last policy is the last policy that will ever respond to anything — unless you have bought run-off cover.
There is no UK statutory minimum run-off period for IT professionals (unlike for solicitors, where it is six years, or for accountants regulated by ICAEW, where it is structured around the limitation period). The practical standard in the technology market is six years, matching the limitation period for breach of contract under English law; clients with MSAs requiring tail cover commonly require six years and occasionally twelve years where the original contract was executed as a deed. Run-off is normally priced as a single up-front premium calculated as a multiple of your last working premium — commonly in the region of 1.0× to 2.5× of the last annual premium, spread across the run-off period.
Selling the business does not automatically extinguish your run-off obligation. The sale and purchase agreement has to deal with it explicitly: who buys the run-off, who pays for it, who notifies pre-completion circumstances, and how the warranties and indemnities sit alongside it. This is a recurring area where IT founders selling out are caught short — the cost of a six-year run-off layer is often a non-trivial deduction from sale proceeds, and discovering it the week before completion is unwelcome.
Three common run-off mistakes we see in the IT market. The first is failing to buy run-off at all, on the assumption that “we’re not being sued, so we don’t need it” — a misreading of how claims-made cover works. The second is buying a single-year run-off and renewing year-by-year, which is usually more expensive than a multi-year up-front placement and creates a hard cliff if the firm forgets to renew. The third is buying run-off without confirming the insurer is still in the market for run-off business; some insurers reduce or withdraw from run-off at intervals, and a placement made on the assumption of cheap renewal can be expensive to reposition.
A renewal is not a tickbox. It is the annual opportunity to reset the cover against what the firm now actually does, which is rarely identical to what it did last year.
The renewal process, done properly, starts ninety days before the renewal date. The broker requests the proposal information, you provide updated turnover, fee splits, largest contracts and claims history, the broker presents the renewal to the existing insurer and to a small number of alternative markets the broker considers competitive on that profile, and the resulting quotes are compared and explained. The conversation that actually adds value is the comparison: not “the premium is up 8%, sign here”, but “here are three structures, here is what each one covers, here is where each one is silent, and here is the recommendation”.
The five questions every IT firm should put to its broker at renewal:
What has changed in our activities since last renewal, and does the proposal accurately describe what we now do? Underwriters price on the basis of the declarations; activity drift is the most common cause of a coverage dispute at claim time.
Have we taken on any new contracts whose insurance schedule we now need to meet? An MSA signed mid-year that requires a £5m limit when the firm holds £2m is a coverage gap until the limit is increased.
Have there been any incidents, complaints or circumstances that might give rise to a claim? Even if no claim has been made, “circumstances” under the policy must be notified to preserve cover under the policy in force when they arose.
What is the position on AI use? If the firm now uses AI assistants in its development workflow, is that disclosed, and does the policy wording respond to AI-assisted work product?
Are the cyber and PI policies aligned? If they sit with different insurers, the broker should be able to map where each responds and where the boundary lies.
A clean renewal pack — proposal form, updated declarations, claims history, current MSAs with insurance schedules — placed ninety days out usually produces a better outcome than a rushed pack placed two weeks out. Underwriters reward predictability.
The first 48 hours after a claim or potential claim arrives matter disproportionately.
The triggering events worth taking seriously: a formal letter of claim or letter before action; a solicitor’s letter on behalf of a client or third party; a regulator’s notification (ICO most commonly for tech firms); a significant complaint that has escalated past account management; a serious incident that has caused or is likely to cause loss to a client; or any circumstance that a reasonable IT professional would expect to give rise to a claim. All of these are notifiable.
The single most important rule: notify your broker immediately. Notification preserves cover under the policy in force when the circumstance arose, even if the formal claim is not made until a later policy year. Late notification is a textbook reason for cover to be queried.
The second rule: do not admit liability or agree any settlement without the insurer’s consent. Modern wordings allow the insured to do everything reasonable to mitigate, including immediate technical remediation and client communication, but an unconditional admission can prejudice cover. Take advice from the broker and the insurer’s panel solicitors before responding.
The third rule: preserve evidence. Code repositories, configuration history, deployment logs, change tickets, email and chat records, the relevant contracts and statements of work, internal review notes, post-incident reports. The defence of an IT claim almost always turns on the documentary record of what was done, when, by whom and under what instruction.
The typical timeline:
Within 48 hours of notification, the broker logs the matter with the insurer, the insurer acknowledges and either accepts cover, accepts cover under reservation, or queries cover. Within two to four weeks, panel solicitors are appointed (the insurer typically nominates from a panel, though the insured can usually request a specific firm subject to insurer agreement). Investigation, disclosure and pleadings then run on the timetable of the underlying matter — for a contested commercial dispute, that can be many months. Settlement discussions or mediation often follow once the technical and legal picture is clear. Litigation, if it comes to it, runs on the court’s timetable.
Throughout the process, the broker’s job is to remain the conduit between the insured, the insurer, the loss adjuster (where appointed) and panel solicitors, and to ensure the insured understands what is happening and why.
The PI market for UK technology firms is served by a mix of generalist brokers, technology-specialist brokers and direct online portals. Each has a different cost-and-service profile.
A direct online portal is the cheapest entry point. It is suitable for very small firms with simple activities, low-value contracts, no public sector exposure and no need for an MSA-driven coverage check. The trade-off is that there is no human to read the proposal back to you, to flag a definition that may not respond, or to be on the end of the phone when a claim hits.
A generalist broker can place tech PI but usually as one product among many. The placement is competent; the depth of conversation about the wording is variable. For firms whose activities sit cleanly within a standard wording, this is often fine; for firms with anything unusual — AI tooling, regulated-client work, public sector frameworks, IP-heavy product work — the conversation typically does not go deep enough.
A technology-specialist or independent broker with meaningful tech experience is the right answer for most mid-sized and growing IT firms. The broker spends most of their time on tech placements, knows the wordings in the market, knows where each insurer’s appetite sits, and is able to read an MSA insurance schedule and translate it into a coverage requirement.
Apex sits in the third group. We are independent (not tied to any one insurer, not part of a network with quotas), we are FCA-authorised (FRN 724952), and we place across a panel of UK and London Market insurers active in technology PI and cyber. We are not the largest broker in the market and we do not try to be; we work with a manageable client base where we can be on the phone within a reasonable time when a claim hits.
The four questions to ask any broker you are considering:
How many tech PI placements does your firm handle a year, and at what limit range? You want a broker who is regularly in the market for placements of your size or larger.
Which insurers are you currently placing tech PI with for firms like ours, and why those? A broker who can only name one or two markets is not giving you a market view.
Can we see a sample wording before binding, and can you walk us through the points you think matter for our profile? A broker who will not do this is not the right broker.
Who handles claims, and what is the process when one comes in? You want a named claims contact and a clear escalation path, not a portal.
“We don’t need PI because our contracts cap our liability.”
A liability cap limits how much the client can recover, not how much it costs to defend the claim. Defence costs on a contested commercial claim routinely run to six figures even where the eventual liability is much smaller. PI responds to both the defence costs and the damages or settlement, subject to the limit and excess. A capped liability without PI still leaves you funding the defence yourself.
“PI and cyber cover the same thing.”
They overlap in narrow places and are otherwise quite different. PI responds to civil claims for financial loss arising from your professional services; cyber responds to incidents affecting computer systems and the consequences of those incidents. See section 4.
“AI-generated code is the insurer’s problem, not ours.”
It is currently everyone's problem. The insurer's wording determines whether AI-assisted output is treated in the same way as developer-written output; the firm's proposal-form disclosure determines whether the policy was placed on honest answers; and the client's contract often allocates the risk back to the supplier through IP and fitness-for-purpose warranties. All three need to align before you can assume the cover will respond.
“We’re too small for anyone to sue.”
Frequency is lower for small firms; severity is not. A two-person consultancy that mis-migrates a £15m turnover client’s order data can face a claim that is many multiples of the consultancy’s own annual revenue. The decision to sue is usually driven by the client’s loss, not the supplier’s size.
“Buying more cover is always better.”
Up to a point. Cover should be calibrated to the worst-case engagement exposure and the contractual minima. Stacking £10m of cover when the largest contract is £40,000 and the contractual minimum is £1m is buying premium for no underlying purpose.
“Run-off doesn’t matter, we’ll just keep renewing.”
Until you don’t — because you sell, retire, or restructure. Run-off needs to be planned for at the point of any transaction, ideally during heads-of-terms, not on the day of completion.
“Our umbrella covers our PI.”
For most umbrella arrangements covering inside-IR35 contractors, the umbrella's insurance protects the umbrella company, not the contractor's own professional output on the assignment. Read the umbrella's policy summary before relying on it. The contractor frequently still needs its own cover.
“The cheapest quote is the right quote.”
Sometimes. Often not. The cheapest quote is the right quote only if the wording matches the more expensive ones; a £900 saving on a policy that excludes 30% of what you do is not a saving.
If your PI renewal is within ninety days, or you have an MSA in front of you with an insurance schedule you need to meet, or you are not sure whether your current cover responds to the way you actually work in 2026, the right next step is a conversation.
The first call costs nothing and does not commit you to anything. We will ask about your activities, your contracts, your claims history and your current cover. If we think we can place a better outcome for you, we will tell you what we would propose and roughly what timeframe and cost would look like. If we think your current arrangement is competitive, we will tell you that too.
Contact us:
Apex Insurance Brokers Limited
Trading address: QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ
Registered office: c/o Westcan, 5 Anglo Office Park, Bristol BS15 1NT
Telephone: 0117 325 0027
Email: info@apexinsurancebrokers.co.uk
Web: apexinsurancebrokers.co.uk
Apex Insurance Brokers Limited is an independent insurance broker based in Bristol, serving UK businesses across professional, technology and trade sectors. We are authorised and regulated by the Financial Conduct Authority (firm reference number 724952) and registered at Companies House (registration 07014570). We are not tied to any one insurer and we do not operate as part of a network with quota arrangements that would skew our recommendations.
As an FCA-regulated broker we act for our clients in the negotiation with the insurance market. We are required to act fairly, with integrity, and with reasonable skill and care, and to explain how we are remunerated. Details are on our Terms of Business page; our complaints procedure is on our Complaints page; our privacy notice explains how we handle personal data.
This guide is general information for UK IT professionals and their advisers. It is not legal advice, regulatory advice or a substitute for reading the policy wording you are offered. Specific advice on your firm’s position should be taken from a regulated broker on the basis of your actual circumstances.
Regulators and bodies
Information Commissioner's Office — ico.org.uk
Financial Conduct Authority Register — register.fca.org.uk
National Cyber Security Centre — ncsc.gov.uk
BCS, The Chartered Institute for IT — bcs.org
techUK — techuk.org
Crown Commercial Service (G-Cloud, DOS) — crowncommercial.gov.uk
Legislation and guidance
UK General Data Protection Regulation — legislation.gov.uk
Data Protection Act 2018 — legislation.gov.uk
Supply of Goods and Services Act 1982 — legislation.gov.uk
Copyright, Designs and Patents Act 1988, s.9(3) — legislation.gov.uk
Off-payroll working rules (Chapter 10, ITEPA 2003) — gov.uk
Apex Insurance Brokers related guidance
IT professionals sector page — apexinsurancebrokers.co.uk/sectors/it-professionals/
Software development PI vs cyber cover — apexinsurancebrokers.co.uk/software-development-pi-vs-cyber-cover/
IT contractor PI in IR35 context — apexinsurancebrokers.co.uk/it-contractor-pi-insurance-ir35-context/
What is Professional Indemnity Insurance — apexinsurancebrokers.co.uk/what-is-professional-indemnity-insurance-uk-guide-2026/
Aggregate vs each-and-every claim limit — apexinsurancebrokers.co.uk/aggregate-vs-each-and-every-claim-limit-explained/
PI insurance glossary — apexinsurancebrokers.co.uk/pi-insurance-glossary/
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority. FCA firm reference number 724952. Registered in England and Wales, company number 07014570. Registered office c/o Westcan, 5 Anglo Office Park, Bristol BS15 1NT. Trading address QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ.
Version 1.0 — May 2026. This guide is for general information only and is not legal or regulatory advice. Take specific advice on your firm’s position.