Consultant PI · Deep dive

PI vs cyber insurance for UK consultants

Reviewed by Matthew Bartlett, Director, Apex Insurance Brokers Limited (FCA FRN 724952) · Published 14 July 2026

One of the most persistent misunderstandings in professional indemnity purchasing: consultants assuming PI covers their cyber-breach exposure, or that cyber covers professional advice errors. In fact, PI and cyber are distinct products responding to distinct triggers. This page sets out the boundary and where the two overlap.

The two products in one sentence each

PI — third-party professional liability

PI covers the consultant's legal liability for professional errors, negligent advice, or delivery failures causing client (or third-party) financial loss.

Cyber — first-party breach response

Cyber covers the consultant's own costs when their systems are compromised: forensic investigation, notification, remediation, business interruption, cyber extortion, and (with extensions) regulatory-defence costs.

What triggers each product

PI triggers

Cyber triggers

Overlap scenarios

The claim quantum question

PI claim quantum

Determined by client's loss. Can reach millions for large corporate clients or long-tail exposure. Cover-limit selection follows client-contract requirements and worst-case exposure.

Cyber claim quantum

First-party costs vary by breach scope. Notification typically low-hundreds-of-thousands. Business interruption depends on client base. Extortion payments vary but average around £250k-£1m for successful attacks on SME consultancies. Regulatory-defence costs can be substantial.

Small consultancies often carry £1m PI + £250k cyber. Larger consultancies with significant data-handling £5m PI + £2m cyber.

Wording tests at renewal

  1. Confirm PI wording covers data-handling activity. Some standard PI wordings restrict this.
  2. Confirm cyber wording covers relevant activity types: SaaS-service consultants need different wording from advisory-only.
  3. Confirm regulatory-defence scope in cyber. ICO defence costs are typically covered; some wordings exclude PECR (marketing communications) violations.
  4. Test aggregation across PI and cyber where a single event triggers both. Some wordings coordinate; some don't.
  5. Confirm run-off treatment for both products where consultant retires or firm closes.

The gap consultants most commonly leave

The most common gap: consultant with only PI. Client data breach occurs. PI defends the client claim but doesn't pay any of the first-party breach-response costs (forensic, notification, business interruption). Firm reserves are exhausted before defence is fully paid.

Second-most-common gap: consultant with only cyber. Client sues over failed advice unrelated to the cyber event. Cyber doesn't respond — that's PI territory. Consultant faces personal-quantum exposure.

Frequently asked

Can PI cover ransomware attacks on my own systems?
No. Ransomware and first-party breach-response is cyber territory. PI covers third-party claims, not the consultant's own costs of dealing with a breach.
Can cyber cover professional advice errors?
No. Cyber covers first-party breach costs and (with extensions) some regulatory-defence. It does not cover client claims over advice errors — that's PI territory.
Do I need both PI and cyber?
Most consultants handling any material data need both. The two products cover fundamentally different exposures.
What limit should I carry on each?
Depends on activity. Small consultancy: £1m PI + £250k cyber. Delivery/development firm: £5m PI + £1m-£2m cyber. Data-heavy consultancy: £10m+ combined.
Is regulatory-fine defence covered under either?
Standard cyber covers the legal defence costs for ICO enforcement. Regulatory fines themselves are uninsurable in UK law. PI does not cover regulatory-fine defence typically.
Do I need cyber if I don't hold personal data?
Consultants without material data handling can operate with PI-only. But business-interruption risk from any cyber event (email outage, system compromise) may still justify basic cyber cover.

Related reading