PI vs cyber insurance for UK consultants
One of the most persistent misunderstandings in professional indemnity purchasing: consultants assuming PI covers their cyber-breach exposure, or that cyber covers professional advice errors. In fact, PI and cyber are distinct products responding to distinct triggers. This page sets out the boundary and where the two overlap.
The two products in one sentence each
PI — third-party professional liability
PI covers the consultant's legal liability for professional errors, negligent advice, or delivery failures causing client (or third-party) financial loss.
Cyber — first-party breach response
Cyber covers the consultant's own costs when their systems are compromised: forensic investigation, notification, remediation, business interruption, cyber extortion, and (with extensions) regulatory-defence costs.
What triggers each product
PI triggers
- Client sues over failed project delivery.
- Client sues over defective advice.
- Client sues over data-handling error causing them to face ICO or subject claims.
- Third party sues over consultant's IP infringement.
- Client sues over breach of confidentiality.
Cyber triggers
- Ransomware attack on consultant's systems.
- Data breach of consultant's customer database.
- Business interruption from cyber event.
- Extortion demand for encrypted data.
- Notification costs after breach.
- Forensic investigation costs.
Overlap scenarios
- Consultant's data breach exposes client data — cyber covers first-party costs, PI defends client's claim against consultant.
- GDPR breach involving personal data — cyber covers notification/forensic; PI defends data-subject civil claims.
- Ransomware on consultant's systems that also affects client — both products triggered.
The claim quantum question
PI claim quantum
Determined by client's loss. Can reach millions for large corporate clients or long-tail exposure. Cover-limit selection follows client-contract requirements and worst-case exposure.
Cyber claim quantum
First-party costs vary by breach scope. Notification typically low-hundreds-of-thousands. Business interruption depends on client base. Extortion payments vary but average around £250k-£1m for successful attacks on SME consultancies. Regulatory-defence costs can be substantial.
Small consultancies often carry £1m PI + £250k cyber. Larger consultancies with significant data-handling £5m PI + £2m cyber.
Wording tests at renewal
- Confirm PI wording covers data-handling activity. Some standard PI wordings restrict this.
- Confirm cyber wording covers relevant activity types: SaaS-service consultants need different wording from advisory-only.
- Confirm regulatory-defence scope in cyber. ICO defence costs are typically covered; some wordings exclude PECR (marketing communications) violations.
- Test aggregation across PI and cyber where a single event triggers both. Some wordings coordinate; some don't.
- Confirm run-off treatment for both products where consultant retires or firm closes.
The gap consultants most commonly leave
The most common gap: consultant with only PI. Client data breach occurs. PI defends the client claim but doesn't pay any of the first-party breach-response costs (forensic, notification, business interruption). Firm reserves are exhausted before defence is fully paid.
Second-most-common gap: consultant with only cyber. Client sues over failed advice unrelated to the cyber event. Cyber doesn't respond — that's PI territory. Consultant faces personal-quantum exposure.