Cyber risk does not respect the boundaries of traditional insurance products. A ransomware attack on a consultancy can simultaneously cause a system outage (first-party cost), a delay in client deliverables (potential contractual breach), an unauthorised disclosure of client data (regulatory and contractual exposure) and an allegation that the consultancy's advice to its clients was negligent in the period leading up to the breach. Different elements of the same event may belong on different policies — or, in some cases, on neither, depending on how each is worded.
Professional Indemnity (PI) insurance and Cyber insurance are the two lines most often discussed in this context. They are different products with different purposes, but they have a meaningful overlap zone, and many wordings in both markets have been drafted specifically with that overlap in mind — often to allocate, sometimes to exclude.
This article sets out the mechanical differences between PI and Cyber, the structural features of each, the zones where they overlap or compete, and the placement questions that arise when both lines are held.
What this comparison is about
The comparison is mechanical. It does not recommend that any firm should or should not buy either line, nor does it suggest that holding both is universally appropriate. Different firms have different exposures: a low-tech sole trader with no data of consequence may face limited cyber exposure; a managed service provider with enterprise customers faces substantial cyber exposure and a substantial professional services exposure that overlaps with it.
The article addresses what each policy is designed to respond to, where the wordings have evolved to allocate cyber risk between the two lines, and what questions arise on placement and renewal.
A note on policy-line comparisons
Cyber insurance is a comparatively young product line that has evolved rapidly. Wordings still vary significantly between insurers, even for the same kind of firm. PI wordings, while more stable, have evolved over the past decade to address cyber exposures — often by exclusion, sometimes by carve-back or extension.
The result is that the boundary between PI and Cyber is fact-specific and wording-specific. Two firms in the same sector with the same exposure could find that their PI and Cyber policies allocate a given claim quite differently because of the wording each policy uses.
This article describes typical market features. The actual cover under any specific policy is determined by its schedule, insuring clauses and exclusions.
What PI covers
Who is typically insured
The firm — company, LLP or partnership — and partners, directors and employees acting in the course of professional services.
What triggers the policy
A third-party claim alleging civil liability arising from the conduct of the insured's professional services. Negligence, breach of duty, breach of contract, dishonesty of employees, libel, slander and IP infringement are commonly covered, subject to specific wording.
Defence costs
Commonly in addition to the limit of indemnity; some wordings include defence costs within the limit.
Trigger basis
Claims-made and notified, with a retroactive date.
Typical limits and aggregation
Limits commonly "any one claim" and/or "in the aggregate".
Common extensions
Loss of documents, dishonesty of employees, court attendance compensation, run-off cover. Some PI wordings include carved-back cover for narrow cyber-related professional negligence.
Common exclusions relevant to cyber
Most modern PI wordings include some form of cyber exclusion or restriction. The scope varies widely:
- Some exclude only first-party cyber costs (forensics, notification, business interruption) — preserving cover for third-party professional negligence claims arising from cyber events.
- Some exclude broader categories of cyber-related loss, including third-party claims arising from data breach.
- Some carve back cover for "negligent advice that resulted in a cyber event" — preserving the core PI function while excluding the firm's own first-party costs.
- Some apply sub-limits to cyber-related exposures.
The breadth of cyber exclusion is one of the most important wording questions on modern PI placements.
What Cyber covers
Cyber insurance is structured around two broad categories: first-party costs (the insured's own costs) and third-party liability (claims against the insured by others).
First-party covers
- Incident response and forensics — costs of engaging an incident response team, forensic investigators and legal counsel to determine the nature and scope of the incident.
- Notification costs — costs of notifying affected individuals, regulators and other stakeholders, including call centre operations where applicable.
- Credit and identity monitoring — costs of providing affected individuals with monitoring services.
- Business interruption — loss of revenue or profit (and additional operating costs) arising from a covered cyber event that disrupts the insured's systems. Indemnity periods, waiting periods and trigger events vary widely.
- Cyber extortion and ransom — costs of responding to extortion threats, including, in some jurisdictions and subject to sanctions and legal constraints, payment of ransoms.
- System and data restoration — costs of restoring data and re-securing systems following an incident.
- Crisis communication and PR — costs of managing communications with stakeholders during and after an incident.
- Regulatory fines — where insurable as a matter of law and policy wording; UK and EU regulatory fines are not always insurable.
Third-party covers
- Network security and privacy liability — claims by third parties for losses arising from a cyber event affecting the insured (data breach claims, contractual claims for system outage, claims arising from malware originating from the insured's network).
- Regulatory defence and investigation costs — costs of responding to regulator inquiries arising from cyber events.
- Media liability — claims arising from content published by the insured, where bundled into the cyber policy.
- PCI fines and assessments — fines and assessments by payment card schemes, subject to wording.
Who is typically insured
The firm and its subsidiaries (typically), with employees, directors and officers included to the extent acting in the course of the firm's business. Some policies extend to third parties hosting data on behalf of the insured.
Trigger basis
Cyber is typically claims-made and notified for third-party liability sections, with first-party sections triggered by an "incident" or "event" occurring during the policy period. Notification language and definitions of "incident" vary.
Typical limits and aggregation
Most cyber policies have an aggregate limit, with sub-limits for specific covers (business interruption, regulatory fines, cyber extortion, PCI assessments).
Common exclusions
War and cyber war (with definitions that have tightened significantly in recent years), nation-state attacks (carve-outs in some markets), bodily injury, property damage, prior known incidents, infrastructure outages outside the insured's control, and professional services in some wordings.
Where they overlap
The overlap zone between PI and Cyber is significant and increasingly subject to wording engineering by both markets. Common overlap scenarios include:
- Negligent professional advice causing a client cyber event — A consultant gives IT or security advice; the client relies on it and suffers a cyber incident. The client sues the consultant. PI may respond (subject to cyber exclusions); cyber may respond (subject to professional services exclusions). The wording of both policies determines allocation.
- Data breach exposing client confidential information — A professional services firm suffers a data breach exposing client documents. Affected clients sue. PI may respond (subject to cyber exclusions); cyber may respond. First-party notification, forensics and BI costs would typically sit on cyber.
- System outage delaying client deliverables — A consultancy's systems are down for two weeks following a ransomware attack. Client deliverables are delayed; some clients claim losses. Cyber BI responds to first-party loss; cyber third-party liability may respond to client claims; PI may or may not respond to "failure to deliver" claims depending on wording (delay alone is often not a PI trigger absent negligence).
- Negligent IT advice causing client data breach — An IT consultancy advises a client on security architecture; a breach follows; the client sues. This is the clearest professional services exposure and is most commonly the territory of PI (or cyber-aware PI for IT firms), though general cyber policies for the consultancy may also respond.
- Wrongful collection or use of personal data — A marketing consultancy is alleged to have advised a client to process data unlawfully. The advice is the PI exposure; the underlying processing exposure is the client's.
The market response to this overlap has been:
- PI wordings excluding cyber but carving back cover for professional advice that has a cyber consequence;
- Cyber wordings excluding professional services but carving back cover for cyber incidents affecting professional firms; and
- Specialist "tech E&O / Cyber" hybrid wordings for IT and technology firms, designed to address both lines on a single schedule.
Where they differ in trigger and mechanics
- Nature of cover — PI is third-party only; Cyber is both first-party and third-party.
- Trigger basis — PI is claims-made; Cyber third-party sections are typically claims-made; Cyber first-party sections are triggered by an incident occurring within the policy period.
- Claimant — PI claimants are clients (and others owed a professional duty); Cyber third-party claimants may include clients, individuals affected by data breach, regulators, payment card schemes and other parties.
- First-party costs — PI generally does not respond to the insured's own costs; Cyber is built around first-party costs.
- Sub-limits — Cyber typically applies sub-limits to most first-party covers; PI typically has fewer internal sub-limits.
- Regulatory exposure — Cyber addresses regulator inquiries and (where insurable) fines; PI generally addresses regulator action only where it arises from the underlying professional service.
Comparison table — objective policy mechanics
| Dimension | Professional Indemnity (PI) | Cyber |
| --- | --- | --- |
| Trigger basis | Claims-made and notified | Claims-made (third-party); incident-based (first-party) |
| Cover scope | Third-party financial loss from professional services | First-party costs + third-party cyber liability |
| Who is the insured | The firm; partners, directors, employees in services | The firm; subsidiaries; employees |
| Who typically brings the claim | Clients (and others owed a professional duty) | Clients, individuals affected by data incidents, regulators, card schemes |
| Defence costs | Commonly in addition to limit | Typically in addition to limit, with cap sub-limits |
| Limit structure | Any one claim and/or in the aggregate | Aggregate with sub-limits |
| First-party costs | Generally none | Forensics, notification, BI, restoration, extortion, PR |
| Regulatory fines | Limited; defence costs sometimes | Defence costs; insurable fines where law permits |
| Common exclusions | Bodily injury, property damage, fraud, insolvency, fines, increasingly cyber | War/cyber war, prior known incidents, infrastructure outages, professional services (sometimes) |
| Run-off cover | Commonly required on cessation | Less commonly required separately |
Common scenarios — which policy responds
Scenario 1 — Ransomware attack on consultancy laptops. A management consultancy is hit by ransomware that encrypts its laptops and file shares. The firm engages incident responders, restores systems from backup, notifies clients of the incident and loses two weeks of billable work. Cyber responds to the first-party costs (incident response, restoration) and to BI (lost revenue, subject to waiting period). PI is generally not engaged because there is no third-party claim alleging negligent professional service.
Scenario 2 — Negligent IT advice causing client data breach. An IT consultancy advises a client on network architecture. A vulnerability the consultancy failed to identify is later exploited, leading to a client data breach. The client sues the consultancy for the cost of the breach. PI is the policy most directly engaged for the third-party claim (subject to any cyber exclusion in the PI). The consultancy's own cyber policy may also be engaged if the wording responds to claims arising from professional services. Coordination between the two policies is fact-specific.
Scenario 3 — Data breach at a law firm exposes confidential client information. A law firm suffers a cyber incident exposing client matter files. Affected clients sue the firm. Cyber responds to first-party costs (forensics, notification, regulatory defence, BI). PI may respond to client civil-liability claims (subject to any cyber exclusion); cyber third-party liability may also respond. The order of payments and allocation between policies is determined by their wordings.
Scenario 4 — Failure to deliver consulting work on time due to cyber outage. A consulting firm's systems are down for a fortnight following a cyber incident. Clients claim losses arising from delay. Cyber BI responds to the firm's first-party loss. Cyber third-party liability may respond to client claims arising from the outage. PI generally does not respond to "failure to deliver" claims absent an underlying allegation of professional negligence — delay alone is rarely a PI trigger.
Scenario 5 — Wrongful processing of personal data on client advice. A consultancy advises a client on marketing data practices. The client follows the advice; a regulator investigates; the client incurs penalties; the client sues the consultancy. PI may respond to the third-party claim against the consultancy (subject to specific exclusions for wrongful collection of data, which some wordings contain). Cyber may respond depending on whether the underlying incident is treated as a cyber event in the policy's definitions.
Scenario 6 — Phishing-induced fraudulent funds transfer. A consultancy's finance team is tricked by a business email compromise into transferring funds to a fraudulent account. Crime/social engineering cover is the primary line for this loss. Cyber policies sometimes include sub-limited social engineering cover; PI generally does not respond.
Scenario 7 — Third-party service provider outage. The consultancy's cloud provider suffers an outage; the consultancy cannot deliver services to clients. Cyber BI may respond to dependent business interruption (subject to specific wording — many cyber policies sub-limit or exclude dependent BI). PI generally does not respond to delay claims absent professional negligence.
When firms typically buy both
Firms whose services involve significant handling of client data, IT advice, cloud services, software development or any activity that exposes both client information and the firm's own systems commonly hold both. IT consultancies, MSPs, accountants, solicitors, healthcare providers and many other professional firms increasingly hold both.
When one alone may suffice
A pure-advice firm with minimal data holdings and limited IT exposure may face limited first-party cyber exposure; if there is no professional service to clients, PI is not the question. The decision is fact-specific.
Practical structuring considerations
- Cyber exclusion in PI — The breadth of the cyber exclusion on the PI policy materially affects what cover remains for cyber-related professional negligence.
- Professional services exclusion in Cyber — The mirror question: how broadly does the cyber policy exclude professional services?
- Order of payments and primary/excess language — Where both policies could respond, the wordings determine which is primary.
- Sub-limits within Cyber — BI, regulatory fines, social engineering, dependent BI and cyber extortion frequently carry sub-limits well below the headline aggregate.
- Waiting periods on BI — Cyber BI typically has a waiting period (commonly 8, 12 or 24 hours of outage) before cover engages.
- Aggregate erosion — Cyber aggregates can be eroded quickly by a single significant incident; reinstatement is sometimes available.
- Definitions — "Computer system", "data", "personal information" and "incident" are defined terms; their scope shapes cover materially.
- Sanctions and ransom — Ransom payments are subject to legal and sanctions constraints; cyber policies address this in varying ways.
- Specialist tech E&O / cyber hybrid — For IT firms, hybrid wordings address both lines on a single schedule and avoid the allocation question.
What to ask before placing or renewing
1. What is the scope of the cyber exclusion on the PI policy? Are negligent professional services with a cyber consequence carved back?
2. What is the scope of the professional services exclusion on the cyber policy? Are claims arising from professional services carved back?
3. Where both policies could respond, what is the order of payments and how is allocation determined?
4. What sub-limits apply on the cyber policy, and are they adequate for the firm's exposure?
5. What is the BI waiting period and indemnity period on the cyber policy?
6. How are dependent business interruption and supply-chain cyber events treated?
7. How is "incident" or "cyber event" defined, and does the definition capture the relevant exposures?
8. What is the position on cyber extortion and ransom payments, and on regulator fines where insurable?
9. Are war/cyber war exclusions narrowly drafted, and what carve-backs exist?
10. For IT and tech firms, is a hybrid Tech E&O / Cyber wording a better fit than separate placements?
How a broker helps coordinate
A broker placing both lines reviews the wordings together — assessing the breadth of cyber exclusions in PI, the breadth of professional services exclusions in Cyber, and the allocation language between the policies. Sub-limits, definitions and waiting periods are reviewed against the firm's exposure profile. Where appropriate, hybrid wordings or specific endorsements can close gaps. Apex Insurance Brokers Limited arranges both PI and Cyber for UK firms; the right structure depends on the firm's data holdings, services, supply chain, contractual obligations and risk appetite.
FAQ
Does my PI policy cover cyber? Most modern PI policies include some form of cyber exclusion or restriction. The scope varies — some exclude only first-party costs; some exclude broader cyber liability. The wording of the specific PI determines what remains in cover for cyber-related professional negligence.
Does my Cyber policy cover professional negligence? Cyber policies vary on this point. Many exclude professional services; some carve back cover for cyber-related professional negligence. For IT and tech firms, hybrid Tech E&O / Cyber wordings are designed specifically to address this overlap.
What is first-party cyber cover? First-party cover responds to the insured's own costs following a cyber incident — forensics, notification, business interruption, data restoration, crisis communications and (subject to wording and law) cyber extortion or ransom.
What is third-party cyber liability? Third-party cyber liability responds to claims by others (clients, individuals affected by data breach, regulators, card schemes) arising from a cyber incident affecting the insured.
Are regulatory fines insurable? Some fines are insurable where the law permits and the wording responds; others are not. UK GDPR fines specifically are not always insurable as a matter of law and public policy. Cyber policies typically cover the defence and investigation costs even where the fine itself is not insurable.
Is business interruption covered on Cyber the same as BI on a property policy? No. Cyber BI responds to losses arising from a cyber event affecting the insured's systems. Property BI responds to losses arising from physical damage. The two are separate.
What is dependent BI? Dependent BI responds to losses arising from a cyber incident at a third party on whom the insured depends (for example a cloud provider). Cyber policies treat dependent BI in varying ways; many sub-limit or exclude.
Should I have a hybrid Tech E&O / Cyber for an IT firm? For firms whose professional services and cyber exposures are tightly bound (IT consultancies, MSPs, software developers), hybrid wordings can avoid allocation gaps. Whether such a structure is right depends on the firm's specific services and counterparties.
About Apex Insurance Brokers — Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FCA firm reference 724952. Registered in England and Wales, Companies House 07014570. Last reviewed: May 2026.