A professional services business of any size eventually arrives at the same question: how many separate insurance policies do we actually need, and what does each one cover? The market answer used to be simple — a PI policy plus a public liability policy and (if the business had premises and stock) a commercial combined policy. Cyber was niche; data-breach exposure was small. That picture has shifted significantly over the last decade.
This guide compares the three main policies a professional services business typically holds — Professional Indemnity (PI), cyber, and commercial combined — and shows where they overlap, where they leave gaps, and where firms most often under- or over-insure. It is aimed at owners, finance managers and operations leads with cover-buying responsibility who want to understand the portfolio, not specialist insurance buyers.
For PI specifically, see our Professional Indemnity Insurance overview. For the broker-vs-direct question across all three classes, see Should I use a PI broker or buy direct?
What each policy actually does
The three policies sit alongside each other but cover materially different things.
Professional Indemnity (PI)
Covers: legal liability arising from the firm's professional services — alleged negligence, error or omission in the advice, design, certification or work product. Typically includes defence costs, damages, and certain extensions (dishonesty of employees, intellectual property, defamation, mitigation costs).
Basis: claims-made — the policy in force when the claim is notified responds, regardless of when the work was done. The retroactive date matters: work carried out before that date is excluded, so a gap in cover or a reset retroactive date leaves earlier work uninsured.
Triggers: a third party alleging financial loss caused by the firm's professional work.
Typical limit: £100k to £5m+ per claim depending on profession, fee income, and regulator requirements.
Who needs it: any business giving professional advice, designing, certifying, or providing a deliverable where a client could allege the work caused financial loss. Many professions have mandatory PI under their regulator (see Does my professional body require PI insurance?).
Cyber insurance
Covers: the financial consequences of a cyber incident affecting the firm. Typically includes: first-party costs (incident response, forensics, system restoration, business interruption from a cyber event), third-party liability (claims from customers whose data was compromised, regulatory investigation costs), notification costs (GDPR / DPA 2018 notification obligations), ransom payments where lawful, and crisis management.
Basis: usually written on an "occurrence" or "claims-made" basis depending on the policy; many UK cyber policies are claims-made for liability sections and occurrence for first-party sections.
Triggers: a cyber event — typically defined as a security breach, ransomware attack, malware infection, data breach, business email compromise, system outage caused by attack, or social engineering fraud.
Typical limit: £100k to £5m for SME-scale firms; higher for larger or data-heavy firms.
Who needs it: any business that processes personal data, depends on IT systems to operate, holds client funds digitally, or could suffer business interruption from a cyber incident. The threshold for "needing" cyber is now very low.
Commercial combined
Covers: a packaged set of property and liability covers for the business as an operating entity. Typically includes:
- Public liability — bodily injury or property damage to third parties from the firm's operations (e.g. a visitor injured at the office).
- Employers' liability — injury to employees in the course of employment (statutorily required for almost all UK employers).
- Property — buildings, contents, stock, IT equipment.
- Business interruption — loss of revenue from an insured event preventing the business operating.
- Money — cash on premises or in transit.
- Goods in transit, all-risks cover for portable equipment, etc.
Each section is an optional component; commercial combined is the wrapper that puts them in one policy.
Basis: occurrence — the policy in force when the incident occurs responds.
Triggers: the specific insured event in each section.
Typical limit: varies by section. Public liability commonly £2m, £5m or £10m; employers' liability £10m (statutory minimum £5m); property cover sized to insured property value.
Who needs it: any business with premises, employees, equipment, or visitors. The employers' liability section is legally required for almost all UK employers.
Where the three policies overlap — and where they don't
The common misconception is that the three policies overlap heavily. In practice they overlap less than people assume. Specifically:
A data breach that exposes a client's information. Cyber covers the breach response, the notification, the regulatory cost. PI may also respond if the client alleges the breach caused them financial loss from the firm's professional handling of the data (a professional negligence claim that happened to manifest as a cyber incident). Commercial combined does not respond — the public liability section is for bodily injury and property damage, not data loss.
A ransomware attack that disrupts the firm. Cyber covers the incident response, business interruption from the cyber event, ransom (where lawful), system restoration. Commercial combined business interruption may not respond — most commercial combined BI sections require a "damage" trigger, and digital-only disruption without physical damage is typically excluded. PI does not respond.
A defective piece of advice that produces a client loss. PI covers the professional negligence claim. Cyber and commercial combined do not.
An employee dishonestly diverting client funds. PI typically has a dishonesty extension for the firm (subject to limit and conditions). Commercial combined money/theft sections may respond to certain fraud scenarios. Cyber may respond if the fraud was via social engineering or a business email compromise.
A burst pipe damaging the office. Commercial combined property section. PI and cyber do not respond.
A client suing for breach of contract. PI usually responds to the extent the breach is also a negligent act or omission. Pure contractual liability outside the scope of negligence (e.g. failure to deliver on time without negligence) may not be covered by PI. Cyber and commercial combined do not respond.
The headline: each policy has its own trigger, and most events fall cleanly into one policy. The overlaps are mostly in specific data and dishonesty scenarios, where two policies can respond and the question is which pays first.
The "other insurance" clause — which policy pays first
When two policies could both respond, most policies contain an "other insurance" clause saying the policy is excess to any other available cover. If both policies say this, the resolution comes from market convention and from the specific wording.
A common worked example: a small consultancy suffers a business email compromise where an employee is tricked into making a fraudulent payment to a third party. The PI policy's dishonesty extension might respond; the cyber policy's social engineering section might respond; and the consultancy may even have a crime / fidelity policy.
In our experience the best practice is to notify all potentially responsive policies and let the insurers sort out the priority between themselves. Withholding notification from one policy because you "think" another will pay can void cover under the unnotified policy. Notify broadly and resolve coverage priority afterwards.
Common under-insurance pitfalls
These are the patterns we see most often where firms are under-insured relative to their actual exposure.
Cyber under-insurance
The most common under-insurance is cyber. Many small professional firms have no cyber cover, on the basis that "we don't hold sensitive data" or "we're too small to be a target". Both assumptions are usually wrong:
- Even a small consultancy holds client data — addresses, financial details, project records — that triggers GDPR / Data Protection Act 2018 notification obligations if breached.
- Ransomware operators target small firms precisely because larger firms have stronger defences.
- Business email compromise (BEC) — where attackers impersonate a supplier or director to redirect payments — affects firms of all sizes and produces real losses.
- Notification costs alone — forensics, legal review, regulator engagement, customer notification — typically run to tens of thousands of pounds for even a small breach.
Firms with no cyber cover and meaningful client data are usually under-insured.
PI limit too low for actual project size
Many firms carry a PI limit set years ago when projects were smaller. As project values have grown, the limit has not been reviewed. A practice doing £1m projects with a £500k PI limit is exposed to the gap on any total-loss claim.
Business interruption sized for damage events only
Commercial combined BI is usually written for property-damage triggers — fire, flood, storm. Modern BI exposures include cyber events, supply-chain disruption, and pandemic-style external shocks, most of which are not covered by standard BI. Firms that view their BI cover as comprehensive often have material exposure to non-damage interruption.
No run-off planning
This is more of a sequencing issue than an under-insurance one, but it produces the same outcome. Firms that close down or get acquired without arranging PI run-off leave past work uninsured. Six years of run-off (or longer for deed-based work) costs money and needs to be in the planning.
Public liability limits at minimum
Many small firms carry £1m public liability when modern client contracts require £5m or £10m. The cover is in place; the limit is insufficient to meet client procurement requirements, creating a compliance gap rather than a coverage gap.
Common over-insurance pitfalls
The opposite pattern — paying for cover that doesn't really add value:
Cyber cover with a low aggregate sub-limit
Some cyber policies sold to small businesses carry attractive headline limits (£500k, £1m) but with sub-limits on the most important sections — ransom, notification, regulatory defence — of £25k or £50k. The headline cover is theatre; the real cover is small. Read the sub-limits before assuming you have £1m of cyber cover.
Public liability stack across multiple policies
A firm with separate motor, employers' liability, and commercial combined policies sometimes has overlapping public liability sections — paying for £5m, £5m and £2m of cover that effectively all responds to the same event. Consolidation typically saves premium without reducing cover.
Property cover at gross book value, not replacement value
Property is insured at "reinstatement cost" — what it would cost to replace today. Firms sometimes insure at book value (after depreciation), under-insuring on claims; or at original purchase price, over-insuring for premium. The right basis is reinstatement.
Buying PI cover well above regulator minimum without thought
A small consultancy below the regulator minimums sometimes buys £5m of cover because "it sounds professional". The cover costs real money. If the firm's largest contract has a £500k cap on the firm's liability, £5m of cover is over-provisioned. Size cover to actual contractual and project exposure, not to aspiration.
Putting it together — sizing a portfolio
A practical framework for sizing a portfolio of PI, cyber and commercial combined:
Step 1 — Identify regulator and contract requirements. What is your professional body's minimum PI? What do your standing client contracts require for PI, employers' liability, public liability? These are floor figures.
Step 2 — Identify your worst-case scenarios. What is the largest professional negligence claim that could realistically arise from your work — a complete write-off of your largest project? What is the largest cyber event that could affect you — what would it cost to recover from ransomware and notify all your contacts? What is the largest property loss — what is in your office?
Step 3 — Size each policy to the higher of the regulator/contract floor and your worst-case scenario. Add a margin where the worst case is uncertain.
Step 4 — Review the wording, not just the limit. A high limit on poorly-worded cover is worth less than a moderate limit on responsive cover. The wording on cyber and PI particularly should be reviewed annually.
Step 5 — Review annually as the business grows. Limits set three years ago for a smaller firm are usually too low now. Renewal is the moment to revisit, not just to renew the same.
How Apex helps
We arrange all three policy classes — PI, cyber, and commercial combined — for professional services businesses. Our role is to help size each policy to actual exposure, to coordinate the three policies so they respond consistently rather than leave gaps between them, and to keep the limits and wordings current with the business as it grows. We do not push specific cyber products and we are happy to say where the cyber market does not yet offer good value for a particular firm.
For a portfolio review or initial conversation, the contact page is the right starting point.
Frequently asked questions
Do I need PI and cyber, or does one cover the other?
You usually need both. PI covers professional negligence claims; cyber covers cyber events. The overlap is narrow — typically only where a cyber event produces a professional negligence claim (e.g. mishandling of client data alleged as a professional failure). Treating one as a substitute for the other leaves a real gap.
Does my commercial combined business interruption cover ransomware?
Almost certainly not. Most commercial combined BI sections require a "damage" trigger — typically physical damage to insured property. A ransomware attack without physical damage is not a triggering event. Cyber BI is the appropriate cover for this. Read your BI section's "damage" definition to confirm.
Is employers' liability included in commercial combined?
It is usually one of the sections in a commercial combined policy. UK employers are required by law to hold employers' liability insurance with a minimum £5m limit (most policies are written at £10m). If your commercial combined policy does not include employers' liability and you have employees, you need to address the gap immediately.
What is the minimum cyber limit I should buy?
For a small professional services firm with under £1m turnover, cyber cover of £250k–£500k is a common starting point. The figure should reflect what a worst-case incident would cost — incident response, notification, business interruption, regulatory defence and any third-party claims. Higher data volumes and regulated sectors warrant higher limits.
Can I cancel my public liability policy if I have PI?
No. They cover different things. Public liability covers bodily injury and property damage to third parties from your operations (e.g. a visitor tripping at your office). PI covers financial loss from your professional advice or work product. Most client contracts require both.
If a single event triggers PI and cyber, which policy do I claim under?
Notify both. The insurers will determine priority between themselves under the policies' "other insurance" clauses. Failing to notify one of two responsive policies can void cover under the unnotified policy. Notify broadly; resolve priority afterwards.
Do I need separate professional indemnity if I have errors and omissions cover?
"Errors and omissions" (E&O) is the same product as professional indemnity in the UK — different naming, same cover. In the US the term "E&O" is more common; in the UK "PI" predominates. If you have one, you have the other under a different name.
Should I buy these policies as a bundle or separately?
There are bundled "professional services" packages on the market that combine PI, cyber and basic commercial combined. They can be cost-effective for small firms but the cover on each section is sometimes thinner than separately-placed equivalents. Compare carefully on wording, not just price. For firms above approximately £500k turnover, separately-placed cover is often more flexible.
Related guides
- Professional Indemnity Insurance overview
- Cyber Insurance overview
- Business Insurance overview
- Should I use a PI broker or buy direct?
- Contact Apex Insurance Brokers
About Apex Insurance Brokers — Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FCA firm reference 724952. Registered in England and Wales, Companies House 07014570. Last reviewed: May 2026.