Topic: where cyber insurance and professional indemnity meet, where they leave gaps, and how SME buyers should read the question. Spokesperson: Matt Bartlett, Director, Apex Insurance Brokers Limited.
This briefing covers the most misunderstood area in 2026 SME commercial insurance — the boundary between cyber cover and PI cover, the way both wordings respond to a cyber event in a professional firm, and the practical gaps that show up at claims. The briefing is broker-side and operational.
Apex’s view is that for any professional firm — solicitors, IFAs, accountants, surveyors, IT consultancies, designers — cyber and PI need to be read as one risk at every renewal, not as two separate products. The wordings vary widely across the market on how they handle the overlap, and the assumption that the two covers between them respond to a cyber loss does not always hold.
A cyber event at a professional firm in 2026 typically engages three potential exposures. The first is the firm’s own loss — restoration of systems, lost income, ransom payment, breach response costs, regulatory notifications. The second is the firm’s liability to clients and third parties — for losses the clients incur because the firm’s systems failed, because data was compromised, because services were disrupted, or because the firm gave advice or work product that turned out to be compromised. The third is the firm’s regulatory exposure — fines, investigation costs, and the reputational dimension.
The first exposure sits primarily with a cyber policy. The second exposure can sit with either a cyber policy or a PI policy, depending on wording. The third has a mix of coverage, depending on the regulator and the specific cost type.
The market problem is that buyers and parts of the broker market read these as cleanly divided. They are not. Cyber wordings vary on liability cover and on advisory/consulting work. PI wordings vary on cyber-related exclusions, on data-breach cover, on the definition of professional services and on the interaction with cyber events that arise out of professional work product. Without a careful read of both wordings against each other at every renewal, gaps appear.
“Cyber and PI sit closer together than the standard market wordings let on. Buyers and brokers should be reading both as one risk in 2026, not two.”
“The most common gap we see is the SME professional firm with a cyber policy and a PI policy that the firm assumes between them respond to a cyber loss. They sometimes do. They often don’t.”
“The cyber-PI question is the single most misunderstood area in 2026 SME insurance. Brokers who are not reading both wordings against each other at every renewal are leaving their clients exposed.”
“Most cyber wordings will respond to the firm’s own loss. Most PI wordings will respond to client claims arising from professional work product. The grey area is the cyber event that becomes a client claim — and that is where 2026 losses are landing.”
“For an IT consultancy in 2026, the cyber-PI question is the renewal. The wording structure that decides which cover responds to which loss is the placement, not an afterthought.”
“The work the broker does at placement on the cyber-PI overlap is what determines whether a 2026 client claim is paid in full, paid partially, or contested.”
Apex places both cyber and PI cover for the firm’s professional services book — solicitors, IFAs, accountants, surveyors, IT consultancies, designers, consultants — and reads both wordings against each other at every renewal.
Apex publishes guidance for clients on the cyber-PI overlap, available on the firm’s website.
The cyber and PI markets are separate products with separate underwriters at the major UK insurers, and the wordings are developed independently. That is a structural reason the wordings drift apart on the overlap question.
The Information Commissioner’s Office is the principal UK regulator for personal data breaches. The FCA, SRA, ICAEW and other professional regulators are the principal UK regulators for the professional services dimension. The cost types engaged by a regulatory response depend on which regulator and which dimension.
Apex will not name a specific insurer’s wording in critical terms without the insurer’s right of reply.
Apex will not name a specific client claim or describe a specific incident.
Apex will not predict the outcome of pending cyber-related litigation.
Apex will not provide legal opinion on the regulatory dimension — legal opinion sits with law firms.
For IT consultancies and managed service providers, the firm’s own cyber exposure and the firm’s liability to clients for cyber-related losses are continuous. A managed service provider whose own systems are compromised and who is supplying services to clients out of those systems faces both the firm’s own loss and the client liability simultaneously. The cyber policy and the PI policy both potentially engage, and the wording detail of each determines which loss sits where.
For professional firms in general — solicitors, IFAs, accountants, surveyors — the overlap is acute on the question of client data, client communications and work product. A breach that exposes client data is potentially a PI matter (the firm has failed in its duty to protect the client’s confidential information) and a cyber matter (the firm has suffered a breach event with its own restoration and response costs). Where the firm’s PI wording excludes or limits cyber-related losses, and where the firm’s cyber wording excludes or limits losses arising from advisory or consulting work, the gap can be substantial.
The most common gap is the cyber policy with a tight cap on third-party liability cover paired with a PI policy with a cyber-related exclusion that is broader than the client realises. The combined effect is a substantial gap on cyber events that produce client liability — the cyber policy caps the cover, the PI policy excludes it, and the firm carries the difference uninsured.
The second most common gap is the PI policy with a “circumstance” notification regime that does not align with the cyber policy’s incident notification regime. A cyber event that produces a notification on the cyber side may also be a notifiable circumstance on the PI side, and missing one or the other can prejudice cover under both. The broker’s job is to align the two notification approaches at placement.
The third is the cyber policy with a definition of “covered services” that does not match the firm’s actual scope of work. An IT consultancy whose cyber policy covers managed services but not bespoke development, or a professional firm whose cyber policy covers a defined system but not the cloud platform the firm has migrated to, sits with cover that does not respond to the actual loss exposure.
Materially. The market has not converged on a standard wording for the cyber-PI overlap. Some PI insurers (a handful) explicitly endorse cyber cover into the PI wording for relevant sectors. Most exclude it in varying ways, with the exclusion ranging from narrow (only direct cyber attack losses excluded) to broad (any loss arising from any cyber event excluded). On the cyber side, the variation in third-party liability cover is even wider — from named-event triggers only, to broad liability cover for any cyber-related claim, with cost type variation underneath that.
The practical effect is that the placement of cyber and PI together cannot be done by comparing premiums. The wordings have to be read line-by-line against each other.
Most SME buyers are not. The buyer who has both a cyber policy and a PI policy assumes the two between them cover the cyber-related liability of the firm. The assumption is often wrong, and it is wrong in ways the buyer cannot diagnose by reading either policy schedule. The buyer needs the broker — or in larger firms, the in-house risk function — to do the cross-read.
That is a real and current SME broker responsibility. The broker who places only one of the two products, or who places both but does not read them against each other, is leaving the client unprotected on the most material 2026 SME risk.
Three questions. The first is: how do my cyber and PI policies respond to a cyber event that produces a client claim — which policy goes first, which goes second, and is there a gap between them?
The second is: how do the notification regimes align — if I have a cyber event today, how many notifications do I need to make, on what timelines, and to whom?
The third is: what is the regulatory cost type cover under both policies — fines, investigation costs, breach notification costs, customer remediation costs — and where do the gaps sit?
A broker who can answer all three crisply at every renewal is doing the work. A broker who cannot answer them, or who answers them in generic terms, is not.
Slowly, on the cyber side — broader and more consistent third-party liability cover at the SME end, more uniform incident notification regimes, a settling of the definitional language. On the PI side, less so — the PI cyber-related exclusions are still varied across the major UK PI carriers, and the differences are material at the wording level. Apex’s working view is that the standardisation question will take several more years to resolve on the PI side.
A cross-read at every renewal across the firm’s cyber and PI book. The cross-read sits in the proposal-form refresh process — the broker takes both wordings into the renewal conversation, surfaces the gaps explicitly to the client, and structures the placement to close the gaps where the market will close them. Where the gaps cannot be closed (because the wordings do not reach), the broker names the residual exposure to the client in writing so the client can decide how to manage it.
A guide for clients on the cyber-PI overlap, on the firm’s website. Sector cluster pages for IT consultancies and managed service providers covering the cyber-PI question. Proposal-form library entries covering the cyber and PI forms together. Plain-English briefing notes on the notification regimes and on the regulatory cost types.
The best cyber-PI pieces specify the cost type — they distinguish between the firm’s own loss, third-party liability, regulatory fines, breach notification costs, customer remediation, and reputational loss. A piece that talks about “cyber cover” or “PI cover” as monolithic categories misses the structure.
The best pieces name a specific sector and follow the loss through both wordings — for an IT consultancy, for a solicitor, for an accountant. Sector specificity earns reader attention because the wordings vary by sector.
The best pieces are honest about the gap problem without descending into scare-marketing. The honest narrative is that the gap is real, brokers are working on it, the market is slowly converging, and the SME buyer needs to be having the conversation with their broker at every renewal.
For media enquiries: Matt Bartlett, Director — matthew.bartlett@apexinsurancebrokers.co.uk — 0117 325 0027. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Trading address: QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ.
Last reviewed: June 2026.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.