Ransomware · Professional firms
Ransomware and UK professional firms
Reviewed by Matthew Bartlett, Director, Apex Insurance Brokers Limited (FCA FRN 724952) · Published 15 July 2026
Ransomware attacks on UK professional firms have become routine. The interaction between PI, cyber, and business interruption cover matters — and most firms miss part of it.
What ransomware costs a professional firm
- Ransom payment (if paid) — often £50k-£500k+.
- Forensic investigation and remediation — typically £100k+.
- Business interruption — lost fees, staff time, deferred billings.
- Client notification and remediation obligations.
- ICO reporting and potential fines.
- Legal and PR support.
PI vs cyber — where the boundaries lie
PI generally covers professional error resulting in third-party financial loss — a ransomware event may not qualify unless client data was compromised and negligence caused it.
Cyber cover picks up: ransom, forensics, business interruption, breach notification, ICO defence, PR crisis management.
Overlap where client data compromised through professional negligence — both policies may respond.
Standalone cyber cover is materially cheaper than the combined potential loss.
ICO reporting obligations
- Personal data breach: 72-hour notification requirement to ICO.
- High-risk breach: also notify data subjects.
- Failure to notify: penalties up to £8.7m or 2% global turnover.
- Preserve evidence — forensics matters for both cyber claim and ICO defence.
Practical steps
- Do not pay ransom without insurer consent and legal advice.
- Preserve forensic evidence — do not restore from backup until preserved.
- Notify cyber insurer within 24 hours; PI insurer within notification-clause deadline.
- Instruct panel breach counsel where cyber policy provides.
- Comply with ICO 72-hour clock — do not delay to complete investigation.
Frequently asked
Should we buy cyber if we already have PI?
Yes. PI rarely covers ransom, forensics, business interruption, or ICO defence adequately.
Is it legal to pay a ransom?
Generally yes in UK law, though OFAC sanctions considerations apply if the attacker is on a US sanctions list. Legal advice is essential.
How much cyber cover is standard?
£250k-£2m for professional firms. Higher for firms handling regulated client data or client money.
What if we self-insure the ransom?
Consider: forensics, business interruption, ICO defence and client remediation costs are often larger than the ransom itself.
Does the insurer decide whether we pay?
Insurers usually reserve the right to decline ransom-payment cover if the payment doesn't meet policy conditions. Broker involvement essential.
What about attorney-client privilege?
Communications with breach counsel typically privileged. Log-file forensics may not be. Legal advice matters early.
Related
- Cyber insurance for professional firms
- GDPR ICO fines and PI implications
- Cyber-PI overlap under SRA MTC
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. Registered in England and Wales, company number 07014570.