Ransomware · Professional firms

Ransomware and UK professional firms

Reviewed by Matthew Bartlett, Director, Apex Insurance Brokers Limited (FCA FRN 724952) · Published 15 July 2026

Ransomware attacks on UK professional firms have become routine. The interaction between PI, cyber, and business interruption cover matters — and most firms miss part of it.

What ransomware costs a professional firm

PI vs cyber — where the boundaries lie

PI generally covers professional error resulting in third-party financial loss — a ransomware event may not qualify unless client data was compromised and negligence caused it.

Cyber cover picks up: ransom, forensics, business interruption, breach notification, ICO defence, PR crisis management.

Overlap where client data compromised through professional negligence — both policies may respond.

Standalone cyber cover is materially cheaper than the combined potential loss.

ICO reporting obligations

  1. Personal data breach: 72-hour notification requirement to ICO.
  2. High-risk breach: also notify data subjects.
  3. Failure to notify: penalties up to £8.7m or 2% global turnover.
  4. Preserve evidence — forensics matters for both cyber claim and ICO defence.

Practical steps

  1. Do not pay ransom without insurer consent and legal advice.
  2. Preserve forensic evidence — do not restore from backup until preserved.
  3. Notify cyber insurer within 24 hours; PI insurer within notification-clause deadline.
  4. Instruct panel breach counsel where cyber policy provides.
  5. Comply with ICO 72-hour clock — do not delay to complete investigation.

Frequently asked

Should we buy cyber if we already have PI?
Yes. PI rarely covers ransom, forensics, business interruption, or ICO defence adequately.
Is it legal to pay a ransom?
Generally yes in UK law, though OFAC sanctions considerations apply if the attacker is on a US sanctions list. Legal advice is essential.
How much cyber cover is standard?
£250k-£2m for professional firms. Higher for firms handling regulated client data or client money.
What if we self-insure the ransom?
Consider: forensics, business interruption, ICO defence and client remediation costs are often larger than the ransom itself.
Does the insurer decide whether we pay?
Insurers usually reserve the right to decline ransom-payment cover if the payment doesn't meet policy conditions. Broker involvement essential.
What about attorney-client privilege?
Communications with breach counsel typically privileged. Log-file forensics may not be. Legal advice matters early.

Related

Speak to a specialist broker
Get a considered PI quote from Apex
Get a quote Speak to a broker
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. Registered in England and Wales, company number 07014570.