A software development consultancy in the Thames Valley is engaged to design, build and host a customer-facing portal for a UK lender. Twelve months after go-live, an attacker exploits a misconfigured cloud storage bucket in the consultancy's hosting setup and exfiltrates around 180,000 records of customer personal and financial data. Within seventy-two hours the lender has notified the Information Commissioner's Office, within ten days it has begun affected-customer notification, within three weeks it has retained breach-response counsel, and within four months it has issued a letter before action to the consultancy claiming for the breach notification costs, the credit monitoring it offered to affected customers, the regulatory engagement costs, the reputational damage, and an estimated portion of a fall in new business it attributes to the breach. Total claim value: approximately £2.1m.
The consultancy's broker is on the phone the next morning with two questions. Which policy responds — Professional Indemnity, or cyber, or both? And what is the order of play between them?
Those two questions are the heart of the modern UK technology insurance market. The answer involves two distinct products that do different things, that are often bought together, that are sometimes written into a single combined policy and sometimes into two separate ones, and where the precise mapping between them matters when the claim arrives.
This article is for founders, CTOs and operations leads at UK software development consultancies and managed-service firms. It assumes you have read our IT professionals PI guide for context on PI as a product; this piece focuses on the PI/cyber boundary specifically.
The two products, briefly
Professional Indemnity (PI), in the tech market also called tech E&O for "errors and omissions", is a third-party civil liability policy. It responds when a client or third party makes a claim against your firm alleging financial loss caused by your professional services — negligent design, defective code, errors in delivery, breach of contract in respect of professional services, IP infringement, breach of confidence. The trigger is a claim. The policy pays defence costs and damages or settlement up to the policy limit.
Cyber liability insurance is, in modern UK wordings, two policies stitched together. The first-party section responds to your own costs of a cyber incident — forensic investigation, incident response, system restoration, business interruption to your firm, ransomware response, breach notification costs, crisis-management public relations. The trigger is the incident, not a claim. The third-party section responds to civil claims brought against your firm arising from a cyber incident — typically by data subjects, by clients whose data or systems were affected, or by regulators in respect of recoverable defence costs (not fines, which are uninsurable).
PI is about your professional services going wrong. Cyber is about a digital incident — whether at your firm or at a client's firm under your control — and its consequences.
In a clean world the two are crisply separable. In the real world they overlap, particularly for software consultancies whose professional services consist of building and operating systems that handle data.
The overlap problem — and the four answers the market gives it
When a software firm's negligent professional services cause a cyber incident at a client which then causes a civil claim, both policies are potentially in play. The market has four ways of handling this.
The combined wording. Some specialist insurers — including a number of the Lloyd's syndicates active in UK tech, and several of the international carriers writing UK-based tech firms — sell a single combined "tech E&O and cyber" policy under one schedule, with internal sections allocating each loss type to the right pot and a single aggregate limit (or, in higher-end versions, with separately allocated limits per section). The internal carve-up is invisible to the insured: you have one policy, one renewal, one excess on each loss, and one claim notification process.
Separate policies from the same insurer. Some insurers prefer to write tech PI and cyber on two separate wordings — sometimes for regulatory reasons, sometimes for distribution reasons — but designed to nest cleanly. Notifications go to the same claims team, the policies share definitions where it matters, and there is no risk of one policy denying responsibility on the basis that the other policy is in play.
Separate policies from different insurers. This is the area where the broker's work matters most. Two different insurers, two different wordings, two different definitions of "claim", two different definitions of "cyber event", and the very real possibility of a coverage gap — a claim that falls between the two — or a coverage overlap with "other insurance" clauses pushing responsibility back and forth. The broker's job in this structure is to read both wordings carefully against one another, to negotiate any wording variations needed, and to document the intended nesting in writing.
No cyber at all (PI only). A surprising number of UK software firms — particularly smaller and contractor firms — still buy only PI and rely on it for any technology-related dispute. This works imperfectly: tech PI policies normally include some cyber-related cover (most commonly, defence and damages for third-party claims arising from breach of personal data) but typically exclude the firm's own first-party costs of an incident affecting its own systems, exclude ransom payments, and may exclude or sub-limit cover where the incident arose from a state-actor attack or a war exclusion is triggered. PI-only is a workable choice for some low-data-handling firms; it is increasingly hard to justify for any firm that processes meaningful client personal data or operates client-facing systems.
Worked example — back to the breach
Take the breach scenario from the opening of this article. The consultancy has both PI and cyber, bought from the same insurer on combined-but-separate wordings.
The breach is detected. Within hours the consultancy notifies its cyber insurer; an incident response retainer kicks in; forensic investigators are engaged. The cyber policy pays for the investigation (around £85,000 over six weeks), pays for the breach notification process (around £40,000 to a specialist notification provider managing the affected-individual letters and the helpline), pays for credit monitoring offered to affected individuals (around £180,000), and pays the legal fees for engagement with the ICO investigation (around £55,000). The ICO opens an investigation but does not, in the end, issue a monetary penalty notice. If it had, the fine itself would be uninsurable.
In parallel, the lender notifies the consultancy of a civil claim. The cyber insurer's claims team allocates it to the cyber policy's third-party section initially because the trigger is a cyber incident, but as the claim develops it becomes clear that the cause of action is professional negligence — failure to configure the cloud bucket correctly, failure to implement reasonable access controls, failure to follow the consultancy's own security baselines. The claim is reallocated to the PI policy under the same insurer's claims team, which is straightforward because both wordings were written to nest.
Defence costs over the next nine months total around £220,000. The matter settles at £1.4m. PI pays £1.4m of damages and the £220,000 of defence costs less the £25,000 excess.
If the policies had been with different insurers, the reallocation question would have involved two claims teams, two reservation-of-rights letters, and potentially a coverage dispute requiring policy interpretation. The eventual outcome would likely have been the same but the friction, the legal cost of resolving the cover question, and the time consumed would have been materially higher.
What sits on the PI side
The categories of loss that should, in a well-structured programme, fall on PI rather than cyber are:
Defence and damages on a civil claim alleging the firm's professional services were negligent or in breach of contract, even where the consequences include a data incident. The cause of action is the negligence; the data incident is the consequence.
Defence and damages on a claim alleging intellectual property infringement in the code or content the firm delivered. This includes open-source licence non-compliance and, increasingly, disputes over whether AI-assisted output incorporated material from training data without an enforceable licence.
Defence and damages on a claim alleging breach of confidence — for example, where confidential information shared by the client in the engagement is alleged to have been improperly used or disclosed, separate from any data-protection claim.
Defence and damages on a breach-of-contract claim relating to deliverables, acceptance, scope, timeline or service levels — the bread-and-butter project-dispute category.
Defence and damages on a claim by one client alleging the firm's negligence in serving another client affected the first client's interests — a less common but recurring category, particularly in managed-service settings.
What sits on the cyber side
The categories of loss that should fall on cyber rather than PI are:
The firm's own first-party costs of investigating, containing and remediating a cyber incident — forensic experts, incident response retainers, replacement infrastructure, secure rebuild.
The firm's own business interruption — loss of revenue and additional operating cost while the firm's own systems are offline or compromised.
Breach notification costs to affected data subjects, including legal advice on notification obligations, the cost of the notification process itself, and any credit monitoring or identity protection services offered.
Ransom and extortion response — with the important caveat that paying a ransom to a sanctioned entity or in a sanctions-affected jurisdiction is illegal under UK law and the policy will not (and cannot) indemnify it. Insurers' ransomware sections are now closely managed, with sanctions screening, payment intermediation by specialist providers, and an increasing market expectation that backups and incident-response readiness reduce reliance on ransom payment.
Cyber crime cover, where extended — fraudulent funds transfer, social engineering fraud, invoice manipulation fraud — typically with low sub-limits because of the high frequency in the small-business market.
Regulatory defence costs — the legal and consultancy costs of engaging with an ICO investigation, again excluding the fine itself which is uninsurable as a matter of UK public policy.
Crisis-management public relations — specialist PR support during the public-facing phase of an incident.
Where the boundary genuinely is unclear
Three areas remain genuinely unclear in the UK market and deserve broker attention at every renewal.
The claim against the supplier that "originates" in a cyber event. Modern policies handle this differently. Some allocate the entire claim to whichever section is triggered first; some apportion by cause; some leave it to the claims team to determine in good faith. The right question to ask your broker is not "which policy pays" but "if there is any doubt, which insurer's claims team has the final say, and is that the same team as the other policy section?"
Cyber events caused by third-party software in the supplier's stack. Modern software firms typically deliver client systems built on top of third-party platforms, libraries and SaaS dependencies. When the cause of a cyber incident is a vulnerability in one of those upstream components (a SolarWinds-pattern supply chain attack, a Log4Shell-style library vulnerability) the question of whether the supplier's professional services were negligent is a separate question from whether the incident is covered. Most modern wordings cover the cyber response either way; the PI side depends on whether reasonable professional standards required the supplier to detect, mitigate or disclose the underlying risk.
Generative AI in the delivery chain. Where production code includes meaningful AI-assisted output, two cover questions arise. First, IP infringement risk (PI side) if the output reproduces protected material — most major insurers have not introduced express AI-output exclusions, but several have issued clarifying endorsements. Second, error-in-output risk (PI side) if undetected hallucinations enter production code — covered in principle, subject to whether the firm followed reasonable engineering practice in code review. Firms making material use of generative AI in delivery should declare it at renewal so the wording responds as intended.
How the buy-decision typically goes
For a UK software development consultancy in 2026, the structured way to think about the PI/cyber question is as follows.
Decide first whether you process meaningful personal data on behalf of clients or operate client-facing systems. If you do, you need cyber alongside PI — the question is not whether but how much. If you do not (you build software that runs entirely on the client's infrastructure, you have no production hosting role, you handle no client personal data), you may be able to get away with PI only plus a relatively small cyber sub-limit, though even then enterprise clients will increasingly require standalone cyber.
Decide second whether you want a combined policy or two policies. A combined policy from a single insurer is simpler at renewal, simpler at notification, and removes the inter-policy gap risk. Two policies from different insurers may give you better terms on one side or the other, but they require careful broker attention to the nesting. Most UK software firms below £20m of turnover sit comfortably with a combined policy; larger firms more often split.
Decide third on the limits. PI limits should be sized as discussed in the pillar guide — by reference to contractual minima and worst-case engagement exposure. Cyber limits should be sized by reference to the volume of personal data you handle, the criticality of the systems you operate for clients, and the regulatory environment of your client base. As a rough orientation in the current UK market, a small software firm processing modest volumes of client personal data might hold £1m of cyber; a mid-sized firm operating client production systems and handling six-figure record counts typically holds £2m to £5m; firms in regulated sectors hold more.
Decide fourth on the excesses. Cyber retentions tend to run higher than PI retentions in percentage terms because cyber events tend to involve high first-party cost regardless of fault — £10,000 to £50,000 cyber excesses are common for SMEs, £50,000 to £250,000 for larger firms. The right balance depends on your operational resilience and your ability to absorb the first wave of incident costs internally.
The contract-side consequences
The PI/cyber question also flows through into your client contracts. Most modern enterprise MSAs now require the supplier to maintain both PI and cyber at stated minimum limits, with both policies named as continuing obligations after termination. Some MSAs go further and require that the supplier's policies name the client as additional insured or note the client's interest — a request that broker negotiation can usually accommodate but which has a cost. Some go further still and require evidence of cover renewal annually, sometimes with thirty days' advance notice of any material change in terms.
Three contract drafting points are worth being awake to. First, the liability cap interaction: where the MSA caps the supplier's liability at, say, fees paid in the preceding twelve months, that cap usually applies to all forms of liability collectively, which means a single significant breach can exhaust the cap regardless of whether PI or cyber is the responding policy. Second, the personal data carve-out: many MSAs now carve personal data losses out of the general liability cap, leaving uncapped exposure on that head — your cyber policy needs to be sized accordingly. Third, the regulatory fines question: where an MSA requires the supplier to indemnify the client for regulatory fines arising from the supplier's breach, that indemnity is itself uninsurable on the supplier side because the underlying fine is uninsurable; the supplier's only protection is to resist the clause or limit it.
These are the kind of points we work through with clients during renewal and during MSA negotiation. PI and cyber are insurance products, but they are also contract documents that interact closely with the client contracts they sit behind.
How Apex helps
Apex is an independent FCA-authorised insurance broker. We act for our clients in placing PI and cyber cover with the insurance market — we are not tied to any one insurer, we do not have quota arrangements that would skew our advice, and we do not have our own policy wording. What we do is take your renewal information, present it to the insurers we think will price your particular profile sensibly, negotiate terms, and explain the nesting between PI and cyber so you can see how the two policies will respond together when something goes wrong.
That work matters most at the point a claim arrives. A policy programme that looked elegantly stitched together at renewal can come apart at notification if the wordings were not carefully cross-read. We try to do that cross-reading at the time we recommend the cover, not at the time you need it to respond. Information on how we are remunerated and on our regulatory status is on our Terms of Business page; how we handle personal data in the course of placing your cover is in our Privacy notice; and the route for raising any concerns is on our Complaints page.
If you have a PI or cyber renewal coming up, or if you are negotiating an MSA with insurance schedules you need to meet, see our IT professionals sector page or contact us for a no-commitment conversation.
Frequently asked questions
Is cyber insurance the same as Professional Indemnity for a software firm?
No. They cover different things. PI / tech E&O responds to third-party civil claims alleging financial loss from the firm's professional services. Cyber responds to the firm's own first-party costs of a cyber incident (forensic investigation, breach notification, ransomware response, business interruption) and to third-party liability arising from the incident. For a software development firm that handles client personal data or operates client-facing systems, both products are typically needed and are usually bought together — either as a combined policy or as two separate policies designed to nest.
Will PI cover the cost of notifying customers after a data breach?
Usually not, on a standalone PI policy. Breach notification costs — the cost of writing to affected individuals, the cost of credit monitoring or identity protection offered, the cost of the helpline a notification provider runs — sit on the cyber policy's first-party section, not on PI. Where PI is bought combined with cyber from the same insurer, the combined wording will allocate these costs to the cyber section. PI will respond to the third-party civil claims that follow the breach, not to the firm's own response costs.
Does PI or cyber pay an ICO fine if my firm is fined under UK GDPR?
Neither. Regulatory fines imposed by the ICO are uninsurable in the United Kingdom as a matter of public policy — an insurance contract cannot lawfully indemnify a punitive fine intended to deter the conduct that gave rise to it. Both PI and cyber policies will, however, normally pay the legal and professional costs of defending the ICO investigation, of preparing representations, and of engaging with the regulator, up to the relevant policy limit.
My MSA requires both PI and cyber at £5m each — should I buy one £5m combined policy or two separate £5m policies?
The answer depends on the wording, not the headline number. A combined £5m PI-and-cyber policy may have a single £5m aggregate that the two sections share, or it may have separately ringfenced limits per section — the policy schedule says which. A client MSA requiring "£5m PI and £5m cyber" typically expects two separately responding limits, so a shared-aggregate combined policy may not meet the requirement. A broker reading the MSA against the policy schedule will tell you whether the wording delivers what the contract requires; the right answer for one client and one policy is not necessarily the right answer for another.
What happens if a cyber incident is caused by a third-party library or SaaS dependency in our stack?
The cyber policy will normally respond to the firm's own first-party response costs and any third-party liability regardless of whether the underlying vulnerability sat in the firm's own code or in an upstream component. Whether the PI policy also responds depends on whether the firm's professional services were negligent — whether reasonable professional practice required the firm to detect, mitigate or disclose the upstream risk. Supply-chain attacks of the SolarWinds and Log4Shell variety are now a recognised category in tech insurance underwriting and modern wordings address them, but the specifics differ between insurers.
Are AI-generated code or large language model dependencies excluded from cover?
Most major UK tech PI and cyber wordings written in 2025 and 2026 do not have express exclusions for AI-generated output, but several insurers have introduced clarifying endorsements that should be read carefully. The main risk areas are IP infringement (if AI output reproduces protected material), warranties of originality (if the firm represents deliverables as original work), and errors flowing from undetected AI hallucinations in production code. Firms making material use of generative AI in delivery should declare it at renewal so the wording and any endorsements respond as intended; this is one of the points your broker should walk through specifically.
Can I pay a ransomware demand through my cyber policy?
In principle, yes — most UK cyber policies include ransomware extortion cover, subject to a sub-limit and an excess. In practice it is closely managed. Insurers now require notification before any payment is made, will direct the firm to a specialist payment intermediary that conducts sanctions screening, and will not (and lawfully cannot) indemnify a payment to a sanctioned entity or in a sanctions-affected jurisdiction. The UK government's policy posture also actively discourages ransom payment as a category. Most modern insurer engagement focuses on backup quality, response readiness, and not having to pay rather than on facilitating payment.
Do I need cyber if I only build software that runs on the client's infrastructure?
Less obviously, but still often yes. If you handle no client personal data, host nothing yourself, and have no production operational role, your standalone cyber exposure is genuinely smaller and a strong PI policy with a modest cyber sub-limit may be sufficient. However, your own internal systems still create cyber exposure — your developer laptops, your email, your source control, your client communications — and a ransomware event affecting your own operations is a credible scenario. Most enterprise clients will also require standalone cyber as a contractual condition regardless of your delivery model.
Related guides
- IT professionals PI insurance — UK guide 2026
- IT contractor PI insurance and IR35 context
- IT professionals sector page — speak to a broker
About Apex Insurance Brokers
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FCA firm reference 724952. Registered in England and Wales, Companies House 07014570. Last reviewed: May 2026.
This guide is general information about how Professional Indemnity and cyber liability cover sit alongside each other for UK software development firms and is not advice tailored to any individual firm's circumstances. For advice on your own placement, please contact us.
FAQPage JSON-LD (hand-rolled — add via Yoast Custom Field or theme injection)
{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "Is cyber insurance the same as Professional Indemnity for a software firm?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "No. PI / tech E&O responds to third-party civil claims alleging financial loss from the firm's professional services. Cyber responds to the firm's own first-party costs of a cyber incident — forensic investigation, breach notification, ransomware response, business interruption — and to third-party liability arising from the incident. For a software firm handling client personal data or operating client-facing systems, both products are typically needed and usually bought together."
      }
    },
    {
      "@type": "Question",
      "name": "Will PI cover the cost of notifying customers after a data breach?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Usually not on a standalone PI policy. Breach notification costs — the cost of writing to affected individuals, credit monitoring, the helpline a notification provider runs — sit on the cyber policy's first-party section, not on PI. Where PI is bought combined with cyber from the same insurer, the combined wording allocates these costs to the cyber section. PI responds to the third-party civil claims that follow the breach, not to the firm's own response costs."
      }
    },
    {
      "@type": "Question",
      "name": "Does PI or cyber pay an ICO fine if my firm is fined under UK GDPR?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Neither. Regulatory fines imposed by the ICO are uninsurable in the United Kingdom as a matter of public policy. Both PI and cyber policies will normally pay the legal and professional costs of defending the ICO investigation, of preparing representations, and of engaging with the regulator, up to the relevant policy limit."
      }
    },
    {
      "@type": "Question",
      "name": "My MSA requires both PI and cyber at £5m each — should I buy one combined policy or two separate policies?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "The answer depends on the wording. A combined £5m PI-and-cyber policy may have a single £5m aggregate that the two sections share, or separately ringfenced limits per section — the schedule says which. A client MSA requiring '£5m PI and £5m cyber' typically expects two separately responding limits, so a shared-aggregate combined policy may not meet the requirement. A broker reading the MSA against the policy schedule will tell you whether the wording delivers what the contract requires."
      }
    },
    {
      "@type": "Question",
      "name": "What happens if a cyber incident is caused by a third-party library or SaaS dependency in our stack?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "The cyber policy will normally respond to the firm's own first-party response costs and any third-party liability regardless of whether the underlying vulnerability sat in the firm's own code or in an upstream component. Whether the PI policy also responds depends on whether the firm's professional services were negligent — whether reasonable professional practice required the firm to detect, mitigate or disclose the upstream risk."
      }
    },
    {
      "@type": "Question",
      "name": "Are AI-generated code or large language model dependencies excluded from cover?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Most major UK tech PI and cyber wordings written in 2025 and 2026 do not have express exclusions for AI-generated output, but several insurers have introduced clarifying endorsements. The main risk areas are IP infringement, warranties of originality, and errors flowing from undetected AI hallucinations in production code. Firms making material use of generative AI in delivery should declare it at renewal so the wording and any endorsements respond as intended."
      }
    },
    {
      "@type": "Question",
      "name": "Can I pay a ransomware demand through my cyber policy?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "In principle yes — most UK cyber policies include ransomware extortion cover, subject to a sub-limit and an excess. In practice it is closely managed. Insurers require notification before any payment, will direct the firm to a specialist payment intermediary that conducts sanctions screening, and will not lawfully indemnify a payment to a sanctioned entity or in a sanctions-affected jurisdiction. The UK government policy posture also discourages ransom payment."
      }
    },
    {
      "@type": "Question",
      "name": "Do I need cyber if I only build software that runs on the client's infrastructure?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Less obviously, but still often yes. If you handle no client personal data, host nothing yourself, and have no production operational role, your standalone cyber exposure is smaller and a strong PI policy with a modest cyber sub-limit may be sufficient. However, your own internal systems still create cyber exposure — developer laptops, email, source control — and ransomware affecting your own operations is a credible scenario. Most enterprise clients require standalone cyber as a contractual condition regardless of your delivery model."
      }
    }
  ]
}