Combining cyber and professional indemnity for professional firms

~3 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-12

Two policies, one exposure map

The sensible way to think about cyber and professional indemnity is not as two separate purchases but as one exposure map served by two policies. The goal is that every plausible incident lands cleanly in one policy or the other, with no gap where each assumes the other responds and no wasteful double cover.

Start with the incidents, not the products

The exercise begins by listing the incidents a firm actually faces: a ransomware attack, a data breach caused by a technical compromise, a data breach caused by human error, a negligent piece of professional work, a fund-transfer fraud, a system outage that causes a missed deadline. For each, the question is which policy pays - and the answer should be written down before renewal, not discovered at claim.

Aligning the wordings

Alignment means checking that the cyber exclusion in the PI policy matches the insuring clause of the cyber policy, so that what one removes the other grants. It means confirming that professional-negligence claims with a technology element are written back into the PI cover. And it means checking the "other insurance" clauses so the two insurers do not each stand behind the other. A solicitor or surveyor holding both policies should be able to point at any incident and name the insurer that answers it.

Coordinating the response

When an incident engages both policies, the response has to be coordinated. The cyber insurer's incident-response panel, the PI insurer's claims team and the firm's data-protection obligations all move at once, and instructions given to the wrong adviser at the wrong moment can prejudice a claim. Planning the sequence in advance - who is notified, in what order, through whom - turns a chaotic week into a managed one.

The value of reading them together

Placing cyber and PI with an eye to how they interact is detailed work, and it is where a professions-focused broker earns its keep. Apex reviews the two wordings as a pair, maps the exposures against them, and sets out where each responds, so a firm is not left arguing the boundary after an incident has already happened.

Reviewing the pair at every renewal

Alignment is not a one-off exercise. PI and cyber usually renew on different dates and with different insurers, and a change to either wording at renewal can open a gap that did not exist the year before. A cyber insurer tightening its social-engineering sub-limit, or a PI insurer broadening its cyber exclusion, can shift the boundary without the firm noticing until a claim tests it.

The discipline that keeps the programme sound is to review the two wordings together each time either renews, rather than treating each renewal as an isolated event. For a professional firm carrying both covers, that joined-up review is the difference between a programme that responds predictably and one that turns out, at the worst possible moment, to have a hole in the middle. Apex builds that combined review into how it looks after a professional firm's insurance from one year to the next.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation