Notification obligations after a cyber incident: cyber and PI compared

~3 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-12

Three clocks start at once

A cyber incident at a professional firm can start three separate notification clocks, each with a different deadline and a different recipient. Missing any of them carries a distinct consequence, and the firm's insurance response depends on getting all three right.

The regulatory clock - 72 hours

Under Article 33 of the UK GDPR a controller must notify the Information Commissioner's Office of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Article 34 requires notification to the affected data subjects where the risk to them is high. The Data Protection Act 2018 underpins these duties. This clock runs whether or not the firm has any insurance at all.

The cyber policy clock

A cyber policy usually requires notification of an incident as soon as reasonably practicable, and it often channels the firm to a nominated incident-response panel - forensics, legal and public relations - whose costs are only covered if they are engaged through the insurer. Instructing your own advisers first can prejudice the claim. The cyber insurer wants to be in the room while the 72-hour regulatory clock is still running.

The PI policy clock

If the incident could also give rise to a professional-negligence claim - for example an IFA whose exposed client data leads to complaints, or a solicitor facing allegations of breach of confidence - the PI policy's own notification condition is engaged. A PI policy is claims-made: notifying a circumstance that may give rise to a claim protects the firm's position under the policy in force now, even if the claim itself arrives years later.

Getting the sequence right

The practical risk is that a firm dealing with the regulatory deadline overlooks the two insurance notifications, or instructs advisers the cyber insurer will not pay for. The safe course is to notify both insurers immediately and let them coordinate with the ICO response, rather than treating the data-protection duty as the whole story. Apex helps clients notify the right insurers in the right order when an incident could engage both policies.

Documenting the decision not to notify

Not every incident has to be reported to every recipient. The UK GDPR excuses notification to the ICO where a breach is unlikely to result in a risk to individuals, and a minor system glitch may not be a notifiable circumstance under either insurance policy. But the decision not to notify is itself a decision that should be documented, with the reasoning recorded at the time, because it may be scrutinised later if the incident turns out to be more serious than it first appeared.

For claims-made PI cover in particular, a firm that decides an early warning sign is not worth notifying takes a risk: if a claim later emerges from that circumstance after the policy has renewed or the insurer has changed, cover can be lost. The prudent course is to notify circumstances generously and let the insurer decide. Apex helps clients judge what is notifiable and record the reasoning where a borderline incident is not reported.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation