Cyber cover versus professional indemnity: where the line falls

~3 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-12

Two products, two different jobs

Professional indemnity insurance and cyber insurance are often bought side by side, but they respond to different events. Professional indemnity answers a third party who alleges the firm was negligent in the professional service it provided. Cyber insurance answers the consequences of a failure of the firm's own information technology and data security, whether that is a ransomware attack, a data breach or a system outage.

The distinction matters because a single incident can look like both. A conveyancing firm that is tricked into sending completion monies to a fraudulent account has suffered a cyber-enabled crime, but the client's loss may also be framed as a failure of professional care. Where the claim lands depends on the wording of each policy, not on how the incident is described in the press.

What professional indemnity covers

A PI policy indemnifies the firm against civil liability to third parties arising from the conduct of the profession - negligent advice, errors in a report, a missed deadline, a defective drawing. It is written on a claims-made basis, meaning the policy in force when the claim is made responds, subject to the retroactive date. For regulated firms such as solicitors, the minimum terms of the professional body set much of the wording.

What cyber covers

Cyber cover is broader than liability. It typically combines first-party costs - incident response, forensic investigation, data restoration, business interruption, and in some wordings ransom payments - with third-party liability for the firm's failure to keep data secure. It also usually funds the regulatory response to a personal data breach, including the cost of managing the Information Commissioner's Office.

The overlap and the gap

Two problems arise at the boundary. The first is double cover: an incident might in principle be claimable under both, which is why insurers write "other insurance" and cyber exclusion clauses to decide which policy pays. The second, and more dangerous, is the gap: an incident that neither policy clearly covers because each assumes the other responds. A negligent act by an IT consultant that also exposes client data can fall between a PI wording that excludes cyber and a cyber wording that excludes professional services.

Mapping that boundary before renewal, rather than after an incident, is the practical value of a broker who reads both wordings together. Apex reviews the two policies as a pair so the exclusions in one are checked against the insuring clauses in the other.

Limits, retentions and how they interact

The two policies also carry different limit structures. A professional indemnity limit is set to reflect the size of claim a negligent piece of work could generate, and for many regulated professions a minimum limit is fixed by the professional body. A cyber limit is set against a different measure - the cost of an incident, the volume of records held, the dependence on systems - and is often much lower than the PI limit even though a serious breach can be just as expensive.

Retentions differ too. A cyber excess may be modest but apply per incident with a waiting period on business interruption, while a PI excess applies per claim. When an incident engages both policies, a firm can face two separate retentions and two separate claims processes at once. Understanding how the two limits and excesses stack is part of building a programme that behaves predictably under pressure rather than one assembled from two products bought in isolation.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation