Cyber exclusions in professional indemnity wordings

~3 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-12

Why PI wordings now exclude cyber

Following the market move to affirmative cyber, most professional indemnity policies now carry an express cyber exclusion. The purpose is to make clear that first-party cyber loss and pure data-security liability belong in a cyber policy, not in the PI policy, so that neither the firm nor the insurer is relying on silence. The exclusion is not, in itself, a reduction in real cover if a cyber policy picks up what it removes.

The clause families

Underwriters commonly attach standardised clauses published by the Lloyd's Market Association, such as the LMA5400 and LMA5401 cyber exclusion series, sometimes with a write-back. The breadth of these clauses varies. A tightly drafted exclusion removes only losses arising from a cyber act or cyber incident. A broad one can extend to any loss "arising from or in connection with" the use of computer systems - which, read literally, could touch almost any modern professional service.

The write-back that matters

For professional firms the critical feature is a write-back preserving cover for professional negligence even where technology is involved. Without it, a broad exclusion could defeat a genuine negligence claim simply because a computer was used to deliver the advice. An architect whose defective design was produced in CAD software, or an IT consultant whose negligent configuration caused loss, needs the wording to catch the negligence and exclude only the cyber-security exposure.

Reading the exclusion properly

The right questions to ask of any cyber exclusion are: does it define "cyber act" and "cyber incident" narrowly; does it carve back professional services; and does it align with the insuring clause of the firm's cyber policy so nothing falls between the two? A firm can hold two policies that each assume the other responds, and discover the gap only at claim.

The broker's role

Comparing exclusion wordings across insurers, and checking each against the matching cyber policy, is detailed work that rewards a careful read. Apex reviews the cyber exclusion and any write-back in a PI wording against the firm's cyber cover so the boundary is deliberate rather than accidental.

Comparing exclusions across insurers

Because there is no single mandated form, cyber exclusions vary noticeably between insurers even where they start from the same LMA base clause. One insurer may attach a narrow exclusion with a full professional-services write-back; another may use a broad "arising from or in connection with" formulation with no carve-back at all. Two policies offering apparently similar cover at a similar price can therefore behave very differently when a technology-related claim arrives.

This is precisely the kind of difference that is easy to miss on a summary and expensive to discover at claim. Reading the actual clause, not the marketing summary, is the only reliable way to know how a wording treats a cyber-adjacent negligence claim. Apex compares the exclusion language across the insurers it approaches for a professional firm, and sets out in plain terms how each would treat the claims the firm is most likely to face.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation