Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026
Architects' practices hold something most other professional firms do not: intellectual property that has direct commercial value to third parties. Design files, CAD drawings, planning submissions and BIM models are the productive output of the practice, and they are stored in exactly the collaborative environments that attackers now routinely target. This entry sets out how cyber cover works for an architects' practice, how it fits with ARB and RIBA standards, and where the notification duties sit under UK GDPR.
The Architects Registration Board's Code of Conduct and Practice sets standards of professionalism that include the safeguarding of client interests. Standard 6 addresses trust and confidence; Standard 8 requires adequate insurance. Neither prescribes a cyber policy, but a practice that loses a client's designs to a threat actor or has a live BIM environment ransomed is on notice under both. The RIBA Code of Professional Conduct sits alongside for members and includes duties around competence and integrity.
Under UK GDPR the practice is a data controller for client, employee and consultant personal data — invoicing details, contracts, correspondence with individuals. In BIM-collaborative projects the practice is often a data processor for information hosted on a shared common data environment (CDE), which raises supply-chain questions about liability if the CDE is compromised. A practice that also stores images or drone footage that captures identifiable individuals has additional exposure. The Building Safety Act 2022 has raised the profile of design-liability record-keeping and made the loss of a design audit trail a materially worse outcome than it was five years ago.
Cyber policies for design practices are usually written on the standard bundle. First-party sections respond to breach response and incident management, cyber extortion and ransomware where lawful, business interruption while systems and CDE access are down, data restoration (crucial where CAD or BIM files have been encrypted), and cybercrime for social-engineering fraud on fee payments. Data restoration is a section to read carefully: rebuilding a CAD or BIM model from a scratch is not the same task as recovering a spreadsheet, and the wording should reflect that.
Third-party sections respond to privacy and network security liability, regulatory investigation costs, insurable regulatory fines, and media and content liability. Practices should also check whether IP infringement claims arising from designs modified by an attacker are within cover.
The usual list — state-sponsored acts under the LMA war clauses, prior known circumstances, unpatched critical vulnerabilities, unencrypted portable media, bodily injury and physical property damage. Practices that work with subcontracted CAD technicians or overseas visualisation studios should check the definition of computer system and whether losses arising from a subcontractor's environment are within the policy or need a specific extension.
Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours. Article 34 requires notification to affected data subjects where the risk is high. For an architects' practice the trigger is usually an email compromise or a ransomware event where personal data is encrypted or exfiltrated. DPA 2018 applies where the data is special category. Reporting up to ARB is a separate matter — ARB's Code requires prompt disclosure of matters that affect competence or integrity, and a serious breach of client data may sit there.
PI responds to civil claims arising from professional services. If a client sues the practice because the loss of designs delayed the project or the exfiltration of a competitor-sensitive design caused loss, that is a PI claim. If a threat actor encrypts the practice's servers and the practice has to pay a forensic team and notify the ICO, that is a cyber loss. A specialist broker aligns the two wordings so an event that touches both is covered on both, and checks for cyber-related exclusions that have crept into some design-PI wordings.
Cyber underwriters price on evidence of a small number of practical safeguards. For an architects' practice expect to be asked about multi-factor authentication on the CDE and on Microsoft 365 or Google Workspace; endpoint detection and response on workstations running CAD and BIM software; offline or immutable backups of live project files tested at least annually — not just the CDE's own version history, which an attacker can wipe; a documented patch cadence for Revit, ArchiCAD, AutoCAD or whichever suite the practice uses; staff phishing training that names the suppliers a spoofed invoice is most likely to imitate; and an incident response plan that treats a BIM environment compromise as a project-programme risk, not just an IT one. A practice that has not done the basics will find the data restoration section written narrowly or excluded outright.
Apex Insurance Brokers Limited places cyber cover for architects and design practices alongside PI. We work with Lloyd's syndicates and specialist company markets, review the data restoration wording against the practice's CAD and BIM environments, and check the interaction with the PI wording line by line. Client retention runs at 95%. Commission is disclosed on request under ICOBS 4.4. Apex Insu