Cyber insurance for engineers — 2026 guide for UK engineering consultancies

Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026

Engineering consultancies — civil, structural, mechanical, electrical, geotechnical — hold intellectual property that has direct commercial value, safety-critical documentation that carries a public interest, and personal data on clients and employees. That combination puts consultancies in a durable position for cyber criminals, and the Building Safety Act 2022 has raised the stakes on the safety-critical documentation piece specifically. This entry sets out how cyber cover works for an engineering consultancy and how it fits with Engineering Council institutional standards.

Why engineering consultancies need cyber cover

The Engineering Council's Statement of Ethical Principles sets expectations around honesty, integrity, respect for life and law, accuracy and rigour, and leadership. Members of the professional institutions — ICE, IStructE, IMechE, IET among them — sit within Codes of Conduct that require the safeguarding of client interests. Loss of design records, project data or client-identifying information puts a member on notice under those codes.

Under UK GDPR every consultancy is a data controller for client, employee and consultant personal data. Consultancies working on higher-risk buildings under the Building Safety Act 2022 need to keep a golden thread of safety-critical information; the loss of that thread through a ransomware event is a materially worse outcome than losing ordinary project files, because the statutory duty to reconstruct it falls on the dutyholder. Consultancies engaged on critical national infrastructure may sit within the NIS Regulations 2018 or be subject to contractual cyber security requirements from the operator.

What an engineering cyber policy typically covers

Cyber policies for engineering consultancies are usually written on the standard bundle. First-party sections respond to breach response and incident management, cyber extortion and ransomware where lawful, business interruption while systems are down, data restoration (crucial where design files or safety-critical documentation have been encrypted), and cybercrime for social-engineering fraud on fee payments and progress claims.

Third-party sections respond to privacy and network security liability, regulatory investigation costs, insurable regulatory fines, and media and content liability. Consultancies working on safety-critical projects should also check whether IP theft cover extends to the loss of design outputs that end up in a competitor's submission, and whether the data restoration section is written broadly enough to fund a full rebuild of a golden-thread record.

What is typically excluded

The usual list — state-sponsored acts under the LMA war clauses, prior known circumstances, unpatched critical vulnerabilities, unencrypted portable media, bodily injury and physical property damage. Bodily injury and property damage exclusions matter for engineering firms because so many claims scenarios involve a physical outcome. Where a cyber event on a control system could cause physical damage (a hacked pump station, say) the interaction between cyber, PI and public liability needs careful mapping; specialist wordings for operational-technology exposures exist and may be worth negotiating in.

The UK GDPR notification clock

Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours. Article 34 requires notification to affected data subjects where the risk is high. For an engineering consultancy the trigger is usually a mailbox compromise or a ransomware event where client personal data is encrypted or exfiltrated. DPA 2018 applies where the data is special category. Where the consultancy is engaged on infrastructure that sits inside NIS Regulations 2018, separate operator notification duties may run in parallel.

Cyber versus PI — where they overlap and where they do not

PI responds to civil claims arising from professional services — a client suing the consultancy because the loss of design records delayed the project or the theft of designs caused loss. Cyber responds to the response itself: forensics, ICO notification, ransomware negotiation, rebuild of records, communications to affected parties. A specialist broker aligns the two wordings so an event that touches both is covered on both, and checks whether cyber-related exclusions have crept into the PI wording.

Controls that underwriters look for in an engineering consultancy

Cyber underwriters price on evidence of a small number of practical safeguards. For an engineering consultancy expect to be asked about multi-factor authentication on remote access, on shared drives holding design and safety-critical documentation, and on any operational-technology environments the practice interacts with; endpoint detection and response on every machine including those used in the field; offline or immutable backups of design and calculation records tested at least annually; a documented patch cadence for calculation and modelling software and for any specialist engineering platforms; separation of design environments from general office IT where practicable; staff phishing training with particular emphasis on subcontractor and supplier impersonation; and an incident response plan that flags any project sitting inside the Building Safety Act 2022 higher-risk regime so the notification cascade to the dutyholder starts on day one.

How Apex handles engineering cyber cover

Apex Insurance Brokers Limited places cyber cover for engineering consultancies alongside PI. We work with Lloyd's syndicates and specialist company markets, review the data restoration wording against the consultancy's design and record-keeping obligations, and check the interaction with the PI wording line by