Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026
Independent financial advisers, restricted advisers and financial planning firms hold identifiable personal data at high concentration: national insurance numbers, bank details, pension scheme records, defined benefit transfer files and — in some cases — client money handled under CASS 5. That combination puts advice firms in a familiar position for cyber criminals, and cyber insurance now sits close to PI in the priority list. This entry sets out how cyber cover works for an IFA and how it fits with FCA rules and Consumer Duty expectations.
The FCA's Consumer Duty (PRIN 2A) requires firms to act to deliver good outcomes for retail customers and to avoid causing foreseeable harm. A material data breach involving personal data or client money is a textbook foreseeable harm. FCA rules on client money and client assets — CASS 5 for insurance client money and equivalent CASS rules for investment business — set specific duties around segregation, records and reconciliation that a cyber event can quickly compromise. SUP 15.3.1R requires notification of matters likely to be of material significance to the FCA; a serious breach usually meets that test.
Under UK GDPR every advice firm is a data controller for client, employee and prospect personal data. Pension transfer files, particularly historic defined benefit transfer files, are a durable exposure — the ICO has taken action against firms that lost DB transfer data years after the advice event. The DPA 2018 sits behind the UK GDPR.
Cyber policies for IFAs are usually written on the standard bundle. First-party sections respond to breach response and incident management, cyber extortion and ransomware where lawful and consistent with UK sanctions rules, business interruption while systems are down, data restoration, and cybercrime for social-engineering fraud on client payments and transfers. The cybercrime section is where diverted-payment fraud responds — the pattern of a compromised paraplanner mailbox followed by a spoofed change-of-bank-details instruction is now well documented.
Third-party sections respond to privacy and network security liability, regulatory investigation costs (ICO and FCA), insurable regulatory fines, and media and content liability. The interaction with FCA CASS obligations matters — a firm holding client money under CASS 5 needs to know the wording will respond to a client money reconciliation event caused by a cyber attack.
The usual list — state-sponsored acts under the LMA war clauses, prior known circumstances, unpatched critical vulnerabilities, unencrypted portable media, bodily injury and physical property damage. Some cyber wordings exclude losses arising from advice or the exercise of professional judgement — a fair carve-out that keeps cyber and PI in their lanes, but one that needs checking so that a cyber-triggered failure of an advice-related control is not left uncovered.
Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours. Article 34 requires notification to affected data subjects where the risk is high. For an IFA the trigger is usually a mailbox compromise or an exfiltration event. DPA 2018 applies where the data is special category. FCA notification runs in parallel: SUP 15.3.1R for matters of material significance and the Consumer Duty obligation to consider harm to retail customers. Firms holding client money under CASS 5 have separate reporting obligations if a reconciliation is affected.
PI responds to civil claims arising from advice. If a client sues the firm because a data breach caused a financial loss (a redirected pension payment, say, or misuse of a DB transfer report), that is a PI claim. If the firm has to fund a forensic team, notify the ICO and the FCA and rebuild records, that is a cyber loss. A specialist broker aligns the two wordings and checks the interaction with FCA rules so an event that touches both is handled without a gap.
Cyber underwriters price on evidence of a small number of practical safeguards. For an IFA expect to be asked about multi-factor authentication on the practice's back-office system, on remote access and on every cloud service holding client data; endpoint detection and response on every machine including paraplanners' laptops; offline or immutable backups of client files and DB transfer records tested at least annually; a documented patch cadence for the back-office system and Windows workstations; strict change-of-bank-details procedures with dual verification (call-back to a known number, never to the number in the email); staff phishing training with particular emphasis on adviser and paraplanner impersonation patterns; and a documented incident response plan that names the FCA notification path and the CASS-implications trigger. A firm that has not done these will struggle to place a competitive quote in the current market.
Apex Insurance Brokers Limited places cyber cover for financial advice firms alongside PI. We work with Lloyd's syndicates and specialist company markets, review the cybercrime sub-limit against the firm's client payment volume, and check the interaction with the PI wording and FCA obligations line by line. Client retention runs at