Cyber insurance for insurance brokers — 2026 guide for UK intermediaries

Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026

Insurance brokers hold policyholder personal data at concentration, take client instructions and handle premium money under CASS 5, and act as the trusted intermediary between insureds and insurers. That combination puts brokers in an unusual position on the cyber map — the firm is both a data controller with obligations to its clients and a regulated firm with obligations to the FCA. This entry sets out how cyber cover works for a brokerage and how it interacts with the firm's PI cover and its FCA-regulated status.

Why insurance brokers need cyber cover

The FCA's Consumer Duty (PRIN 2A) requires brokers to act to deliver good outcomes for retail customers and to avoid causing foreseeable harm. A material data breach involving policyholder data or premium money is a textbook foreseeable harm. CASS 5 sets specific duties around client money — segregation, reconciliation, statutory trust — that a cyber event can quickly disrupt. MIPRU 3 requires PI cover for the firm; a serious cyber event that becomes a client claim will fall on that PI wording, which is why the interaction between cyber and PI matters more for brokers than for many other professions.

SUP 15.3.1R requires notification to the FCA of matters likely to be of material significance; a serious breach usually meets that test. Firms also submit regular regulatory data through the FCA's regulatory data platform (RegData, formerly Gabriel) and a cyber event that disrupts reporting is itself a compliance question. Under UK GDPR every brokerage is a data controller for policyholder, employee and prospect personal data. The DPA 2018 applies where the data is special category — some commercial and personal lines involve health or biometric data that fall inside.

What a brokers' cyber policy typically covers

Cyber policies for brokers are usually written on the standard bundle. First-party sections respond to breach response and incident management, cyber extortion and ransomware where lawful and consistent with UK sanctions rules, business interruption while systems are down, data restoration, and cybercrime for social-engineering fraud on premium payments. The cybercrime section matters particularly for brokers handling risk-transfer or non-risk-transfer client money — a fraudulent instruction that diverts premium away from an insurer is a CASS event as well as a commercial loss.

Third-party sections respond to privacy and network security liability, regulatory investigation costs (ICO and FCA), insurable regulatory fines, and media and content liability. The interaction with the firm's MIPRU 3 PI cover is where most of the negotiation goes — a client claim following a breach usually sits on PI, but the response costs sit on cyber.

What is typically excluded

The usual list — state-sponsored acts under the LMA war clauses, prior known circumstances, unpatched critical vulnerabilities, unencrypted portable media, bodily injury and physical property damage. Brokers should pay particular attention to two exclusions. First, professional services carve-outs that could push a client claim off cyber and onto PI — fine if the PI wording will respond, less fine if the PI wording has its own cyber exclusion. Second, dishonest-employee exclusions that could catch a compromised employee credential used to authorise a fraudulent transfer.

The UK GDPR notification clock

Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours. Article 34 requires notification to affected data subjects where the risk is high. For a broker the trigger is usually a mailbox compromise, a ransomware event or an exfiltration event confirmed by a threat actor's leak site. DPA 2018 applies where the data is special category. FCA notification runs in parallel — SUP 15.3.1R for matters of material significance and the Consumer Duty obligation to consider harm to retail customers. Where CASS 5 client money is affected, a further set of reporting obligations applies.

Cyber versus PI — where they overlap and where they do not

The firm's MIPRU 3 PI cover responds to civil claims arising from the firm's activities as a broker — a client suing because a policy was misplaced, a claim was mishandled or a breach led to a financial loss. Cyber responds to the response itself: forensics, ICO notification, FCA notification, ransomware negotiation, client communications and CASS remediation. A specialist broker aligns the two wordings so an event that touches both is handled by both without argument, and checks whether cyber-related exclusions have crept into the PI wording.

Controls that underwriters look for in a brokerage

Cyber underwriters price on evidence of a small number of practical safeguards. For a broker expect to be asked about multi-factor authentication on remote access, on the broker system (Acturis, Applied Epic or equivalent), and on any insurer-hosted portal the firm uses; endpoint detection and response on every machine; offline or immutable backups of client records and CASS reconciliations tested at least annually; a documented patch cadence for broker software; dual-verification on any change to a client's bank details or insurer premium routing; staff phishing training that reflects broker-specific impersonation patterns; and an incident response plan that names both the ICO and FCA notification paths and includes a specific CASS-implications checkpoint. A firm that has not done these will find the cybercrime section either stripped out or heavily sub-limited.

How Apex handles brokers' cyber cover

Apex Insurance Brokers Limited places cyber cover for other UK insurance intermediaries alongside PI, from sole-trader appointed representatives through to directly authorised principals. We work with Lloyd's syndicates and specialist company markets, review the interaction with MIPRU 3 PI and CASS 5 obligations, and check the wording against the firm's typical premium flow and client money profile. Client retention runs at 95%. Commission is disclosed on request under ICOBS 4.4. Apex Insura