Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026
IT consultancies, managed service providers and technology contractors carry the highest cyber exposure of any of the professions Apex serves. The reason is structural: consultancies hold production credentials for their clients' systems, deploy code that runs in client environments, host client data on shared infrastructure, and act as the gateway that attackers now target explicitly to reach downstream victims. This entry sets out how cyber cover works for a technology consultancy and how it fits with technology PI — the two products intersect closely and the interaction is where most claims disputes happen.
Every UK consultancy is a data controller for its own personal data and, in most engagements, a data processor for the client's data. UK GDPR obligations under Articles 28 and 32 impose specific duties on processors, including appropriate technical and organisational measures. A supply-chain compromise — the pattern where a consultancy's environment is used as the vector into client tenants — has become one of the most damaging failure modes on the market, and the ICO has taken enforcement action against processors as well as controllers.
Consultancies acting as relevant digital service providers sit within the NIS Regulations 2018 for particular services. The Consumer Duty (PRIN 2A) does not usually apply directly to a B2B consultancy, but where the consultancy serves regulated clients its own security posture becomes a controls question for those clients under Consumer Duty and SYSC. The Building Safety Act 2022 has raised the profile of golden-thread record-keeping for construction technology, and consultancies supplying digital-twin or asset-management systems now inherit some of that exposure through their contracts.
Cyber policies for technology consultancies are usually written on the standard bundle plus technology-specific extensions. First-party sections respond to breach response and incident management, cyber extortion and ransomware where lawful, business interruption while systems are down, data restoration, and cybercrime for social-engineering fraud. Business interruption cover for a consultancy needs to consider the possibility that the consultancy's own environment is compromised and the possibility that a client environment is compromised through the consultancy's tooling.
Third-party sections respond to privacy and network security liability (the section that fires when a client sues because their environment was compromised through the consultancy), regulatory investigation costs, insurable regulatory fines, and media and content liability. Some cyber wordings also include specific supply-chain liability sections — worth negotiating in for any consultancy acting as an MSP.
The usual list — state-sponsored acts under the LMA war clauses, prior known circumstances, unpatched critical vulnerabilities, unencrypted portable media, bodily injury and physical property damage. Two exclusions matter more for consultancies than for other professions. First, the professional services exclusion: some cyber wordings exclude losses arising from the rendering of professional services, on the basis that those losses belong on technology PI. That carve-out has to be aligned with the tech PI wording so that an event sits on one product or the other, not neither. Second, the failure of the insured's product or service exclusion: overly broad drafting can hollow out cover for the very consultancies the product is aimed at. A specialist broker checks both.
Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours where the consultancy is the controller. Where the consultancy is the processor, Article 33(2) requires notification to the controller without undue delay so the controller can meet its own 72-hour clock. Article 34 requires notification to affected data subjects where the risk is high. DPA 2018 applies where the data is special category. The consultancy's client contracts almost always impose shorter notification windows than UK GDPR — 24 hours or less is common — and the cyber wording needs to work with those contractual clocks, not just the regulatory ones.
This is the most important question in the entry. Technology PI responds to civil claims arising from the consultancy's professional services — a client suing because the software the consultancy delivered did not work as promised, or the advice given was negligent. Cyber responds to a security event and its consequences. The failure mode most often seen at claim time is a client claim that mixes both: the consultancy's code contained a security flaw that led to a breach, and the client sues for both the failure to deliver secure software and the resulting data loss. A specialist broker aligns the two wordings so this event triggers cooperation between insurers rather than a gap between them. Some markets now write cyber and technology PI on a combined wording specifically to eliminate the gap.
Apex Insurance Brokers Limited places cyber cover for technology consultancies alongside technology PI. We work with Lloyd's syndicates and specialist company markets, review the professional services exclusion and the definition of computer system carefully, and check the interaction with the tech PI wording line by line. Where a combined wording is available and appropriate, we consider it. Client retention runs at 95%. Commission is disclosed on request under ICOBS 4.4. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, firm reference number 724952.
Talk to a broker
Want cyber cover placed alongside your PI? A named broker at Apex will read your submission and come back within one working day.