Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026
Surveying firms hold valuation records, property inspection reports, personal data on clients and tenants, and — in the case of larger firms — commercially sensitive information on transactions that have not yet completed. The combination of client-identifiable data and transactional value makes the profession a durable target for both ransomware and social-engineering fraud. This entry sets out how cyber cover works for a RICS-regulated firm and how it fits with the Rules of Conduct and the Red Book environment.
RICS Rules of Conduct Rule 3 requires members and firms to provide good quality and diligent service. Rule 5 requires respect for confidentiality. The RICS Professional Standard on Conflicts of Interest and the Data Handling requirements that sit inside the Rules of Conduct set expectations around the safeguarding of client information. A firm that loses valuation records or exposes tenant personal data to a threat actor is on notice under both.
Under UK GDPR every practice is a data controller for client, employee and tenant personal data. Firms carrying out Red Book valuations for lending purposes hold commercially sensitive material that would be valuable to competitors and to fraudsters. The Building Safety Act 2022 has increased the record-keeping burden on higher-risk buildings work, and the loss of a survey audit trail is now a materially worse outcome than it was five years ago. Firms that offer property management sit as data controllers for tenant information and also as data processors for landlord clients — which raises the supply-chain question of who notifies what to whom.
Cyber policies for surveyors are usually written on the standard bundle. First-party sections respond to breach response and incident management, cyber extortion and ransomware where lawful, business interruption while systems are down, data restoration, and cybercrime for social-engineering fraud on completion payments or fees. Cybercrime cover is worth reviewing carefully where the practice handles client money — although client accounts for surveyors are less common than for solicitors, they exist in property management and in some transactional practices.
Third-party sections respond to privacy and network security liability, regulatory investigation costs (ICO and, where relevant, RICS), insurable regulatory fines, and media and content liability. Firms should check whether valuation-related claims arising from a data breach fall on the cyber wording or on RICS-mandated PI — the boundary can be surprisingly narrow.
The usual list — state-sponsored acts under the LMA war clauses, prior known circumstances, unpatched critical vulnerabilities, unencrypted portable media, bodily injury and physical property damage. Practices that use third-party site-inspection software or drone-imagery contractors should check the definition of computer system to make sure losses arising from a subcontractor's environment are within cover.
Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours. Article 34 requires notification to affected data subjects where the risk is high. For a surveying practice the trigger is usually a mailbox compromise or a ransomware event where client and tenant personal data is affected. DPA 2018 applies where the data is special category. RICS reporting expectations run in parallel: Rule 12 requires firms to co-operate with RICS, and a serious data breach is likely to require notification via the firm's regulatory contact.
RICS-mandated PI responds to civil claims arising from professional services. If a lender sues the firm because a valuation was mishandled following a data breach, that is a PI claim. If a threat actor encrypts the firm's servers and the firm has to pay a forensic team, notify the ICO and rebuild valuation records, that is a cyber loss. A specialist broker aligns the two wordings so an event that touches both is covered on both, and checks whether any cyber-related exclusion has been introduced into the PI wording.
Cyber underwriters price on evidence of a small number of practical safeguards. For a RICS-regulated firm expect to be asked about multi-factor authentication on remote access, on email, and on the practice's surveying platform (or the residential valuation panel management portal, where applicable); endpoint detection and response on every machine including surveyors' tablets in the field; offline or immutable backups of valuation records and property files tested at least annually; a documented patch cadence for Windows and mobile devices; strict segregation of client-money accounts where the firm operates them; staff phishing training with a property-transaction impersonation module; and an incident response plan that names the RICS contact path and any lender-panel notification obligations. Firms with panel-lender relationships often inherit specific cyber requirements from those lenders which underwriters will expect to see honoured.
Apex Insurance Brokers Limited places cyber cover for RICS-regulated firms alongside PI. We work with Lloyd's syndicates and specialist company markets, review the data restoration wording against valuation record-keeping obligations, and check the interaction with the PI wording line by line. Client rete