Cyber and PI overlap under the SRA MTC: how solicitor firms should think about the two policies together

Reviewed by Matthew Bartlett, Director (SMF3, SMF16, SMF17). Last reviewed 10 July 2026.

Almost every solicitor firm in England and Wales now runs two insurance policies side by side: professional indemnity cover on the SRA Minimum Terms and Conditions, and a standalone cyber policy. That was not the case five years ago. Criminal targeting of law firms has risen, SRA expectations on cyber security have tightened, and insurers have drawn a sharper line between what each policy answers for. This entry sets out what the SRA MTC does and does not cover on cyber-arising losses, what a standalone cyber policy fills, where the two overlap, and where firms most commonly find gaps at renewal.

Why solicitor firms carry both PI and cyber cover in 2026

Legal-sector cyber incidents are no longer occasional headline events. Law firms sit on a combination of client money, confidential transactional data, and high-value counterparty communications that is attractive to criminal actors. Ransomware attacks on mid-sized practices, business-email-compromise fraud in conveyancing chains, and data-exfiltration incidents are regular features of the market. The SRA's cybercrime thematic review, published in late 2024, described the position bluntly: the volume of reports has grown and the sophistication of the attacks has risen.

The regulatory expectation has moved in step. The SRA's Risk Outlook and cybersecurity guidance issued through 2024 and 2025 treat cyber security as a governance issue rather than an IT issue — covering client money protection, incident notification, staff training, multi-factor authentication, backup practice, and supplier due diligence. The underlying rules remain the SRA Principles and the Code of Conduct. Insurers have moved in parallel: most PI insurers on the SRA panel have reduced the cyber sub-limit inside the PI wording, added social-engineering carve-outs, or ceded first-party cyber costs to the standalone market.

What the SRA MTC covers on cyber-arising losses

The MTC is a civil liability wording. It is designed to protect third parties — typically clients — against loss caused by the firm's practice. Where that loss has a cyber cause, the MTC still responds to the client-facing side of the incident. In broad terms the MTC will pick up:

The MTC does not carve out cyber-caused liability. If the ingredient of the civil claim is professional negligence, breach of duty, or breach of trust in the ordinary sense, the wording engages regardless of whether the underlying failure was a mis-drafted contract or a compromised email server. Aggregation of related client claims is dealt with by the MTC's aggregation clause — see the entry on aggregation clauses by regulator.

What the SRA MTC does not typically cover

The MTC is not a cyber policy. It is not designed to answer for the firm's own first-party losses or for its costs of managing an incident. The gaps are foreseeable:

Those categories add up. In a mid-scale ransomware event affecting a firm of thirty fee-earners, the first-party costs alone can run to six figures before any client claim has been quantified.

What standalone cyber policies cover

A modern standalone cyber policy is designed to sit alongside the MTC and pick up the first-party and operational costs the PI cannot reach. A typical wording will include:

Standalone wordings vary widely. Two policies described as "cyber" can look very different in the definitions of "cyber event", "extortion demand", or "business interruption loss".

Where the two policies overlap

The MTC and a standalone cyber policy are meant to complement rather than duplicate each other, but three areas of genuine overlap arise:

The SRA cyber guidance context

The SRA has not issued binding cyber rules in the way the FCA has for regulated financial firms. It has instead published thematic guidance and risk analysis that shape supervisory expectations. The 2024 cybercrime thematic review and the Risk Outlook material through 2024 and 2025 return to a consistent set of themes:

None of that is statutory in the strict sense. All of it affects how the SRA reads a firm whose cyber controls have failed and whose clients have suffered loss.

Common cyber incident scenarios and which policy responds

Ransomware. The cyber policy is the primary responder. Ransom payment, incident response, business interruption, and system rebuild sit within the cyber wording. If a client then sues alleging the ransomware disrupted their matter, that claim engages the MTC.

APP fraud and vendor impersonation. A criminal compromises the firm's email, impersonates a party in a transaction, and induces a client to send funds to a fraudulent account. The firm's civil liability to the client is an MTC exposure. The cyber policy may respond to the forensic and notification costs. The dividing line depends on whose account was compromised, the firm's warning practice, and how each wording defines social engineering. This is the classic boundary case.

Data breach with client personal data leaked. First-party breach management — forensic investigation, notification, credit monitoring — sits with the cyber policy. Client civil claims for distress and consequential loss are an MTC exposure. An ICO fine to the firm is typically not insurable; a civil award against the client that the firm reimburses may fall within the MTC subject to standard exclusions.

Business interruption from a cyber outage. The cyber policy is the first-party responder. The MTC does not answer for lost fees.

Professional advice failure with a cyber cause. The firm's case-management system is down during hearing preparation, deadlines are missed, and a client is prejudiced. The client's claim is a civil liability claim under the MTC. The cyber policy may respond to the operational cost of restoring the system.

How aggregation clauses interact

The MTC aggregates related client claims by reference to acts or omissions in a series of related matters or transactions. A cyber policy aggregates by reference to a single event. In a cyber incident triggering ten client claims across active files, the MTC may treat all ten as one aggregated claim answering to one limit, while the cyber policy may treat the underlying event as one occurrence with its own limit. The result can be favourable or unfavourable depending on where the limits sit.

Common wording issues to review at renewal

How Apex approaches this

Apex Insurance Brokers Limited is FCA-authorised (firm reference number 724952) and places SRA MTC professional indemnity and standalone cyber cover for solicitor firms of all sizes. Matt Bartlett, our director, holds SMF3, SMF16, and SMF17 approvals and reviews the PI and cyber programme personally at renewal. We treat the two policies as a single risk-transfer programme: mapping the firm's realistic loss scenarios against both, identifying overlap and gaps in writing, and negotiating wording changes where the market allows. Where the boundary is likely to be contested — typically on wire-fraud and social-engineering cases — we document the position at inception so that a live claim does not begin with a coverage argument.

Frequently asked questions

Does solicitors PI cover a cyber attack?

The SRA MTC covers civil liability to third parties, including where the underlying cause is a cyber attack. It does not cover the firm's own first-party costs, business interruption, ransom payments, or ICO fines against the firm itself. That is why almost every solicitor firm now carries a standalone cyber policy alongside the PI.

Do I need cyber insurance if I have SRA MTC PI?

The MTC is not designed to answer for first-party cyber losses. Ransomware, incident response, notification, credit monitoring, business interruption, and data restoration sit outside the MTC. Whether the firm needs standalone cyber cover is a governance decision, but the practical answer for most firms is yes.

What SRA guidance applies to cyber security for law firms?

The SRA published a cybercrime thematic review in late 2024 and has addressed cyber risk in its Risk Outlook material through 2024 and 2025. These are not binding rules but shape supervisory expectations. The underlying obligations remain the SRA Principles, the Code of Conduct for Firms and Solicitors, and the SRA Accounts Rules. Firms should also consider UK GDPR and Data Protection Act 2018 obligations enforced by the Information Commissioner's Office.

Does PI cover ransomware payments?

The SRA MTC does not typically cover ransomware or extortion payments. That cover, where available, sits within a standalone cyber policy and is subject to sanctions screening, insurer approval, and any applicable sub-limit.

How do PI and cyber policies interact on a client wire fraud?

Where a client is induced to send money to a fraudulent account after the firm's system was compromised, the firm's civil liability to the client is an MTC exposure. Forensic, notification, and incident-response costs typically sit with the cyber policy. The dividing line depends on the social engineering and funds-transfer-fraud provisions in each policy, and on the facts of the incident.

How much cyber cover does a solicitor firm need?

There is no prescribed minimum. The right limit depends on the firm's size, client base, volume of client money handled, case-management stack, and business continuity resilience. Model a plausible worst-case scenario — a ransomware event that closes systems for two weeks, triggers notification to a substantial client population, and generates related client claims — and check that combined PI and cyber limits absorb it.

Related reading


Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952.