Cyber insurance divides into first-party cover and third-party cover, and the distinction explains why professional indemnity can never be a substitute for cyber.
First-party cover pays the firm's own costs of dealing with a cyber incident. It typically includes forensic investigation to establish what happened, the cost of restoring or recreating lost data, business interruption while systems are down, breach notification and public relations, and in many wordings the cost of a ransom and its negotiation. None of this is liability to anyone else - it is the firm's own balance-sheet loss.
Professional indemnity does not reach any of it. A PI policy is a liability policy: it responds when a third party makes a claim, not when the insured firm incurs its own costs. A management consultancy whose systems are encrypted by ransomware has no PI claim for the cost of getting back online, however serious the disruption.
Third-party cyber cover responds to claims made against the firm by others as a result of a data or security failure - for example a client whose personal data was exposed, or a regulator taking enforcement action. This is where cyber and PI can overlap, because a claim by a client can be framed either as a data-security failure or as professional negligence.
For an IT consultant, the exposure is unusually wide. The firm can suffer its own first-party loss when its systems are attacked, and it can also be sued by a client when a project it delivered fails or exposes the client's data. PI answers the second; only the first-party section of a cyber policy answers the first. Buying one and assuming it covers the other is the most common gap Apex sees.
The sensible exercise at renewal is to list the plausible incidents a firm faces and mark, for each, whether the loss is first-party or third-party and which policy would respond. Gaps show up quickly. Apex carries out that mapping as part of reviewing a professional firm's programme rather than treating PI and cyber as unrelated purchases.
Because the two halves of a cyber policy are distinct, the schedule usually sets a separate limit or sub-limit for each head of cover - forensic costs, business interruption, data restoration, cyber crime, and third-party liability. A firm can hold a policy with a healthy overall limit but a modest sub-limit on the very head it is most likely to claim, such as social-engineering fraud or business interruption. The overall figure on the certificate can be reassuring and misleading at the same time.
The disciplined approach is to read the schedule head by head, test each sub-limit against the plausible loss, and confirm that the third-party liability section aligns with the cyber exclusion in the PI wording. Apex works through the schedule with the client so the sub-limits reflect the firm's real exposure rather than a default template, and so the third-party section dovetails with the professional indemnity cover rather than duplicating or contradicting it.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.