IT consultant PI vs cyber insurance: where the two overlap and where they don’t

~5 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-06

IT consultants operate in the intersection of two of the most active claims segments in the UK insurance market: professional indemnity claims and cyber events. The two are related but distinct — a professional indemnity policy responds to a client's third-party claim that the consultant's professional negligence caused loss, while a cyber insurance policy responds to first-party losses arising from cyber events affecting the consultancy itself or its clients through the consultancy's systems. The two policies overlap in some scenarios and leave gaps in others. Consultancies without both covers face predictable coverage failures. This entry sets out where the two policies overlap, where they diverge, and how brokers help IT consultancies structure the two covers together.

What each policy is for

Professional indemnity insurance responds to a third-party claim brought by a client alleging that the consultant's professional negligence caused loss. The claim is contractual or tortious in nature and typically quantified as the client's actual financial loss. The trigger is the client's complaint. The defence is the professional judgment defensibility — was the consultant's advice or delivery consistent with reasonable professional standards at the time it was given?

Cyber insurance responds to first-party losses arising from cyber events. The event might be a data breach, a ransomware attack, a business email compromise, a denial-of-service attack, or any other cyber incident. The policy typically covers incident response costs (forensic investigation, legal advice, notification costs, credit monitoring), business interruption (revenue lost during system downtime), cyber extortion payments (subject to policy and legal constraints), and specific third-party liability arising from the cyber event.

Where the two overlap

The overlap sits in the scenario where a cyber event on the client's system was caused, in whole or in part, by the IT consultant's professional failure. Consider a consultant who was engaged to implement a client's cloud migration and, in the process, misconfigured access controls in a way that allowed a subsequent breach. The client suffers a data breach — a cyber event from the client's perspective — and brings a claim against the consultant arguing that professional negligence in the migration caused the loss.

From the consultant's perspective, this is a third-party PI claim. From the client's perspective, this is a cyber event costing incident response fees, notification costs, business interruption, and regulatory fine exposure. Both policies could be argued to respond. In practice, the consultant's PII responds to the third-party claim from the client, and the client's own cyber insurance (if any) responds to the client's first-party costs.

Where the two diverge

Three scenarios illustrate the divergence.

First, the consultancy's own systems are attacked. A ransomware attack encrypts the consultancy's internal servers. The consultancy loses access to client project files, project data, and its own operations. This is a first-party cyber event for the consultancy. PI does not respond — no third-party claim has been made. Cyber insurance responds to the incident response, business interruption, and any extortion payment.

Second, a client alleges that the consultant's advice was unsuitable, entirely unrelated to any cyber event. A traditional PI claim — the client wanted a system that did X and got a system that does Y. PI responds. Cyber insurance is irrelevant.

Third, the consultancy inadvertently sends confidential client data to the wrong recipient. This is a data breach from the client's perspective but not a cyber event in the technical sense — no external attack, no system compromise, just a professional error. Both policies may respond depending on wording specifics. Well-drafted policies coordinate the response; poorly-drafted ones can leave a gap.

Coverage gaps typical to IT consultancies

Four coverage gaps recur where consultancies hold only one of the two covers.

First, the consultancy that holds only PI faces uninsured first-party cyber events. Ransomware, phishing losses, business email compromise, and system outages all leave the consultancy bearing the loss out of pocket.

Second, the consultancy that holds only cyber cover faces uninsured PI exposure. A client alleging unsuitable advice or failed delivery, unrelated to any cyber event, is not covered by cyber insurance.

Third, both covers can fail to respond where the loss falls between them. A third-party liability claim arising from a cyber event that is not clearly attributable to the consultant's professional negligence may fall between the two policies — the PI insurer arguing no negligence, the cyber insurer arguing no cyber event on the consultant's system.

Fourth, sub-limits on cyber exposure within a PI policy can leave the consultancy under-insured. Some PI wordings include a modest cyber sub-limit that responds where the third-party claim has a cyber element, but the sub-limit may be far below the actual exposure. Consultancies with material cyber-related work should consider a standalone cyber policy rather than relying on a PI sub-limit.

How to structure the two together

The market-standard approach for IT consultancies is to place PI and cyber cover with wordings that expressly coordinate. The PI wording covers third-party claims for professional negligence, including negligence that results in a client cyber event. The cyber wording covers first-party losses on the consultancy's own systems and can extend to third-party cyber liability where not covered by PI. Wordings should be reviewed together, not in isolation, to identify the seam where one policy ends and the other begins.

Ideally, both policies should be placed with the same broker so the seam is understood at renewal. Consultancies with the two covers placed through different brokers are more exposed to coverage disputes if a loss triggers both.

Client contractual requirements

Increasingly, IT consultancy client contracts require both PI and cyber insurance to specified minimum limits. Enterprise clients, public-sector procurement frameworks, and regulated-sector engagements often specify both. Consultancies should ensure the placed cover meets the contractual specification for both policies at every material engagement.

Worked example

Illustrative only. A six-consultant firm delivering cloud migration and cybersecurity consulting to mid-market financial services clients. Client contracts routinely require £5 million PI plus £2 million cyber cover. Broker action: PI policy placed at £5 million each and every claim on a wording that responds to third-party cyber-related claims arising from consultancy negligence; cyber policy placed at £2 million on a wording that responds to first-party cyber events on the consultancy's own systems and to third-party cyber liability not covered by PI. The two wordings reviewed together, seam confirmed clean. Both policies documented in a single insurance summary the consultancy issues to clients on request.

Related reading

See IT consultants regulatory framework, GDPR and ICO exposure, software delivery project failure claims, and the IT consultants PI insurance guide 2026.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.