Professional indemnity insurance claim — IT consultants UK

Reviewed by Matthew Bartlett, Director · Last reviewed 8 July 2026

If a client has raised a claim over a failed implementation, a missed go-live, a data-loss incident, an integration error or an outage attributed to your work, this entry sets out how a UK IT consultant should think about the next 24 to 48 hours. It covers notification under the claims-made wording, why timing is critical, what UK GDPR and the ICO expect in parallel where personal data is involved, and what your broker does at this point. Read it once, then pick up the phone.

The moment you notify matters

IT consultants' PI is written on a claims-made basis. The policy responds to claims and notified circumstances arising during the period of insurance, not to matters that arose during it but were never told to the insurer. Section 3 of the Insurance Act 2015 sets the duty of fair presentation at inception, renewal and any material variation; section 13A gives the insured a route where an insurer has breached the implied term to pay claims within a reasonable time. Late notification is one of the largest single technical reasons claims fall over at coverage stage. Notifying a circumstance does not commit you to admitting anything — it preserves the year's cover. Where the exposure involves a data breach or a cyber event, the interplay between the PI wording and any separate cyber wording matters and both may need to be triggered.

What "circumstance" means under a claims-made wording

A claim under an IT consultant's PI wording does not need to be a court proceeding. It can be a letter from the client's general counsel, an email escalating a dispute over scope or acceptance criteria, a change-control disagreement that has hardened into a claim, a downstream customer of your client raising a complaint about a system you delivered, or an internal note from a project director saying a delivery has gone wrong. The wording standard is that a fact, matter, event or circumstance which may reasonably be expected to give rise to a claim must be notified. The test is objective. Once someone senior has identified it, the practical clock has started.

The regulator's angle for IT consultants

IT consultancy in the UK is not a licensed profession in the way law or accountancy is, but several regulatory frameworks bite hard on the sector. Where personal data is in scope, the UK GDPR and the Data Protection Act 2018 impose the accountability principle and require a Data Processor to notify their Controller of a personal data breach without undue delay under Article 33(2). Controllers must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach that meets the Article 33(1) threshold, and notify data subjects under Article 34 where the breach is high risk. Where the consultant holds BCS Chartered IT Professional (CITP) status, the BCS Code of Conduct and disciplinary process may run in parallel. Contracts with public-sector clients typically incorporate the Digital, Data and Technology profession standards and clauses driven by the National Cyber Security Centre. Where the engagement operates via a personal service company, IR35 (off-payroll working) is a separate risk framework that does not sit inside PI cover.

What to do in the next 24 hours

Do not respond to the client on substance until you have notified your broker. Preserve every commit, log, ticket, meeting note, statement of work, change-request record and email trail. Do not alter code, delete branches, or "tidy up" a repository after the event. Do not admit liability, offer a rebate that reads as an admission, or float a settlement figure in correspondence. Notify your broker straightaway; the broker handles the notification to the insurer in the form the wording requires and manages what happens next. If a personal data breach is in scope, the 72-hour ICO clock under Article 33 of the UK GDPR is running in parallel from the moment of awareness — that clock does not wait for the PI notification and must be handled at the same time.

What your broker does at this point

A named broker who has run IT consultants' notifications before will take the summary from you, prepare and submit the notification to the insurer in the form the wording requires, protect your position on scope and late-notification questions, and manage the appointment of defence solicitors from the insurer's approved panel. Where the claim engages both the PI wording and a separate cyber wording — a common feature of technology E&O placements — the broker manages both notifications and the interplay. Apex is a broker, not an insurer or a defence firm; the broker handles the notification and manages the process with the insurer's appointed defence panel. This is the technical work where broker experience earns its keep.

Why 95% of Apex clients renew

Not because Apex clients never have claims. Technology delivery carries exposure by design, and long implementation cycles mean disputes can crystallise months after go-live. Apex clients renew because when a matter arose, the notification was made properly, the year's cover attached, and the firm reached the next renewal in a position to place terms on the merits rather than under a cloud.

Notification urgent?

If a matter has just arisen, call now. Late notification is one of the largest single reasons claims get declined. A named broker will pick up the phone and start the notification with you.

Call 0117 325 0027 → or start the quote form