Reviewed by Matthew Bartlett, Director · Last reviewed 8 July 2026
IT consultancy PI renewal now sits in a hybrid market, half traditional professional indemnity, half cyber-adjacent risk transfer. There is no single statutory regulator sitting behind IT consultancy in the way the SRA sits behind solicitors or the ARB sits behind architects. The discipline institution — the BCS Chartered Institute for IT with its CITP designation — sets professional expectations, but the harder pressure at renewal comes from clients who contractually require PI cover of a stated limit and from insurers who look closely at the overlap with cyber.
Eight to twelve weeks before renewal is the working range. Consultancies with a large client base, a project failure on the record, or a data-incident history should be closer to twelve weeks. A smaller advisory-only practice with no software deliverables can work to eight weeks. The reason for the earlier start is that the IT consultancy PI market has diverged — some insurers write software-project-failure risk within PI and others exclude it; some carry cyber-adjacent extensions inside the PI wording and others require a separate cyber policy. Placing the account with an insurer whose wording actually matches the work being done takes time.
Under section 3 of the Insurance Act 2015 the practice owes a duty of fair presentation. The proposal will ask for a revenue split by service line — strategy and advisory, systems integration, custom software development, managed services, data and analytics, security consulting, cloud migration — because each carries a different loss profile. It will ask for the top ten to twenty clients or projects by value, contract terms including liability caps, and any project that has run over budget, run over time, or generated a dispute. GDPR incidents reportable to the ICO under Article 33 of the UK GDPR should be disclosed with the outcome of any investigation. Cyber posture — MFA, backup practice, endpoint detection, incident-response plan — is now a routine question in the PI proposal even where a separate cyber policy is held.
Software project failure is the largest single source of PI claims in the sector, and insurers price the exposure by contract type — fixed-price development attracts more scrutiny than time-and-materials advisory. Data-incident disclosure under the UK GDPR sits at the intersection of PI and cyber; the proposal will ask what went to the ICO and what did not. IR35 status of individual consultants supplied to end clients affects the way liability flows through the engagement chain and can affect insurer view of the risk. Contractual liability caps in client agreements often sit below the PI limit purchased; the proposal should describe the normal cap position honestly. Aggregation exposure is real for a practice supplying similar software to multiple clients — a single defect can aggregate. Wordings that carve out cyber, malware or ransomware exposure from PI leave gaps that a separate cyber policy needs to close.
95% of Apex clients renew with Apex. The number describes what happens when the broker handles the renewal properly — when the fee split is disclosed correctly, when the software-project history is set out fairly, when the GDPR incidents are addressed rather than glossed. Consultancies whose broker did the work come back the following year. Consultancies whose broker asked for last year's proposal to be updated tend not to.
IT consultancy limit adequacy is a two-policy conversation for any firm carrying both PI and cyber cover. Client contracts often require a stated PI limit and a separate stated cyber limit, and the two need to be reviewed together rather than sequentially. A firm whose PI limit sits at £2m and whose cyber limit sits at £1m carries a different risk position from a firm with both at £5m. The right limit review at renewal considers the largest client contract by value, the aggregation exposure across similar software or advice delivered to multiple clients, the data-processing scale for GDPR notification purposes, and the interaction between the PI wording and the cyber wording where a claim could sit in either. Where a firm holds only PI, the review considers whether the PI wording carries meaningful cyber-adjacent extensions and where the gaps sit.
One named broker owns the account. The submission is drafted with the practice, distinguishing revenue by service line in the categories underwriters use, and the software-project history is presented in a way that reflects the actual risk profile rather than the accounts. Every insurer with genuine IT-consulting appetite on our panel is approached, including insurers who write software-project-failure risk within PI. Wording differences — cyber carve-outs, software-project sub-limits, malware exclusions, retroactive dates, defence-costs treatment, contractual liability provisions — are set out in plain English. Where the practice holds a separate cyber policy the interaction is mapped so no