Professional indemnity (PI) insurance and cyber insurance are often bought as separate products from separate underwriters, sit under separate policy wordings, and answer to separate claims teams. For most professional firms they also overlap in ways that only become visible when a claim lands. This entry maps the boundary between the two covers, explains the exclusion language that has redrawn that boundary since roughly 2020, and sets out the practical role a broker plays in stitching the two together.
PI insurance responds to civil liability arising out of the professional services the insured firm provides. For an IT consultancy that means negligent advice on system design, migration, or configuration; for a solicitor it means negligent legal advice; for an architect it means negligent design. The trigger is a claim by a client (or sometimes a third party) that the professional's work fell below the standard reasonably expected and caused loss. PI is a third-party liability cover — it pays what the insured is legally liable to pay to someone else, together with defence costs. See the IT professionals PI guide and the solicitors PI guide for sector detail.
Cyber insurance is a hybrid cover. The first-party section responds to losses the insured itself suffers from a cyber incident: breach response costs (forensic investigation, legal notifications, PR support), ransomware payments where insurable, business interruption, and system restoration. The third-party section responds to claims brought against the insured arising from a cyber incident — typically data-subject claims following a personal data breach, and regulatory investigation costs including ICO enforcement action. The Information Commissioner's Office has powers under the Data Protection Act 2018 and UK GDPR to issue monetary penalties of up to £17.5m or 4% of annual global turnover, whichever is higher. Whether the fine itself is insurable is a matter of public policy and specific policy wording; defence and investigation costs generally are. The Network and Information Systems (NIS) Regulations 2018 impose parallel security and incident-reporting obligations on operators of essential services and relevant digital service providers.
Three fact patterns illustrate the overlap.
Professional gives cyber-related advice. An IT consultancy advises a client on data architecture, a solicitor advises on GDPR compliance, an accountant recommends a cloud accounting platform. If the advice is later alleged to be negligent, the primary trigger is the professional service — PI territory.
Client data leaks from the professional's own systems. A law firm's server is breached and client files are exfiltrated. The primary event is a cyber incident affecting the professional's infrastructure — cyber territory, both first-party (breach response) and third-party (data-subject claims).
Client sues the professional for a GDPR breach caused by the professional's IT failure. Here the two covers can both plausibly respond. The claim is dressed as professional negligence but the underlying event is a cyber incident. Which policy leads depends on the wording.
Since Lloyd's Market Bulletin Y5258 in 2019, which required underwriters to state clearly whether each policy affirms or excludes cyber risk, and the subsequent rollout of Lloyd's Market Association model clauses such as LMA5391 (Cyber Exclusion) and its variants, many PI policies now carve out losses arising from cyber events. The intent from the PI market's perspective is to push cyber loss onto cyber policies. The practical effect is a coverage gap for firms that hold PI but have not bought, or have underbought, cyber. The wording varies. Some clauses exclude only first-party cyber losses; some exclude any liability arising out of a cyber act; some carve back an exception for liability arising from the professional service itself even where a cyber event is involved. Every renewal is an opportunity to read the current exclusion and check it against the current cyber policy, because a gap only has to exist in one of the two wordings to leave a claim uncovered.
An IT consultancy advised a client on a cloud migration in 2023. In 2024 the client suffered a data breach traced to a misconfiguration recommended in that advice. The client claims £900,000 in losses and sues the consultancy for professional negligence. The consultancy holds PI cover of £2m and cyber cover of £1m. The PI insurer initially declines, pointing to LMA5391 and arguing the loss arises out of a cyber act. The cyber insurer also pushes back, arguing the claim is at heart a professional negligence action which sits with PI. In practice a broker coordinates a cross-market resolution: the PI wording is examined for a carve-back preserving cover where the professional service itself is the primary trigger, and the likely outcome is that PI responds as the primary layer for the third-party liability, with the cyber policy covering the consultancy's own first-party losses (forensics, notification) and, if its other-insurance clause allows, sitting as excess above the PI limit. Which policy is primary and which is excess ultimately turns on the other-insurance and exclusion clauses in both wordings, not on the label the claimant attaches to the claim. Facts and figures illustrative only.
Apex Insurance Brokers arranges PI and cyber cover for professional firms across the UK. The practical broker tasks are checking that the cyber exclusion in the PI wording is compatible with the trigger in the cyber wording, minimising the risk of a claim falling between the two, and coordinating notification when an incident could plausibly trigger either. On that last point the safe course is to notify both insurers promptly rather than guess which one will respond: PI policies are written on a claims-made basis, and late notification under either wording can itself become a ground for declinature. See the broker's duty of care, the accountants PI guide, and the management consultants PI guide for sector context.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.