Not every cyber incident is a cyber-insurance claim. Where the firm's own professional work caused or contributed to the loss, the claim can be one of professional negligence with a cyber trigger - and that is PI territory, subject to any cyber exclusion in the wording.
An IT consultant that designs and installs a client's network negligently, leaving a vulnerability that is later exploited, has arguably committed a professional error. The client's loss flows from the consultant's defective work, not from an attack on the consultant's own systems. Similarly, an engineer whose control-system design fails because of a foreseeable security weakness may face a negligence claim rather than a cyber claim.
In each case the insured has provided a professional service that fell below the standard of a reasonably competent practitioner. That is the classic subject matter of a PI policy, tested against the ordinary Bolam standard of the reasonably competent member of the profession.
The difficulty is that many modern PI wordings carry a cyber exclusion. If the exclusion is drafted widely, it may strip out exactly this kind of claim - a professional error that happens to involve technology - even though the essence of the claim is negligence. A narrow exclusion, or a write-back for professional services, preserves the cover. The drafting is where the money is.
Insurers approach these claims by asking what the proximate cause was. If the dominant cause is the firm's negligent professional act, the PI policy is the natural home, subject to the exclusion. If the dominant cause is a security compromise unrelated to the firm's advice, the cyber policy responds. Where causation is genuinely mixed, both insurers may be involved and the allocation is negotiated.
Firms whose professional work is technology-heavy should read the cyber exclusion in their PI wording with particular care, and confirm that a professional-services write-back or a matching cyber policy catches anything the exclusion removes. Apex reviews the exclusion and the write-back together so a technology-facing firm knows which insurer answers a mixed-cause claim.
The negligence analysis rarely stands alone. A technology firm's contract will often contain its own liability and indemnity terms, and the courts read those alongside the common-law duty of care and the Unfair Contract Terms Act 1977 where the client is dealing on the firm's standard terms. A limitation-of-liability clause that survives the reasonableness test can cap the exposure, but it does not remove the need for cover up to that cap, and it does nothing about a claim from a party outside the contract.
For firms delivering technology-heavy professional services, the cleanest position is a PI wording whose professional-services definition plainly captures the work, a cyber exclusion narrow enough not to swallow it, and a matching cyber policy for the security exposure. Apex reads the contract, the PI wording and the cyber policy together so a technology-facing firm understands how a mixed-cause claim would actually be met.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.