Professional negligence with a cyber trigger

~3 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-12

When cyber and negligence are the same event

Not every cyber incident is a cyber-insurance claim. Where the firm's own professional work caused or contributed to the loss, the claim can be one of professional negligence with a cyber trigger - and that is PI territory, subject to any cyber exclusion in the wording.

Examples that sit on the PI side

An IT consultant that designs and installs a client's network negligently, leaving a vulnerability that is later exploited, has arguably committed a professional error. The client's loss flows from the consultant's defective work, not from an attack on the consultant's own systems. Similarly, an engineer whose control-system design fails because of a foreseeable security weakness may face a negligence claim rather than a cyber claim.

In each case the insured has provided a professional service that fell below the standard of a reasonably competent practitioner. That is the classic subject matter of a PI policy, tested against the ordinary Bolam standard of the reasonably competent member of the profession.

The wording problem

The difficulty is that many modern PI wordings carry a cyber exclusion. If the exclusion is drafted widely, it may strip out exactly this kind of claim - a professional error that happens to involve technology - even though the essence of the claim is negligence. A narrow exclusion, or a write-back for professional services, preserves the cover. The drafting is where the money is.

Why the cause of loss decides

Insurers approach these claims by asking what the proximate cause was. If the dominant cause is the firm's negligent professional act, the PI policy is the natural home, subject to the exclusion. If the dominant cause is a security compromise unrelated to the firm's advice, the cyber policy responds. Where causation is genuinely mixed, both insurers may be involved and the allocation is negotiated.

What a firm should check

Firms whose professional work is technology-heavy should read the cyber exclusion in their PI wording with particular care, and confirm that a professional-services write-back or a matching cyber policy catches anything the exclusion removes. Apex reviews the exclusion and the write-back together so a technology-facing firm knows which insurer answers a mixed-cause claim.

Contractual and statutory overlays

The negligence analysis rarely stands alone. A technology firm's contract will often contain its own liability and indemnity terms, and the courts read those alongside the common-law duty of care and the Unfair Contract Terms Act 1977 where the client is dealing on the firm's standard terms. A limitation-of-liability clause that survives the reasonableness test can cap the exposure, but it does not remove the need for cover up to that cap, and it does nothing about a claim from a party outside the contract.

For firms delivering technology-heavy professional services, the cleanest position is a PI wording whose professional-services definition plainly captures the work, a cyber exclusion narrow enough not to swallow it, and a matching cyber policy for the security exposure. Apex reads the contract, the PI wording and the cyber policy together so a technology-facing firm understands how a mixed-cause claim would actually be met.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation