Ransomware and professional firms: the coverage questions

~3 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-12

Why ransomware is largely a cyber question

Ransomware encrypts a firm's data and demands payment to release it. The immediate losses - restoring systems, recreating data, business interruption, incident response and any ransom - are the firm's own first-party costs, which is why ransomware is primarily a cyber-insurance question rather than a professional indemnity one. A professional indemnity policy, being a liability policy, does not pay the firm's own recovery costs.

Where PI can still be engaged

PI re-enters the picture if the attack causes a third-party loss. An accountancy firm locked out of its systems that misses a statutory filing deadline, or a management consultancy that fails to deliver a contracted service on time, may face a claim from the affected client. That downstream liability can be a professional-negligence exposure, subject to the cyber exclusion in the PI wording.

The payment problem

Paying a ransom is not straightforward. A payment to a sanctioned entity can breach UK financial sanctions administered by the Office of Financial Sanctions Implementation, and the National Cyber Security Centre and law-enforcement bodies discourage payment because it funds further crime and offers no assurance the data will be released. Cyber wordings increasingly require the insurer's prior consent and a sanctions check before any payment, and some now sub-limit or exclude ransom entirely.

Business interruption

For many firms the largest single loss from ransomware is not the ransom but the interruption - fee income lost while the practice cannot operate. This is a first-party cyber head of cover with its own waiting period and indemnity period. It has no analogue in the PI policy, so a firm that carries only PI has no protection against it.

Planning ahead of an incident

The practical protection is preparation: tested backups, an incident-response plan, and a cyber policy whose business-interruption and data-restoration limits reflect the firm's real reliance on its systems. Apex helps professional firms match the cyber limits to the exposure and check that any resulting third-party liability is caught by the PI policy rather than falling into the cyber exclusion.

The regulatory dimension

A ransomware attack that involves personal data being accessed or exfiltrated is not only an operational crisis but a personal data breach, which engages the notification duties under the UK GDPR and the Data Protection Act 2018. The firm may have to notify the Information Commissioner's Office within 72 hours and, where the risk is high, the affected individuals as well. Managing the technical recovery and the regulatory response at the same time is demanding, and it is one reason cyber policies channel firms to a coordinated incident-response panel.

For regulated professions there may be a further layer: the professional body's own reporting expectations where client confidentiality has been compromised. Apex helps professional firms think through the operational, regulatory and professional-body strands of a ransomware event in advance, and confirm that the cyber policy funds the response the firm would actually need to mount.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation