Information technology consulting sits awkwardly between advice and delivery. One engagement may ask a consultant to specify a whole platform, choose vendors, and shape a client's digital roadmap; the next may ask only for a discrete module, an API integration, or a code review against a fixed brief. When something goes wrong and a professional indemnity claim follows, the courts do not treat every negligent output the same way. The scope-of-duty analysis in Manchester Building Society v Grant Thornton [2021] UKSC 20 and the companion decision Khan v Meadows [2021] UKSC 21 controls how far a consultant's liability actually reaches, and it matters as much to a software architect as it does to an auditor.
The starting point is the distinction drawn by Lord Hoffmann in South Australia Asset Management Corp v York Montague [1997] AC 191 — the SAAMCO principle — between advice, which guides a client's decision on a whole course of action, and information, which is one input among many. An IT consultant retained to recommend whether to build in-house, buy an off-the-shelf platform, or adopt a SaaS product is giving advice: the decision is being shaped by the consultant. An IT consultant retained to deliver a specific data-migration script to a specification agreed elsewhere is providing information: the client has already decided what it wants and is buying a defined output. See the companion entry advice versus information under SAAMCO for the underlying framework.
Where the engagement is advice-heavy, the scope of duty is broader and losses flowing from the course of action taken can be recoverable in principle, subject to the counterfactual test. Where the engagement is information-only, the consultant is generally responsible only for losses attributable to the specific inaccuracy in the information supplied, not for the wider consequences of the client's project. That distinction can be decisive when an in-house build over-runs, when a chosen vendor turns out to be unsuitable, or when a migration exposes the client to downtime or data loss.
Manchester Building Society v Grant Thornton reframed the SAAMCO test as a question about the purpose of the duty: what risk was the professional retained to protect the client against, and would the loss have occurred had the advice been non-negligent? For IT consultants that means asking what technology decision the client would have made but for the negligent advice. If a consultant negligently recommends a bespoke build over a fit-for-purpose off-the-shelf product, the counterfactual is the off-the-shelf project, and the recoverable loss is the difference — not the full cost of the failed bespoke build. If a consultant negligently under-specifies security requirements, losses that would have occurred anyway on a competent build are not attributable to the negligence.
Alongside the tortious analysis, the contractual position matters. Robinson v PE Jones (Contractors) Ltd [2011] EWCA Civ 9 confirms that a professional relationship can generate concurrent contractual and tortious obligations, and that the parties can define the contractual limits through their engagement letter. IT consultants routinely include liability caps — for instance, capped at the fees paid or a multiple of them — together with exclusions for consequential loss, data loss, or third-party software failures. Those caps generally bind in a commercial relationship, though drafting matters and rescission remains available where an engagement was induced by misrepresentation (see Salt v Stratstone Specialist Ltd [2015] EWCA Civ 745).
IT PI overlaps with cyber cover more than most professional lines. A negligent architectural recommendation that leaves a client exposed to a breach may trigger both the consultant's PI policy (for the advice) and the client's cyber policy (for incident response and third-party notifications). Consultants should check whether their PI wording carves out cyber-related claims, whether a separate cyber liability section applies, and how retroactive dates and notification triggers interact. The IT professionals PI guide and the cyber insurance overview cover the layered structure in more detail.
Where the engagement is performed through a personal service company under an IR35-adjacent structure, additional questions arise about whose PI responds and whether the end client's indemnity requirements are satisfied. See IR35 contractor PI for the mechanics.
Worked example (illustrative only, not a case study). In 2020 an IT consultant advises a mid-sized client to build an in-house CRM rather than adopt an off-the-shelf product. The build over-runs and ultimately costs £450,000. A properly conducted options review would have pointed to an off-the-shelf solution costing approximately £180,000 for equivalent functionality. Applying Manchester Building Society, the counterfactual is the off-the-shelf project. The recoverable loss attributable to the negligent advice is £270,000, being the difference in project cost, plus any provable operational benefits lost by the delay. The consultant's PI policy responds to that head of loss subject to the policy limit and any aggregate cap set out in the engagement letter. Losses that would have arisen on any competent build fall outside the scope of duty.
Cross-reference: professional indemnity pillar guide.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.