Indemnity cover for developers, contractors and IT firms when software goes wrong
A failed integration, a missed bug or a delayed delivery can leave an IT professional facing a claim for the client's losses. This guide explains how professional indemnity works for IT roles and how it sits alongside cyber cover.
TL;DR
Professional indemnity insurance covers an IT professional against claims that their software, advice or services caused a client financial loss, including negligent code, failed projects and breach of intellectual property. It is not required by general law but is routinely demanded in client and agency contracts. PI is usually claims-made and is distinct from cyber insurance, which covers the firm's own data breaches.
Last reviewed: 22 June 2026
The risks unique to IT work
IT professionals carry a distinctive blend of exposures. They write and integrate software that other businesses depend on, often for mission-critical functions such as payments, logistics or customer records. When that software fails, the consequences cascade quickly: an e-commerce client whose checkout breaks during a busy period can lose revenue by the hour, and the developer who built or maintained the system is the obvious target for a claim.
The range of allegations is broad. A client might claim that code was negligently written, that a project was delivered late or never delivered at all, that a system failed to perform as specified, or that the IT firm gave poor advice on architecture or supplier selection. Each of these is a financial loss flowing from the professional service, which is the territory of professional indemnity insurance.
Intellectual property adds a further layer. Modern development leans heavily on open-source libraries, third-party components and reused code. If a client is later accused of infringing someone else's intellectual property because of how the IT professional built the product, the resulting claim can fall to be defended. Many IT PI policies specifically extend to IP infringement for this reason.
How PI differs from cyber insurance
One of the most important distinctions for IT firms is between professional indemnity and cyber insurance, because they are frequently confused yet cover different events. PI responds when the firm's professional work causes a client a financial loss. Cyber insurance responds when the firm itself suffers a security incident: a hack, ransomware attack, or breach of the personal data the firm holds.
The practical effect is best seen through examples. If a developer writes faulty code that corrupts a client's database, the resulting claim is a PI matter. If the developer's own systems are breached and client data is stolen, the costs of investigation, notification and any regulatory consequences are a cyber matter. An IT firm exposed to both scenarios generally needs both products, because neither one fully substitutes for the other.
Data protection law sits underneath all of this. Personal data must be handled in line with the UK GDPR and the Data Protection Act 2018, which the Information Commissioner's Office enforces. A serious breach can attract regulatory attention as well as a civil claim, and the way cyber and PI cover respond to that combination depends closely on the policy wordings.
When contracts require IT professionals to hold PI
As with consultants generally, the requirement to hold PI usually arrives through contracts rather than legislation. Software clients, especially larger organisations and public sector buyers, often insist on a minimum indemnity limit before engaging a developer or IT supplier. Recruitment agencies that place contractors frequently impose the same condition, requiring PI, public liability and sometimes employers' liability as a standard part of the placement.
Typical contractual expectations for IT work include:
- A minimum PI limit, often 1 million pounds, with higher figures for enterprise or high-risk projects.
- A requirement to hold cyber cover where the engagement involves handling personal or sensitive data.
- Confirmation the policy is placed with a UK-authorised insurer and maintained for the contract term.
Contractors working through agencies should pay particular attention to the indemnity clauses in their contracts. Agreeing to liabilities that exceed what the general law imposes, such as fixed guarantees of uptime or performance, can create exposure that a standard PI policy will not back. The contract and the policy should be reviewed together before either is signed.
Claims-made cover, run-off and setting the limit
IT professional indemnity is typically written on a claims-made basis, meaning the policy in force when a claim is notified responds, not the one running when the work was carried out. Software defects can surface long after delivery, so a system built in one year may generate a claim several years later. Continuous cover matters because a lapse can leave earlier projects unprotected even after they are finished and handed over.
When an IT contractor stops trading, moves into a permanent role or closes a company, run-off cover keeps the claims-made protection alive for past work. Given how long latent software issues can take to emerge, run-off is especially relevant in IT, where a bug or design flaw can lie dormant until a particular set of conditions exposes it.
Choosing a limit means weighing the potential loss a client could suffer if a critical system failed, rather than the size of the day rate or fee. A developer maintaining a high-volume transactional platform faces a far larger credible loss than one building a brochure website. The retroactive date in the policy should also be preserved when changing insurer, so that historic projects remain within cover rather than being excluded.
Disclaimer: This article is general information about professional indemnity insurance for IT professionals and is not legal or financial advice. The boundary between PI and cyber cover, along with policy exclusions, varies by insurer, so verify the scope of any cover with an FCA-authorised insurer or broker and review your contracts before relying on it.
Frequently asked questions
Do IT contractors and developers need professional indemnity insurance?
There is no general law requiring it, but most software clients and recruitment agencies make PI a condition of the contract or placement. In practice an IT professional without it is often unable to win or take on work.
Is professional indemnity the same as cyber insurance?
No. PI covers financial loss caused to a client by your professional work, such as negligent code or a failed project. Cyber insurance covers your own security incidents, such as a hack or data breach. IT firms exposed to both usually need both products.
Does IT PI cover intellectual property infringement?
Many IT PI policies extend to claims that your work infringed a third party's intellectual property, which is a real risk when reusing open-source or third-party code. Check the wording, as the scope of this extension varies between insurers.
How much PI cover should an IT professional carry?
It depends on the criticality of the systems you work on and any minimum a contract demands. Limits of 1 million pounds are common, rising for enterprise or high-volume platforms. The limit should reflect the worst credible loss if a critical system failed.
What happens to cover when I stop contracting?
You generally need run-off cover, which continues claims-made protection for past work after you stop trading. This matters in IT because software defects can surface years after a project is delivered.
Sources:
- ABI: business insurance guidance - abi.org.uk/products/business-insurance
- ICO: guide to UK GDPR - ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources
- Data Protection Act 2018 - legislation.gov.uk/ukpga/2018/12
- Financial Ombudsman Service: insurance complaints - financial-ombudsman.org.uk