A management consultant advises a client to restructure their operations. The client follows the advice and loses a significant contract as a result. They blame the consultant and file a claim for the financial loss.
At the same time, the consultant's laptop is stolen from a coworking space. The laptop held client data. The Personal Data Protection Commission (PDPC) notification clock starts ticking.
One week. Two simultaneous crises. Two different insurance policies, if the consultant has them. If not, both costs come out of pocket.
This is the reality of professional risk in Singapore today. The exposures that used to arrive separately are increasingly arriving together. And the insurance that addresses them is still too often bought separately, reviewed separately, and discovered to have gaps only when a claim makes those gaps visible.
The three covers and what each one does
Before we discuss why they work better together, it helps to understand what each cover actually does on its own.
Professional indemnity insurance (PI) covers you when a client suffers a financial loss because of something you did or failed to do in your professional capacity. A wrong recommendation. An error in a deliverable. Advice that turned out to be incorrect. The client holds you responsible and makes a claim. PI covers the legal cost of defending that claim and any damages awarded. It does not matter whether you were actually at fault. The claim still needs to be defended, and defence costs accumulate from the day the claim is filed.
PI is claims-made cover, which means the policy that responds is the one in force when the claim is made, not when the work was done. This matters more than most professionals realise. If you switch insurers or let a policy lapse, a claim arising from work done years earlier may not be covered if your current policy was not in place when the claim arrived.
Cyber insurance covers the costs of a data or security incident, from two directions. First-party costs are the ones your own business incurs: forensic investigation to understand what happened, legal advice on your PDPA obligations, notification costs to affected individuals, and business interruption if systems go down. Third-party costs are the ones you owe to others: a client whose data was exposed because of your breach may have a claim against you, and the cyber policy covers that liability as well.
For any business that holds client data, which is practically every professional services firm in Singapore, a cyber incident is no longer an IT department problem. It is a business continuity problem and a regulatory compliance problem simultaneously.
General liability insurance covers claims for bodily injury or property damage caused by your business operations. A client visits your office and slips on a wet floor. A contractor working on your behalf accidentally damages a third party's property. These are the everyday physical risks that any business premises generates. General liability cover responds to those claims.
Why the three risks are converging
The boundaries between these three categories of risk have blurred, and the same event can now trigger all three at once.
Here is a scenario that plays out in professional services firms more often than most owners expect.
A technology consultancy delivers a software implementation for a client. The system contains a vulnerability in the code that the consultancy wrote. Six months after go-live, a criminal exploits that vulnerability to access the client's customer database. The client's customer data is exposed.
Now consider what happens next. The client makes a claim against the consultancy for the negligent coding error. That is a PI claim: a professional error that caused the client a loss. The client's affected customers may also have a direct claim against the consultancy for exposing their personal data. That is a cyber liability claim. And if the consultancy's own systems were compromised in the same incident, the costs of their own investigation and response are first-party cyber costs.
Three claims. One event. Three different policy wordings. And if those three policies were bought separately, from different insurers, at different times, with no one checking that the wordings were coordinated, the risk of a gap is real.
The most common gap is an exclusion in the PI policy for claims arising from cyber events, and an exclusion in the cyber policy for professional liability claims. Each policy points to the other. Neither responds cleanly to the claim that sits at the intersection.
Why most professionals are still buying them separately
The historical reason is simple: each cover evolved independently, from different underwriting traditions, sold by different specialists. PI was traditionally placed by professional indemnity brokers who focused on the advice-giving professions. Cyber emerged as its own category in the early 2000s. General liability was part of the commercial lines package. Nobody coordinated the wordings because for a long time the risks did not overlap in practice the way they do today.
That has changed. The digitisation of professional services means that practically every PI risk now has a cyber dimension, because the professional services firm holds client data and delivers work digitally. The question of whether a loss was caused by bad advice or a data failure is often genuinely ambiguous, and ambiguity in insurance is what produces gaps.
What a coordinated approach looks like
The solution is not necessarily a single bundled policy document, though combined products exist for certain professional classes. The more important thing is that the three covers are placed with awareness of each other: the wordings reviewed for coherence, exclusions checked against each other, and the same renewal date applied where possible so there is never a gap between them.
For a professional services SME in Singapore, the practical checklist looks like this.
Does the PI policy exclude cyber events? If it does, is that exclusion intended to push the claim to a cyber policy that actually covers it, or does it create a gap where neither responds?
Does the cyber policy have a professional liability exclusion? If so, how is professional liability defined? A poorly drafted exclusion can push a claim back to the PI policy while the PI policy's cyber exclusion pushes it back to cyber.
Do the run-off provisions in the PI policy cover former work adequately, and is there continuity of cover if the insurer changes at renewal?
Does the general liability policy cover the business premises and any client-facing activity, or are there gaps in territorial scope or activity definitions?
Are all three policies renewing on dates that leave no window of uninsured exposure between them?
None of these questions requires a legal degree to ask. But they do require someone to read the wordings with all three policies in front of them at the same time, which is what coordinated placement means in practice.
You can read more about our professional indemnity cover and cyber insurance on the products page. We also covered the technology liability dimension in more detail in Technology Liability Insurance in Singapore and the cyber risk picture for Singapore SMEs in The Cost of a Cyber Incident in Singapore.
If you would like to review how your current professional liability, cyber, and general liability cover sit together, and whether the wordings are coordinated in the way they need to be, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.