Your E&O Policy Doesn't Cover Cyber. Here's Why That Matters.

I get this question a lot: “I already have professional liability. Do I really need a separate cyber policy?”

The short answer is yes. The longer answer is that these two policies look like they overlap, but they cover fundamentally different risks. And the gap between them is exactly where claims get denied.

What E&O covers

Professional liability (E&O) covers claims that arise from your professional work. A client says your advice was wrong, your deliverable was flawed, or you missed a deadline that cost them money. The claim is about your professional judgment or service.

An accounting firm files a tax return incorrectly, and the client owes penalties. A consulting firm recommends a strategy that leads to losses. A law firm misses a statute of limitations. These are E&O claims.

E&O responds when the claim is about what you did professionally. The trigger is an alleged error, omission, or negligent act in your professional services.

What cyber insurance covers

Cyber insurance covers incidents involving your data, your systems, and the fallout when either is compromised. A hacker gets into your network. An employee clicks a phishing link. A laptop with client files gets stolen. Ransomware locks your systems for a week.

Cyber insurance pays for breach notification, forensic investigation, legal defense, regulatory fines, credit monitoring for affected clients, and the revenue you lose while your systems are down.

Cyber responds when the claim is about what happened to your data or systems. The trigger is a security incident, not a professional mistake.

Where firms get confused

The confusion is understandable. Both policies can be triggered by the same event.

Say you’re an accounting firm. An employee falls for a phishing email, and a hacker accesses client tax returns. Two things happen:

  1. The data breach itself. Client records are exposed. You need forensic investigation, breach notification, regulatory defense, and possibly credit monitoring for affected clients. This is a cyber claim.

  2. The professional liability angle. Clients whose data was exposed sue you, alleging you failed to protect their confidential information as part of your professional duty. This could be an E&O claim.

Here’s the problem: most E&O policies have a cyber exclusion. They explicitly exclude claims arising from data breaches, unauthorized access, or failure to protect electronic data. So claim #2 gets denied under E&O, and if you don’t have cyber insurance, claim #1 has no policy to respond at all.

The exclusions that matter

This is where the policy language gets important. Here are the exclusions I see most often in professional services policies, on both sides:

E&O policies typically exclude:

  • Loss or unauthorized disclosure of electronic data
  • Failure to protect personally identifiable information
  • Claims arising from a network security failure
  • Costs associated with breach notification or regulatory compliance

Cyber policies typically exclude:

  • Professional errors or omissions (your actual work product)
  • Breach of contract claims unrelated to data security
  • Bodily injury and property damage

The two policies are designed to complement each other, not overlap. When one excludes something, the other is supposed to pick it up. But only if you have both.

Real-world scenarios

Scenario 1: Phishing attack at a CPA firm. An employee clicks a malicious link. Attackers access the firm's network and download client tax returns. The firm needs forensic analysis, must notify 2,000 affected clients, and faces a state AG investigation. Total cost: $180,000+. E&O won't cover it. This is a cyber claim.

Scenario 2: Bad advice from a consultant. A management consultant recommends a vendor that turns out to be a poor fit. The client loses $500K and sues. No data was compromised, no systems were breached. This is a straightforward E&O claim. Cyber insurance won't respond because there was no security incident.

Scenario 3: The gray area. A law firm's document management system is breached. Privileged client communications are exposed. The client sues for malpractice, arguing the firm had a professional duty to protect confidential communications. The E&O carrier points to the cyber exclusion. The cyber carrier covers the breach response but not the malpractice allegation. Without both policies, the firm has a gap.

What about “cyber endorsements” on E&O policies?

Some carriers offer a cyber endorsement that can be added to an E&O policy. This is better than nothing, but it’s usually not enough.

Cyber endorsements on E&O policies tend to have lower limits (often $50K-$100K), limited coverage scope (breach notification only, no business interruption or ransomware), and may not cover regulatory defense or forensic investigation. A standalone cyber policy built for your firm’s risk profile is almost always more comprehensive.

If you have a cyber endorsement on your E&O, it’s worth checking what it actually covers. I can do that for you.

The bottom line

E&O and cyber insurance serve different purposes. E&O covers mistakes in your professional work. Cyber covers what happens when your data or systems are compromised. Most professional services firms need both, and most E&O policies are written to make sure they don’t cover what cyber is supposed to cover.

If you’re not sure whether your current policies have gaps between them, send them to me. I’ll read the exclusions, check the definitions, and tell you where you stand.

Get a free policy review or call me at (717) 490-7670.