Roughly 60 percent of engineering firms reported a cyber incident in the last year. The average data breach for a design professional firm now runs about $400,000. And here is the part that does not show up on the dashboard: most professional liability policies for architects and engineers were never built to respond to a cyber event. The policy is doing exactly what it was written to do. The firm just thought it was doing something else.

That is the gap. And it is widening fast.

Building Information Modeling has been a productivity story for fifteen years. In 2026, it is also a target story. BIM models concentrate everything an attacker would otherwise have to assemble — proprietary designs, owner financial data, jurisdictional approvals, structural calculations, infrastructure schematics, contractor and consultant credentials, schedule milestones. A firm that has standardized on cloud-hosted BIM has consolidated more sensitive client data into one workflow than most law firms ever do. The exposure profile changed. The policy form, in most cases, did not.

Three things on every E&O review right now

First, the cyber events that bleed into professional liability claims. A ransomware lockout that delays a design deliverable is not just a cyber claim. It is a delay claim from the owner. The professional liability policy is the one that responds to the standard-of-care argument the plaintiff will make — and that policy almost always has a cyber-event exclusion or, worse, ambiguous silence. A free-standing cyber policy with the right wording fills the financial side. It does not fill the professional-liability side. Two policies are the floor, not a redundancy.

Second, the BIM file that gets corrupted, lost, or altered. Design firms have started to see claims where an attacker did not exfiltrate data — they corrupted it. A construction-defect claim built on tampered or partially restored BIM data is a professional liability problem dressed up as a cyber problem. The defense costs alone are not trivial: average construction-defect claims against design professionals are running tens of millions of dollars in recent disputes. The first question in deposition is not “was your firewall current?” It is “did the engineer of record validate the model before sealing the drawings?”

Third, the AI exclusion that landed January 1. Verisk's new endorsement forms are now in effect on the standard market. Some carriers are bolting them onto E&O renewals as full exclusions. Others are carving out narrow language around “autonomous AI decision-making.” The policy a firm bought in 2023 is not the policy a firm has in 2026. The COI never changes. The endorsements page does.

The certificate culture is what the new market is no longer underwriting

There is a quieter pattern underneath all three of these. The traditional broker model in A&E has been built around the certificate. Renew the E&O. Confirm the limits. Send the COI to the client. Move on. That model produced a certificate-driven culture where policy form was assumed and never re-examined. The 2026 carriers are no longer underwriting that culture. The renewal questionnaires are sharper. The cyber-controls supplements are real. The AI-use questions are coming. The firm that has nothing to show is paying the spread — first in premium, then in coverage, eventually in claim outcomes.

PFTN was built to be the opposite of the certificate broker. Our 4-Step Strategic Process for design firms starts with Strategic Discovery: project types, jurisdictions, BIM stack, AI use, cloud architecture, and prime-contract indemnity profile. Risk Assessment quantifies what most brokers never look for: actual policy form (not the dec page), endorsement stack, exclusionary wording around cyber and AI, attachment points on the umbrella, and the gap between professional liability and cyber that almost every firm has but few firms see. Solution Design pairs the right E&O form with the right cyber form so that the two policies do not leave a seam where the actual claim lands. Ongoing Optimization re-checks the form, not just the limits, every year.

The firm that walks the project and stamps the drawing deserves a broker who walks the program and engineers the protection. That is the discipline that wins on a softening market and survives on a hardening one.

The shift starts with one conversation — and preferably long before the next renewal hits.

— Ryan Mefford, President & Risk Advisor