IT Handbook

The handbook outlines the various liability risks faced by IT/ITeS companies, including data breaches, intellectual property infringement, and operational risks, emphasizing the need for proactive risk management and insurance solutions. It discusses the importance of Professional Indemnity Insurance, Cyber Insurance, and Directors and Officers Insurance in mitigating these risks and protecting the interests of IT companies. The document also provides examples of potential legal cases and the financial implications of these risks, highlighting the necessity of comprehensive insurance coverage.

HANDBOOK

LIABILITY RISK EXPOSURES AND SOLUTIONS

IT/ITES SEGMENT

In today's rapidly evolving digital landscape, IT companies find themselves at the forefront of innovation and progress. From developing cutting-edge software solutions to managing complex data infrastructure, these companies play a pivotal role in shaping the modern business landscape.

However, with great technological advancements come great risks, particularly in terms of liability. As the reliance on technology grows across industries, so does the potential for legal and financial exposure.

In navigating the complex intersection of technology and liability, it becomes apparent that proactive risk management is not merely a prudent business practice but a fundamental necessity for the survival and success of IT companies in today's business and economic landscape.

[Figure: liability risk categories: Legal & Regulatory Risk, Services Related Risk, Reputational Risk, Financial Risk, Operational Risk, Cyber Risk]

The IT sector faces a multitude of liability risks and challenges that require continuous
vigilance, investment in robust security measures, and a proactive approach to compliance
and risk management. Navigating this landscape effectively is critical for maintaining trust,
protecting assets, and ensuring long-term success.
From data breaches and cyber-attacks to contractual disputes, management disputes and
intellectual property challenges, the terrain is filled with potential pitfalls for an IT/ITeS
company. In today's digital age, the repercussions of such risks can be far-reaching, resulting
in costly litigation, reputational damage, and financial losses. To address these risks, a
variety of insurance protections are available, e.g. Marine Insurance for transportation-related
risks, Property Insurance for asset risk, Liability Insurance for risks involving third-party
financial loss, etc.
This handbook elaborates on the liability risks that IT/ITeS companies can be exposed to.

Liability risk for an IT company can come in multiple forms. Let's look at some examples:

• Data breaches exposing sensitive information, leading to legal ramifications and loss of trust.
• Service interruptions disrupting operations, impacting revenue, and tarnishing reputation.
• Intellectual property infringement, which could result in lawsuits for unauthorized use of patents, copyrights, or trademarks.
• Court case against directors of an IT/ITeS company because of failure to disclose required information in their annual report.
• Contractual disputes: legal battles arising from breaches of agreements with clients, vendors, or partners.
• Threats such as ransomware, malware, or phishing compromising systems and causing financial and reputational harm.
• Facing lawsuits from stakeholders, employees, or competitors for various legal disputes.
• Human error or omission leading to data loss, financial loss, failure to perform or breaches.

Professional indemnity insurance (PII) holds immense significance for IT companies due to the nature of services they provide and the potential risks associated with them. IT companies often provide advice, consultancy, and services related to software development, system integration, and network security etc. If a client suffers financial losses or damages due to errors, omissions, or negligence in the services provided by the IT company, they may file a lawsuit. Moreover, clients often require IT companies to have PII as a prerequisite for engaging in business relationships. By investing in PII, IT companies can safeguard their interests, protect their assets, and maintain their reputation in a highly competitive and litigious business environment.

Case 1: An IT company failed to deliver the services agreed in the service agreement.

1. An IT company signed an SLA with a BFSI company. As per the SLA: software development, BPO services and cloud-based IT services.
2. The IT company failed to fulfill the terms of the SLA and delayed delivery for the BFSI company.
3. The BFSI company sent a legal notice to the IT company. The IT company agreed with the BFSI company.
4. Independent investigators were appointed to assess the loss due to late deliveries and development.
5. Arbitration was initiated between the 2 parties and the matter was settled for approx. INR 160 Cr.

Case 2: A lawsuit filed against an IT company on account of error in the service provided.

1. An IT company was providing barcode services to a large pharmaceutical company.
2. The IT company committed an error in the services of providing scannable barcodes for different products.
3. The wrong scanning key was assigned to the barcodes; as a result, the pharmaceutical company suffered a financial loss on account of this error in the service provided.
4. The pharmaceutical company filed a lawsuit claiming approx. INR 7.5 Cr. in damages as a result of this negligence.

The relevance of cyber insurance for IT companies has surged significantly, driven by several
key factors like the proliferation of sophisticated cyber threats, including ransomware attacks
and data breaches, the expansion of regulatory frameworks worldwide, such as the GDPR in
Europe and the CCPA in California, and the escalating costs associated with cyber incidents,
encompassing expenses for incident response, litigation, and reputational damage.
Moreover, the increasing interconnectedness of digital ecosystems, driven by trends like
cloud computing, IoT, and remote work, has expanded the attack surface for cyber threats.

Case 3: A software company falls victim to a global scale cyber attack

1. A cyber attack targeted the software company, whose network management software was compromised to distribute malicious updates.
2. This allowed attackers to gain unauthorized access to the networks of numerous organizations, govt agencies and IT companies globally at a large scale.
3. A federal lawsuit was filed against the organization, alleging that they misled shareholders prior to the breach regarding their security measures.
4. Losses from the SolarWinds attack are estimated at ~ $90 Million, which includes incident response and forensic services for companies who were impacted by this incident.

Case 4: A ransomware attack leading to breach in thousands of organizations globally

1. An enterprise file transfer tool was hacked by a ransomware gang that exploited a zero-day vulnerability.
2. Over 2,000 organizations, including govt organisations, were reported attacked, with data thefts affecting more than 62 million people.
3. Data included names, addresses, social security numbers, credit card information etc. The hacker group focused on exploitation of data to demand ransom.

Directors and officers of IT companies are responsible for making critical decisions that can
impact the company's financial health, reputation, and legal standing. Talented executives
and directors are essential for the success of IT companies. Offering D&O insurance
demonstrates a commitment to protecting the personal assets of key personnel, making the
company a more attractive employer. D&O insurance also signals to investors that the
company has taken proactive steps to mitigate the risks faced by its leadership team, thereby
enhancing investor confidence and potentially lowering the cost of capital.

Case 5: An employment discrimination lawsuit resulted in huge financial impact

1. A global tech giant faced a class action lawsuit in the US by 227 job applicants claiming denial of job.
2. The IT company was alleged to systemically discriminate against job applicants who were above the age of 40.
3. The company denied the allegations of unfair bias against older applicants, but the lead plaintiff alleged she interviewed 4 times but didn't get a job.
4. Financial Impact: USD 11 Million in damages including USD 2.5 Million as lawyers' fees. The Impact: adverse impact on brand reputation and revenues.

Case 6: A tech company taken to court by shareholders for accounting fraud

1. Shareholders of a technology company filed a lawsuit against the company's management.
2. The lawsuit accused the company's executives of engaging in an accounting fraud to inflate the company's financial performance artificially.
3. The company faced multiple lawsuits and regulatory investigations in Japan and the United States.
4. In 2018, the company agreed to pay $3.68 billion to settle a lawsuit brought by investors in the United States.
5. The scandal led to significant losses for shareholders and damaged reputation.

Despite the primarily digital and intellectual nature of their operations, IT companies can
face significant implications from third-party bodily injury or property damage claims. These
incidents can occur during client visits to company premises, at offsite project locations, or
due to product failures, such as defective hardware causing physical harm or damage. The
financial repercussions include hefty legal defense costs, settlements, or court-ordered
compensation, which can strain the company's resources and impact profitability.

Case 7: A premises not being kept in proper condition led to a lawsuit and payment.

1. A man walked in to the restroom of a Tech company.
2. He fell on the slippery restroom floor and had severe injuries.
3. He took the tech company to court alleging wet floor and improper signage in the premises.
4. Financial Impact: US$1mn in compensation plus defense costs.
5. Other Adverse Impact: Brand value, Share price, Human resources and time.

Keeping in mind the above-mentioned risks that IT/ITeS companies are exposed to, it is better to protect against each of these risks by buying liability insurance policies. A brief on each policy follows:

Professional Indemnity Insurance

The IT sector is characterized by its dynamic nature, wherein professionals constantly engage in developing, implementing, and managing complex systems, software, and networks. Despite stringent quality control measures, errors, omissions, or negligence can occur, leading to financial losses, business disruptions, and even legal claims from clients or third parties. This is where Professional Indemnity Insurance plays a pivotal role. Professional Indemnity Insurance protects the insured against legal liability for breach of professional duty in the conduct of their services.

RISKS

• Errors and Omissions or Negligence while performing professional service
• Failure to use the degree of skill expected from a professional in his/her field
• Failure to perform services in accordance with the terms of contract
• Breach or Violation of duty and confidentiality

IMPLICATIONS

• Dissatisfied client ends up suing for sub-standard service or financial loss
• Potential financial burden of litigation, which can be complex and time consuming
• Judgments typically in favor of clients, leading to paying of huge compensatory damages
• Negative impact on the reputation, integrity and personal assets

A professional indemnity insurance policy covers legal and defense costs, settlements and compensatory damages awarded by the court against the insured.
Further, it also has the following extensions under the policy:
• Breach of confidentiality – Client's information provided in confidence is disclosed without client's consent.
• Defamation – Libel and/or Slander, any written or spoken words.
• Intellectual Property Rights – Unintentional use of copyrights or design plans.
• Interference with Privacy – Unintentional breach of privacy.
• Loss of Documents – Replacing or restoring the documents/data lost.
• Professional Enquiries – Cost & expenses for legal representation in connection with, preparation for, attendance at or compliance with an inquiry by professional body.
• Estates, Heirs & Legal Representatives – Protection to estates, heirs and legal representatives in case of death or incapacity of the insured.

Key Exclusions under the policy:

• Professional service/Business activity/Advice outside the scope of work.
• Willful or deliberate non-compliance of any statutory provision.
• Fines and Penalties – Punitive, aggravated, multiple or exemplary damages or fines and penalties.
• War and Terrorism.
• Loss due to non-delivery of professional services or due to delay in the provision of professional service.
• Radioactivity & Electromagnetic Radiations – ionizing radiations, radioactive waste, electro-magnetic fields and/or electro-magnetic interference.

CYBER INSURANCE
Cyber insurance is a specialized form of insurance designed to protect businesses from the
financial losses and liabilities associated with cyber threats and data breaches. It provides
coverage for various expenses and damages incurred as a result of cyberattacks, data
breaches, and other cyber incidents.
Additionally, Incident Response (IR) is critical for IT companies to swiftly address cyber
breaches. Prompt and structured responses to cyber incidents, such as data breaches or
ransomware attacks, can mitigate damage, restore operations, and protect sensitive
information.
Insurers play a key role by providing resources for forensic analysis, legal support, and
financial compensation, thereby ensuring comprehensive risk management and mitigating
the long-term impacts of cyber threats.

Key Coverage Areas:

FIRST PARTY COSTS

• Data Breach Response Expenses: Coverage for expenses related to investigating and responding to a data breach, including forensic investigations, credit monitoring services, and public relations efforts to manage reputational damage.
• Data Loss and Restoration: Reimbursement for costs associated with restoring or recreating lost or corrupted data, as well as expenses for data recovery services and data restoration efforts.
• Business Interruption Losses: Compensation for lost income and extra expenses incurred due to business interruption caused by a cyber-incident, such as network downtime, system disruptions, or inability to access critical data or systems.
• Legal Representation Cost: Cost incurred to obtain legal advice and legal representation associated with a regulatory investigation.
• Regulatory fines and penalties: The policy also provides coverage for Insurable regulatory fines or penalties imposed and arising from a breach of law.

THIRD PARTY COSTS

• Damages
  ◦ Any monetary compensation the Insured is legally obligated to pay pursuant to an award or judgment entered against the insured.
  ◦ Settlements negotiated by insured and consented to by the insurer.
• Defense Cost
  ◦ Court fees, premiums for any surety, appeal bond, attachment bond, personal bond or similar bond for any civil proceeding resulting solely and exclusively from the investigation, adjustment, defense or appeal of a Claim against any Insured.

A few add-ons:

• CREDIT MONITORING COSTS: Expenses associated with continuous monitoring of a company's digital infrastructure for potential security threats, e.g. credit monitoring services for 12 months to affected individuals.
• CYBER EXTORTION COSTS: Covers expenses related to negotiating with hackers, ransom payments, and data recovery efforts, e.g. security consultants cost and cash or marketable goods or services paid by the company.
• FORENSIC COSTS: Expenses incurred for investigating and assessing the extent of a cyber-incident, e.g. cost to hire a forensics expert to determine the existence and cause of the Security or Privacy Breach, aiding in recovery and liability assessment.
• PRIVACY NOTIFICATION COSTS: Expenses incurred by a business to inform customers or individuals affected by a data breach about the breach and its implications. Includes printing and mailing letters, email notifications, call centre support etc.
• DATA RESTORATION COSTS: Cost related to recreating or recollecting Data held by the company. Includes costs associated with retrieving lost or corrupted data, rebuilding databases, and restoring systems to their pre-incident state.
• CRISIS MANAGEMENT COSTS: Costs related to measures to avert or mitigate material damage to the Company's reputation or goodwill, e.g. communication campaigns, issuing public statements, and managing media inquiries.

The policy doesn’t pay for the following losses:


• Prior claims and circumstances
• Bodily Injury/Property Damage
• Contractual Liability
• War and Terrorism
• Unlawful gathering of private information

Directors and Officers Insurance
Insurance coverage intended to protect individuals from personal losses for actual or alleged wrongful acts committed in a managerial and fiduciary capacity.
Section 1: Director Reimbursement: When the insurer reimburses the director/officer for a claim against such director/officer, in cases where the company is unable to bear the cost or indemnify them.
Section 2: Company Reimbursement: When the company pays on behalf of the director/officer for a claim against them and the insurer reimburses the company.
Section 3: Entity Reimbursement: When the insurer reimburses the company for a claim against the company regarding its securities and employees only, e.g. shareholder and employment lawsuits against the company.

Key Coverages:
• Defense Costs - This coverage reimburses the legal expenses incurred by directors
and officers in defending against claims alleging wrongful acts or breaches of duty in
their capacity as corporate leaders. Legal costs can include attorney fees, court
expenses, and settlement payments. For example, if a shareholder files a lawsuit
against a company's board members alleging mismanagement of funds, the D&O
insurance would cover the legal defense costs.

• Investigation Costs - D&O insurance can also provide coverage for expenses
related to investigations initiated by regulatory bodies or internal inquiries into
alleged misconduct. These costs may include hiring forensic accountants,
conducting internal investigations, and obtaining expert advice. For instance, if a
company is under investigation by the Securities and Exchange Commission (SEC)
for suspected financial fraud, the D&O policy would cover the costs associated with
conducting an internal investigation to address the allegations.

• Fines and Penalties - Some D&O policies may include coverage for fines, penalties,
and settlement payments imposed by regulatory agencies or courts as a result of
covered claims. This coverage can provide financial protection for directors and
officers against personal liability for regulatory violations. For example, if a company
is found guilty of violating environmental regulations and is fined by the
Environmental Protection Agency (EPA), the D&O insurance would cover the fines
imposed on the directors and officers personally.

• Emergency Costs - D&O insurance may also cover emergency expenses incurred
in responding to unforeseen crises or events that pose immediate risks to the
company or its leadership. These costs can include expenses for crisis management
services, public relations efforts, emergency travel, and temporary accommodations
etc. For instance, if a director is facing a lawsuit regarding the alleged
misappropriation of accounts, the insurance policy will cover the above mentioned
costs incurred by such director.

A few add-ons:

• Advancement of Defence Costs: In case a claim has covered and uncovered matter and the Insurer is unable to arrive at a decision within 15 days, then the insurer pays for defence costs till it arrives at the decision.
• Retired Directors and Officers' Coverage: It ensures that individuals remain protected from any claims that may arise against them in the future, as a result of any wrongful act that occurred prior to their departure. This cover is extended for a length of time.
• Outside Directorship Coverage: Whenever a policyholder asks an officer or an employee to be a director in another company, then any legal liability on that company resulting in a claim against the officer or employee gets picked up by the D&O policy of the policyholder.
• New and acquired subsidiaries coverage: This cover protects any subsidiary created or acquired by an organization during a policy period.
• Estates, heirs, and legal representatives' coverage: This cover protects any legal representative of an insured person in the event they are drawn into a claim, but only with respect to the insured's actions, not their own.

Other Common Extensions:

• Bail bond expenses
• Public relations expenses
• Court attendance expenses
• Crisis communication cover

The policy doesn't pay for:

• Bodily injury/property damage
• Crime, fraud and personal conduct
• Prior and pending litigation
• SEC exclusion

Employment Practices Liability

Employment Practices Liability Insurance (EPLI) protects the insured against claims made by employees alleging wrongful employment practices:

• WRONGFUL TERMINATION
• ILLEGAL DISCRIMINATION
• SEXUAL HARASSMENT
• BREACH OF EMPLOYMENT CONTRACT
• DEFAMATION
• FAILURE TO EMPLOY OR PROMOTE
• NEGLIGENT EVALUATION
• INVASION OF PRIVACY

Commercial General Liability

CGL covers third party Bodily Injury/Death/Property damage caused by a business’ premises,
products or operations. It provides combined cover for both Public & Product Liability
sections.

The policy also provides:

• Medical payments coverage
• Defense costs
• Tenant legal liability
• Contractual liability

In addition to the above, CGL policies may include additional coverages or endorsements
tailored to specific industry exposures, risks, or requirements.

A Few Standard Extensions:

Personal & Advertising Injury:

• Personal Injury: will pay for claims brought by a Third Party for defamation, libel, slander, false arrest, false detention etc.
• Advertising Injury: will pay for claims resulting from oral & written publication violating personal privacy, use of another's advertising idea in your advertisement, infringement upon copyright, trademark or slogan in your advertisement etc.

Fire Damage: This will pay for the Insured's Legal Liability arising out of property damage to premises leased/rented by the Insured due to fire.

Medical Expenses: This will pay for medical expenses towards an injury to the Third Party within the Insured Premises for the first-aid provided.

72hrs Sudden and Accidental Pollution: This provides cover for sudden, unintended, unexpected and accidental pollution due to the Insured's business operation. The incident has to occur and be reported within 72 hours.

Act Of God: This will pay for any legal liability arising out of Third Party Bodily Injury/Death/Property damage at the Insured's business premises resulting from AOG perils.

The policy doesn't pay for the following losses:

• Any liability of railways & aircraft, watercraft
• Damage to Owned Property
• Nuclear Energy
• Cyber Liability
• Product Contamination loss* (unless opted as an extension)

Salient features of the CGL policy:

• Applicable for all products
• Applicable to whole turnover
• Worldwide coverage: claim anywhere in the world
• The insurer provides the legal defence costs
• Retroactive coverage benefit

Retroactive Date is usually the date when the policy was first bought and it implies the coverage of claims originating after that date. The date is maintained in the policy with each timely renewal.

The policy pays all claims up to the limit of liability; the limit can be chosen by the insured company.
While choosing the limit, the following is to be kept in mind:

• Products
• Turnover
• Contractual requirement
• Past experience
• Peer limits

RETROACTIVE DATE
Retroactive date refers to the date from which coverage begins for claims arising from incidents that
occurred prior to the policy's inception date.

[Figure: timeline. 2019: retroactive date is 1st April 2019. 2021: wrongful act happened during this period. 2024: notification during this period.]


For example, an IT/ITeS company, operational since 2019, buys a Professional Indemnity
Insurance Policy in 2024 with a retroactive date of April 1, 2019. This protects the insured
against liabilities from incidents predating the policy. For example, if a 2021 error of
omission in services claim arises in 2024, the policy covers it.

Although the buying pattern of every organisation is different and depends on its internal risk policies, contractual needs, and other external factors, we have curated the revenue and limit comparisons for PI, Cyber, D&O and CGL policies below:

• Revenue less than INR 500 Cr.: CGL INR 5-10 Cr.; D&O INR 10-20 Cr.; Cyber INR 5-15 Cr.; PI INR 10-35 Cr.
• Revenue INR 500 Cr. to INR 1000 Cr.: CGL INR 20-35 Cr.; D&O INR 15-35 Cr.; Cyber INR 10-20 Cr.; PI INR 25-50 Cr.
• Revenue INR 1000 Cr. to INR 2500 Cr.: CGL INR 25-50 Cr.; D&O INR 20-50 Cr.; Cyber INR 15-35 Cr.; PI INR 30-70 Cr.
• Revenue more than INR 2500 Cr.: CGL INR 40-100 Cr.; D&O INR 30-75 Cr.; Cyber INR 25-50 Cr.; PI INR 35-100 Cr.

Disclaimer: Please note the information presented in this chart is for illustrative purposes only and does not constitute an offer, solicitation, or recommendation for the purchase of any insurance policy. Insurance needs vary significantly, and appropriate policy limits should be determined in consultation with a qualified insurance professional. The data depicted may not be current or comprehensive and should not be relied upon for making insurance decisions. The provider of this chart assumes no liability for any errors, omissions, or reliance on the information provided herein.

An organisation buys an insurance policy for various reasons, but the policy needs to come through at the time of a claim. A few dos and don'ts for better claim management are as follows:
What to do:
1. Promptly notify about the facts which could potentially give rise to claim in the future.
We require written notice as soon as practicable after discovery of a situation that may
give rise to a claim.
2. The insured should take written consent from ILGIC before incurring any costs which
it seeks to be picked up by the policy
3. Considering the complex nature of coverage, insureds should have a systematic
review process in place. This would assure that no claim is overlooked and prevent
any loss of coverage on such account.

What not to do:


1. Do not suppress or inadvertently miss out on reporting any claims or situations which
may lead to claims during the policy period or improper disclosure at the time of
policy renewal.
2. Do not discuss the claim with any other insurance company or any other party who
may be involved in the incident, except the ones approved by ILGIC.
3. Do not provide any acknowledgment, assumption or admission of liability including
any verbal or written promise to compensate the affected party.
4. Do not voluntarily make any payment or incur any expense (including any defense
cost) without ILGIC’s consent.

Why ICICI / Our Strength
We are one of the leading insurance companies. As of this date, we have more than 250 offices
spread across India and our business has received a rating of iAAA by ICRA Limited.
We have been doing liability business for more than 2 decades and have settled claims
across the globe. We are the largest underwriter of liability business in terms of premium.
Some of our capabilities specific to liability business are:
• Underwriting Capability across products, segments & geographies
• Claims management capabilities across the globe
• Structuring Global Programs (risk solutions for Indian MNCs)
• Tech Advantage
• Value Added Solutions
• Innovation
