SEC Filings

WNS (HOLDINGS) LTD filed this Form 20-F on 05/16/2018
Entire Document

Table of Contents

We are liable to our clients for damages caused by unauthorized disclosure of sensitive or confidential information, whether through a breach or circumvention of our or our clients’ computer systems and processes, through our employees or otherwise. Further, cybersecurity and data privacy considerations could impact our business.

We are typically required to manage, utilize and store sensitive or confidential client data in connection with the services we provide. Under the terms of our client contracts, we are required to keep such information strictly confidential. Our client contracts do not include any limitation on our liability to them with respect to breaches of our obligation to maintain confidentiality on the information we receive from them. Although we seek to implement measures to protect sensitive and confidential client data, there can be no assurance that we would be able to prevent breaches of security. Further, some of our projects require us to conduct business functions and computer operations using our clients’ systems over which we do not have control and which may not be compliant with industry security standards. In addition, some of the client designed processes that we are contractually required to follow for delivering services to them and which we are unable to unilaterally change, could be designed in a manner that allows for control weaknesses to exist and be exploited. Any vulnerability in a client’s system or client designed process, if exploited, could result in breaches of security or unauthorized transactions and result in a claim for substantial damages against us. Although we have implemented appropriate policies, procedures and infrastructure to reduce the possibility of physical, logical and personnel security breaches, along with appropriate audit oversight for verifying continued operating effectiveness of the same through internal audits and external SSAE16 / ISAE3402, ISO27001 and PCI-DSS reviews, such measures can never completely eliminate the risk of cybersecurity attacks. If any person, including any of our employees, penetrates our or our clients’ network security or otherwise mismanages or misappropriates sensitive or confidential client data, we could be subject to significant liability and lawsuits from our clients or their customers for breaching contractual confidentiality provisions or privacy laws.

To date, although there has not been a material cybersecurity attack that has had an adverse effect on our operations, there is no assurance that there may not be a material adverse effect in the future. Rapid advancements and changes to the technological landscape may require us to make significant further investments in the domain of cybersecurity in order to protect our and our clients’ data and infrastructure. In addition, such advancements coupled with the rise in the sophisticated nature of cyber threats and attacks make it possible that certain threats or vulnerabilities may not be detected in time to prevent an attack on our or our clients’ business. On account of the interconnected nature of our business, there is an interdependency between our clients, business partners and our business to implement appropriate cybersecurity controls in order to mitigate cybersecurity risk. A failure of cybersecurity controls at our client or business partners could therefore result in a breach at our company.

While we have insurance coverage for mismanagement or misappropriation of such information by our employees, that coverage may not continue to be available on reasonable terms or in sufficient amounts to cover one or more large claims against us, and our insurers may disclaim coverage as to any future claims. Penetration of the network security of our or our clients’ data centers or computer systems or unauthorized use or disclosure of sensitive or confidential client data, whether through breach of our or our clients’ computer systems, systems failure, loss or theft of assets containing confidential information or otherwise, could also have a negative impact on our reputation which would harm our business.

We also cannot be certain that advances in criminal capabilities (including cyber-attacks or cyber intrusions over the internet, malware, computer viruses and the like), discovery of new vulnerabilities or attempts to exploit existing vulnerabilities in our or our clients’ or business partners’ systems, other data thefts, physical system or network break-ins or inappropriate access, or other developments will not compromise or breach the technology protecting our or our client’s or business partners’ computer systems and networks that access and store sensitive information. Cyber threats, such as phishing and trojans, could intrude into our or our client’s or business partners’ network to steal data or to seek sensitive information. Any intrusion into our network or our client’s or business partners’ network (to the extent attributed to us or perceived to be attributed to us) that results in any breach of security could cause damage to our reputation and adversely impact our business and financial results. A significant failure in security measures could have a material adverse effect on our business, reputation, results of operations and financial condition.

Our business could be materially and adversely affected if we do not protect our intellectual property or if our services are found to infringe on the intellectual property of others.

Our success depends in part on certain methodologies, practices, tools and technical expertise we utilize in designing, developing, implementing and maintaining applications and other proprietary intellectual property rights. In order to protect our rights in such intellectual properties, we rely upon a combination of nondisclosure and other contractual arrangements as well as trade secret, copyright and trademark laws. We also generally enter into confidentiality agreements with our employees, consultants, clients and potential clients, and limit access to and distribution of our proprietary information to the extent required for our business purpose.

India is a member of the Berne Convention, an international intellectual property treaty, and has agreed to recognize protections on intellectual property rights conferred under the laws of other foreign countries, including the laws of the United States. There can be no assurance that the laws, rules, regulations and treaties in effect in the United States, India and the other jurisdictions in which we operate and the contractual and other protective measures we take, are adequate to protect us from misappropriation or unauthorized use of our intellectual property, or that such laws will not change. We may not be able to detect unauthorized use and take appropriate steps to enforce our rights, and any such steps may not be successful. Infringement by others of our intellectual property, including the costs of enforcing our intellectual property rights, may have a material adverse effect on our business, results of operations and financial condition.