|WNS (HOLDINGS) LTD filed this Form 6-K on 01/31/2019|
Our dependence on our offshore delivery centers requires us to maintain active data and voice communications between our main delivery centers in China, Costa Rica, India, the Philippines, Poland, Romania, South Africa, Sri Lanka, Spain, Turkey, the UK and the US, our international technology hubs in the UK and the US and our clients offices. Although we maintain redundant facilities and communications links, disruptions could result from, among other things, technical and electricity breakdowns, computer glitches and viruses and adverse weather conditions. Any significant failure of our equipment or systems, or any major disruption to basic infrastructure like power and telecommunications in the locations in which we operate, could impede our ability to provide services to our clients, have a negative impact on our reputation, cause us to lose clients, reduce our revenue and harm our business.
We depend on human resources to process transactions for our clients. Disruptive incidents, including man-made events such as civil strikes and shutdowns, may impact the ability of our employees to commute to and from our operating premises. Non-natural disasters, whether unintentional (such as those caused by accidents) or intentional (such as those caused by terrorist attacks), may also disrupt our operations. While we have implemented business continuity plans for clients where we have contractually agreed to do so, we may not always be able to provide services to our clients for the duration of such incidents.
Although under most of our contracts with our clients, our liability for breach of our obligations is limited to actual damages suffered by the client and capped at a portion of the fees paid or payable to us under the relevant contract, our liability for breach of our obligations under certain of our contracts is unlimited. With respect to those of our contracts that contain limitations on liability, such limitations may be unenforceable or otherwise may not protect us from liability for damages. In addition, certain liabilities, such as claims of third parties for which we may be required to indemnify our clients, are generally not limited under those agreements. Further, although we have professional indemnity insurance coverage, the coverage may not continue to be available on reasonable terms or in sufficient amounts to cover one or more large claims and our insurers may disclaim coverage as to any future claims. The successful assertion of one or more large claims against us that exceed available insurance coverage, or changes in our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have a material adverse effect on our business, reputation, results of operations, financial condition and cash flows.
We are liable to our clients for damages caused by unauthorized disclosure of sensitive or confidential information, whether through a breach or circumvention of our or our clients computer systems and processes, through our employees or otherwise. Further, cybersecurity and data privacy considerations could impact our business.
We are typically required to manage, utilize and store sensitive or confidential client data in connection with the services we provide. Under the terms of our client contracts, we are required to keep such information strictly confidential. Our client contracts do not include any limitation on our liability to them with respect to breaches of our obligation to maintain confidentiality of the information we receive from them. Although we seek to implement measures to protect sensitive and confidential client data, there can be no assurance that we would be able to prevent breaches of security. Further, some of our projects require us to conduct business functions and computer operations using our clients systems over which we do not have control and which may not be compliant with industry security standards. In addition, some of the client designed processes that we are contractually required to follow for delivering services to them and which we are unable to unilaterally change, could be designed in a manner that allows for control weaknesses to exist and be exploited. Any vulnerability in a clients system or client designed process, if exploited, could result in breaches of security or unauthorized transactions and result in a claim for substantial damages against us. Although we have implemented appropriate policies, procedures and infrastructure to reduce the possibility of physical, logical and personnel security breaches, along with appropriate audit oversight for verifying continued operating effectiveness of the same through internal audits and external SSAE16 / ISAE3402, ISO27001 and PCI-DSS reviews, such measures can never completely eliminate the risk of cybersecurity attacks. If any person, including any of our employees, penetrates our or our clients network security or otherwise mismanages or misappropriates sensitive or confidential client data, we could be subject to significant liability and lawsuits from our clients or their customers for breaching contractual confidentiality provisions or privacy laws.
To date, although there has not been a material cybersecurity attack that has had an adverse effect on our operations, there is no assurance that there may not be a material adverse effect in the future. Rapid advancements and changes to the technological landscape may require us to make significant further investments in the domain of cybersecurity in order to protect our and our clients data and infrastructure. In addition, such advancements coupled with the rise in the sophisticated nature of cyber threats and attacks make it possible that certain threats or vulnerabilities may not be detected in time to prevent an attack on our or our clients business. On account of the interconnected nature of our business, there is an interdependency between our clients, business partners and our business to implement appropriate cybersecurity controls in order to mitigate cybersecurity risk. A failure of cybersecurity controls at our client or business partners could therefore result in a breach at our company.