HomeServicesLoans & InsuranceProfessional Indemnity, D&O & Cyber Risk Insurance Advisory

Loans & Insurance · Insurance Advisory

Professional Indemnity, D&O & Cyber Risk Insurance Advisory

Professional Indemnity, Directors & Officers (D&O), and Cyber Risk insurance are the three covers that protect the people who run a business — not just its physical assets.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Professional Indemnity, Directors & Officers (D&O), and Cyber Risk insurance are the three covers that protect the people who run a business — not just its physical assets. A single client lawsuit, a regulator's notice against a director, or a ransomware attack on customer data can create personal financial exposure that no amount of general liability cover will touch. PNPC Global's Professional Indemnity, D&O & Cyber Risk Insurance Advisory helps directors, professionals, and growing companies understand exactly what these three covers do, do not, and should include — before a claim forces the question. We are not an insurance broker chasing commission on a policy sale. We are a CA firm that reviews your actual risk profile, your board structure, your data footprint, and your contractual indemnity exposure, and advises you on the cover that matches it — coordinating with licensed brokers and insurers only to execute what we have already worked out is right for you.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Professional Indemnity, D&O & Cyber Risk Insurance Advisory is

Professional Indemnity (PI) insurance indemnifies a professional or a company against claims of negligence, errors, omissions, or breach of professional duty made by a client or third party in the course of providing professional services — CA firms, IT consultants, doctors, architects, lawyers, and management consultants are the most common buyers. Directors & Officers (D&O) Liability insurance protects the personal assets of a company's directors and officers against claims alleging a wrongful act in their capacity as decision-makers — mismanagement, breach of fiduciary duty, regulatory action, or shareholder claims — and increasingly extends to statutory defence costs for proceedings before SEBI, the NCLT, RoC, or under the Insolvency and Bankruptcy Code 2016. Cyber Risk insurance responds to first-party costs (data breach investigation, customer notification, ransom negotiation, business interruption from a cyberattack) and third-party liability (customer or regulator claims arising from a data breach) that follow a cyber incident — a category of exposure that has grown sharply for Indian companies since the Digital Personal Data Protection Act 2023 (DPDPA) introduced statutory breach-notification obligations and financial penalties for data fiduciaries.

These three covers are frequently sold and bought in isolation, which is precisely where the gaps appear. A D&O policy without cyber-event extension may not respond to a shareholder derivative claim alleging the board failed to oversee cybersecurity adequately. A cyber policy without a properly scoped business-interruption trigger may pay for breach response costs but not the weeks of lost revenue while systems are rebuilt. A Professional Indemnity policy for a CA firm or IT services company that excludes data breach liability leaves the firm exposed precisely where its modern service delivery — cloud accounting, client data hosting, SaaS delivery — actually creates risk. PNPC's advisory approach starts by mapping your actual risk surface — client contracts, board composition, data processing footprint, regulatory exposure — rather than starting from a standard policy template and asking you to fit into it.

When this advisory genuinely adds value

Your company is raising a funding round or onboarding independent/nominee directors — investors and independent directors routinely make a properly scoped D&O policy a condition of joining the board

You run a professional practice — CA firm, IT/ITES company, consultancy, architecture or engineering firm — where a single client engagement gone wrong can trigger a professional-negligence claim disproportionate to the fee earned

Your business collects, stores, or processes personal data of customers or employees at scale — e-commerce, fintech, healthtech, SaaS, BPO — and therefore carries direct exposure under the DPDPA 2023 breach-notification and penalty regime

You are a director or officer of a company (including as an NRI or non-executive/independent director) and want personal asset protection independent of what the company's own D&O policy may or may not cover you for

Your existing PI, D&O, or cyber cover was bought several years ago, off a template, without a fresh review against your current contracts, board structure, or data footprint — most policies are renewed on autopilot rather than re-underwritten against actual risk

You are responding to a client, lender, or investor's contractual requirement to carry a specific minimum limit of PI, D&O, or cyber cover and need help interpreting what that requirement actually means for your policy structure

Your company has had a near-miss — a client complaint, a regulator query, a phishing incident, a vendor data exposure — and the board wants an independent risk and coverage assessment rather than simply renewing the existing policy

When this may not be the immediate priority

You are a very early-stage business with no employees, no board beyond the founders, no client contracts imposing indemnity obligations, and no meaningful data processing — basic general liability and, if applicable, product liability cover is usually the more urgent first purchase

You are looking for the cheapest possible policy purchase with no interest in a risk assessment, contract review, or coverage-gap analysis — a standard insurance broker or online aggregator can place a template policy faster and typically at a lower advisory fee

Your requirement is a claims dispute or a rejected claim under an existing policy — that is a distinct engagement (claim advocacy and dispute support) rather than a pre-purchase or portfolio-review advisory, though PNPC's Insurance Claims practice handles exactly that

You need a statutorily mandated cover such as motor third-party, fire/property insurance for a factory licence, or workmen's compensation — those are compliance-driven purchases with limited scope for structural advisory beyond ensuring adequate sum insured

Your company already retains a sophisticated corporate insurance broker with an in-house risk engineering team conducting an annual placement review — in that case PNPC's role is better suited to an independent second-opinion review rather than a full advisory mandate

You are an individual seeking personal life, health, or motor insurance advice — that falls under PNPC's separate Personal Finance and Retirement Planning advisory rather than this professional-risk-focused service

Structure Comparison

How PI, D&O, and Cyber Risk covers compare — and what each actually responds to

FeatureProfessional Indemnity (PI)Directors & Officers (D&O)Cyber RiskGeneral Liability / CGL (for contrast)
Who it protectsThe professional/firm rendering paid advice or serviceIndividual directors and officers personally, and increasingly the company itself (Side C)The company — first-party costs and third-party liability from a cyber eventThe company against third-party bodily injury/property damage claims
Typical triggerClaim alleging negligence, error, omission, or breach of professional duty in service deliveryClaim alleging a wrongful act in a director/officer's management capacity — mismanagement, breach of fiduciary duty, misrepresentationA cyber event — data breach, ransomware, business email compromise, denial-of-service, system failurePhysical injury or property damage caused by the business's operations or products
Regulatory proceedings coveredRarely — most PI policies are civil-claim focused, not regulatory-defence focusedOften extends to SEBI, RoC, NCLT, and IBC 2016 proceedings against directors — but sublimits are common and must be checkedIncreasingly extends to DPDPA 2023 regulatory defence and Data Protection Board proceedings — varies materially by insurerNot typically covered — regulatory defence sits outside CGL scope
First-party costs (own losses)Not typically — PI is third-party liability focusedLimited — mainly defence costs advancement, not business lossesYes — breach investigation, forensic IT, customer notification, credit monitoring, ransom negotiation, business interruptionNot applicable — CGL is third-party only
Retroactive date relevanceCritical — claims-made policies only respond to acts after the retroactive date; gaps on renewal or insurer switch can leave prior conduct uninsuredCritical — same claims-made structure; a lapse or non-renewal can leave past board decisions permanently uninsured absent run-off coverLess central but still relevant for ongoing/undetected intrusions that predate the policy periodOccurrence-based cover is more common; retroactive date less relevant
Typical exclusions to checkFraud/dishonesty, prior known circumstances, contractual liability assumed beyond ordinary professional duty, cyber-related professional failure (unless endorsed back in)Fraud/dishonesty (final adjudication), prior claims/circumstances, insured-vs-insured disputes (with carve-backs), fines and penalties where uninsurable by lawWar/cyber-war carve-outs, infrastructure failure outside insured's control, betterment/upgrade costs, prior known vulnerabilities not disclosedProfessional services, product recall (unless endorsed), pollution, employment practices
Who typically demands it as a conditionClients under a services agreement; regulators for certain licensed professionals (e.g., some CA/CS/valuer engagements)Institutional investors, independent directors, and lenders before board appointment or fundingEnterprise customers under data processing agreements; increasingly a board-level ask post-DPDPA 2023Landlords, event venues, some vendor contracts
Claims-made vs occurrenceClaims-made — notification within the policy period (or an agreed extended reporting period) is essentialClaims-made — same notification discipline applies; late notice is the single most common reason D&O claims are deniedPredominantly claims-made for liability sections; first-party sections often respond on a loss-discovered basisPredominantly occurrence-based
Where PNPC's advisory adds the most valueAligning policy wording to actual client-contract indemnity clauses and confirming cyber/data exclusions are endorsed back where relevantConfirming Side A (personal), Side B (company reimbursement), and Side C (entity/securities) limits are structured correctly for the company's stage and shareholder baseMapping actual data flows, vendor dependencies, and DPDPA 2023 exposure to the specific sub-limits and retentions in the quoted policyNot the focus of this advisory — reviewed only where it interacts with PI/D&O/Cyber gaps

This table is directional. Actual policy wordings vary significantly between insurers, and IRDAI-approved product filings in India do not yet offer the level of standardisation seen in more mature PI/D&O/Cyber markets abroad — every clause genuinely needs to be read, not assumed. A pre-purchase or renewal review by a professional advisor who is not earning commission on the sale remains the most reliable way to catch gaps before a claim, not after.

How it works
#Stage & What PNPC DoesWhat Standard Brokers Often SkipTypical Timeline
1Risk & Exposure Mapping — before any policy is discussedWe map your actual exposure first: client contracts and their indemnity/limitation-of-liability clauses, board composition and shareholder base, data types processed and where they are hosted, vendor and sub-processor dependencies, and any prior claims, complaints, or regulatory correspondence. This determines what cover you actually need — not what a standard product brochure offers.Week 1
2Existing Policy Audit (if cover already exists)For clients renewing existing PI, D&O, or cyber cover, we read the actual policy wording clause-by-clause against the risk map from Stage 1 — sub-limits, exclusions, the retroactive date, notification conditions, and the definition of 'claim' and 'wrongful act'. Most silent gaps live inside definitions and exclusions that a renewal notice never surfaces.Week 1–2
3Coverage Requirement Specification — what to actually ask insurers forWe translate the risk map and audit findings into a specification: minimum limits by cover, the sub-limits that matter for your risk profile (e.g., cyber extortion, regulatory defence costs, Side C entity cover), and the exclusions that must be negotiated out or endorsed back in. This document is what a broker should be quoting against — most placements start from the insurer's standard form instead.Week 2
4Broker/Insurer Coordination — PNPC stays engaged through placementWe do not place policies ourselves (PNPC is not a licensed insurance broker/intermediary), but we work alongside your chosen IRDAI-licensed broker or directly with insurers to ensure the quotes obtained actually match the specification from Stage 3, and we flag any material deviation in the quoted wording before you bind cover.Week 2–4
5Quote Comparison & Wording ReviewPremium is only one variable. We compare quotes on retroactive date offered, sub-limit structure, retention/deductible level, defence-cost-inside-or-outside-limit structure, panel counsel flexibility, and claims-made notification conditions — the variables that determine whether a claim actually gets paid, not just how much the premium costs.Week 3–4
6Board Approval & Documentation (for D&O specifically)D&O placement decisions are a board-level matter. We prepare the board note summarising the recommended cover, limits, and cost — the documentation an independent director or investor will expect to see when asked what D&O protection the board actually reviewed and approved.Week 4
7Policy Binding & Certificate IssuanceOnce terms are agreed, the broker/insurer issues the policy and Certificate of Insurance. We review the final wording against the agreed specification one more time before advising you to release premium — insurers occasionally issue wording that differs from the quote.Week 4–5
8Internal Communication & Claim-Notification ProtocolA policy is only useful if the right people inside the company know it exists and know the claims-made notification deadline. We help set up an internal protocol — who is authorised to notify a claim, within what timeframe, and to whom — because a late notification under a claims-made policy is one of the most common reasons legitimate claims are denied.Week 5
9Annual Renewal Review — not a rubber-stampAt each renewal, we re-run the risk map — new contracts signed, new board members, new data processing activities, any near-miss incidents in the past year — and compare it against the expiring policy before recommending renewal, amendment, or a fresh market review.Annually, ahead of renewal date
10Mid-Term Review TriggersCertain events should trigger an immediate cover review rather than waiting for renewal: a funding round closing, a new independent director joining, a material new client contract with unusual indemnity terms, expansion into a new data-processing activity, or a near-miss cyber incident. We flag these triggers proactively.As triggered — PNPC monitors known milestones
11Claim Notification Support (if a claim arises)If a potential claim or circumstance arises, we help you draft the notification to the insurer within the policy's stated timeframe, assess whether the incident should be notified as a 'circumstance' even before a formal claim materialises (protecting your position under the current policy period), and coordinate with legal counsel and the insurer's appointed surveyor/investigator.As needed — time-critical, typically within days of discovery
12Post-Claim Portfolio ReassessmentAfter any claim — successful, denied, or settled — we reassess the coverage structure to close whatever gap the claim experience exposed, so the next renewal reflects the lesson rather than repeating the same policy structure.Post-claim, ahead of next renewal

Realistic timeline for a full first-time advisory engagement — risk mapping through bound policy — is typically 4–6 weeks; this can compress to 1–2 weeks for a straightforward renewal review of existing cover. PNPC does not hold an IRDAI insurance intermediary licence and does not itself sell or place policies; we advise on risk, coverage adequacy, and wording, and coordinate with your licensed broker or insurer of choice for execution.

Document Checklist
For the Risk & Exposure Mapping Stage

Latest audited financial statements and current-year management accounts — used to assess appropriate limit of indemnity relative to revenue and balance-sheet exposure

Standard client/customer service agreements and any non-standard contracts with unusual indemnity, limitation-of-liability, or consequential-loss clauses

Board composition details — number of directors, whether any are independent/nominee directors, and the company's current shareholder register

A description of what personal or sensitive data the company collects, processes, or stores, and where it is hosted (in-house servers, cloud provider, third-party SaaS)

List of key vendors, sub-processors, or outsourced IT/data functions, with copies of data processing agreements where they exist

Any prior insurance claims, client complaints, regulatory notices, or near-miss cyber incidents in the last 5 years, even if no claim was ultimately made

For Existing Policy Audit (Renewal Clients)

Complete current policy wording — not just the schedule/certificate — including all endorsements and exclusion clauses

Prior 2–3 years of policy schedules, to identify any changes in limits, sub-limits, or exclusions introduced at renewal without explicit discussion

Premium payment history and any broker correspondence relating to the placement

Details of the retroactive date currently in force and confirmation of continuous, unbroken renewal history (a lapse can reset or forfeit prior-acts cover)

For D&O Cover Specifically

Certificate of Incorporation, MoA/AoA, and current MCA master data extract confirming director details

Details of any pending or past litigation, SEBI/RoC/NCLT proceedings, or IBC 2016 insolvency-related exposure involving the company or its directors

Cap table and shareholder agreement, particularly where institutional investors or independent directors have specific D&O requirements as a condition of investment or appointment

Minutes of the Board resolution proposing to procure or renew D&O cover — most placements expect this as supporting documentation

For Cyber Risk Cover Specifically

A data inventory — categories of personal data held (customer, employee, vendor), approximate volume of data subjects, and retention practices

Details of IT security measures currently in place — firewall, endpoint protection, encryption, backup and disaster-recovery protocol, multi-factor authentication

Confirmation of DPDPA 2023 compliance readiness — whether a Data Protection Officer/nodal contact has been designated where applicable, and whether a breach-notification protocol exists

Any third-party security assessment, VAPT (Vulnerability Assessment and Penetration Testing) report, or ISO 27001 certification status, if available

For Professional Indemnity Cover Specifically (Practices/Firms)

Description of professional services offered, client categories served, and the largest engagement value/exposure undertaken in the last 3 years

Standard engagement letter or terms of service used with clients, including any limitation-of-liability clause already negotiated

Details of professional qualifications and licences held by principal partners/directors (CA, CS, advocate, architect, doctor, etc., as applicable)

History of professional indemnity claims or client disputes, if any, in the preceding 5 years

Post-Placement — Documents PNPC Helps You Maintain

A one-page internal claim-notification protocol — who notifies, within what timeframe, to whom — circulated to relevant directors, officers, and department heads

A renewal tracker noting the retroactive date, sub-limits, and key exclusions of the current policy, to be reviewed ahead of every renewal rather than relying on the insurer's renewal notice alone

A record of any 'circumstance' notified to the insurer even where no formal claim has yet been made — protecting the company's position under the current claims-made policy period

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Pre-Purchase Risk AssessmentDecision to buy PI, D&O, or cyber cover for the first timeRisk mapping against actual contracts, board structure, and data footprint before approaching any insurer or broker; a written coverage specification prepared for the placement.Buying a template policy that does not match actual exposure — discovering the gap only when a claim is filed and denied on an exclusion nobody read.
Placement & BindingQuotes received from broker/insurerWording review against the specification; comparison on retroactive date, sub-limits, retentions, and claims-made notification conditions — not premium alone.Binding cover on price alone while missing a materially worse retroactive date, a lower sub-limit on the exposure that matters most, or a narrower definition of 'wrongful act' or 'claim'.
First Year of CoverPolicy inceptedInternal claim-notification protocol established; directors and key staff briefed on what triggers notification and the timeframe to notify.A genuine incident occurs but is not notified within the claims-made window because nobody inside the company knew the protocol — the claim is later denied for late notice.
Mid-Term Risk EventsFunding round, new director appointment, new high-value client contract, new data-processing activity, security incidentProactive mid-term review triggered by these known milestones rather than waiting for renewal; endorsement or top-up cover arranged where a gap has opened mid-policy.A material new exposure (e.g., an independent director appointed, or a large new dataset onboarded) sits uninsured for months until the next renewal cycle.
Annual RenewalPolicy anniversaryFull re-run of the risk map against the expiring policy; renewal, amendment, or fresh market review recommended based on what has changed in the business over the year — not an automatic roll-over.Auto-renewal of a policy that no longer matches the business's risk profile — premium paid for cover that does not respond to the company's actual current exposure.
Circumstance or Incident ArisesA complaint, regulator query, cyber event, or potential claim surfacesImmediate assessment of whether to notify the insurer as a 'circumstance' (even pre-claim) to lock in coverage under the current policy period; coordination with legal counsel and the insurer's appointed surveyor/investigator.Delayed or no notification — insurer later denies the claim for late notice, or the circumstance is deemed a 'known circumstance' excluded from the next policy period.
Claim Settlement or DenialInsurer's decision on a notified claimReview of the insurer's basis for settlement or denial against the actual policy wording; escalation through the insurer's grievance mechanism or the Insurance Ombudsman (for eligible claim values) where the denial appears to conflict with the policy terms.Accepting a denial or a low settlement offer without an independent check against the policy wording — many denials cite an exclusion that a proper reading shows does not actually apply to the facts.
Post-Claim Portfolio ResetClaim experience concludes (settled, denied, or litigated)Coverage structure reassessed in light of the claim experience — closing whatever specific gap the claim exposed before the next renewal, and briefing the board on lessons learned.Renewing the same policy structure unchanged, repeating the exact gap that caused the last claim's difficulty.
Frequently asked
What is Professional Indemnity insurance and who actually needs it?

Professional Indemnity (PI) insurance covers claims made against a professional or firm alleging negligence, an error, an omission, or a breach of professional duty in the course of rendering paid services. It is most relevant for CA firms, company secretaries, lawyers, architects, engineers, IT and management consultants, doctors, and any business whose core offering is advice or a professional service rather than a physical product. If a client can plausibly claim your advice or service caused them a financial loss, PI cover is worth assessing.

Practitioner noteWe frequently see professional firms with cover that has not been reviewed since it was first purchased years ago — even as the firm's service lines, client base, and contract values have grown well beyond what the original limit of indemnity anticipated.
What does D&O insurance actually protect — the company or the individual director?

Primarily the individual director or officer, personally, against claims alleging a wrongful act in their management capacity. A standard D&O structure has three components: Side A covers the director personally when the company cannot or will not indemnify them; Side B reimburses the company when it does indemnify the director; and Side C (entity cover) protects the company itself, typically for securities claims. Most Indian D&O placements for private companies focus on Side A and B; Side C becomes more relevant as a company approaches a public listing or has a wider shareholder base.

Practitioner noteIndependent directors joining a board should specifically confirm Side A limits are adequate and not simply assume the company's broader D&O policy protects them the same way it protects an executive director — the practical exposure and risk appetite can differ.
Why would a private, unlisted company need D&O cover at all?

Because directors of private companies can still face personal liability claims — from shareholders, creditors, employees, regulators (SEBI where applicable, RoC, or under the Insolvency and Bankruptcy Code 2016 in a distress scenario), or even the company itself in a dispute. Institutional investors and independent directors increasingly make adequate D&O cover a condition before they invest or agree to join the board — it is now a standard governance expectation, not a listed-company-only concern.

Practitioner noteWe advise founders raising a Series A or later round to have D&O cover in place before the investor's legal team asks for it as a closing condition — sourcing and placing it under time pressure at closing rarely gets the wording right.
How does the Digital Personal Data Protection Act 2023 (DPDPA) affect cyber insurance needs?

The DPDPA 2023 introduced statutory obligations for 'Data Fiduciaries' — entities that determine the purpose and means of processing personal data — including breach-notification duties to the Data Protection Board of India and to affected individuals, and financial penalties for non-compliance that can run into crores of rupees depending on the nature and scale of the breach. Cyber insurance increasingly needs to be assessed against this specific regulatory exposure — not just against the operational cost of a breach (forensic investigation, system restoration, customer notification) but against the DPDPA penalty and regulatory-defence dimension as well.

Practitioner noteNot every cyber policy in the Indian market currently extends explicitly to DPDPA regulatory-defence costs or penalties — the product landscape is still evolving as the DPDPA's rules and enforcement mechanism mature. We review this specific point clause-by-clause on every cyber placement or renewal rather than assuming standard cover responds.
Is PNPC a licensed insurance broker — can PNPC sell us a policy directly?

No. PNPC Global is a Chartered Accountancy firm and does not hold an IRDAI insurance intermediary (broker/agent) licence, and this advisory does not involve PNPC selling, underwriting, or placing policies. Our role is risk assessment, coverage-gap analysis, and wording review — independent of any commission on the policy sale. We coordinate with your chosen IRDAI-licensed broker, or directly with insurers, to ensure the policy actually placed matches what our risk assessment says you need.

Practitioner noteThis independence is deliberate. A broker earning commission on the premium has a structural incentive to place a policy, even a suboptimal one. Our fee is for the advisory work, not tied to premium size — so our recommendation on limits and structure is not distorted by that incentive.
What is a 'claims-made' policy and why does it matter so much for PI and D&O cover?

A claims-made policy responds to claims first made against the insured during the policy period (or an agreed extended reporting period), regardless of when the underlying act occurred — provided the act occurred after the policy's retroactive date. This is different from an 'occurrence' policy, which responds based on when the incident happened, regardless of when the claim is later made. Because PI and D&O policies are almost always claims-made, a gap in renewal, a switch to a new insurer without preserving the retroactive date, or a late notification of a known circumstance can leave genuine exposure completely uninsured.

Practitioner noteThe retroactive date is, in our experience, the single most under-discussed clause at renewal time. We check it on every review — a client who unknowingly lets it reset when switching insurers can lose years of prior-acts protection without realising it until a claim from an old matter surfaces.
What is a 'circumstance' notification and why should we do it even before a formal claim exists?

Most claims-made policies allow (and often require, to preserve rights) notification of a 'circumstance' — a set of facts that could reasonably give rise to a claim in future — even before any formal claim or demand has been made. Notifying a circumstance during the current policy period generally locks in coverage under that policy, even if the formal claim materialises after the policy has expired or been non-renewed. Failing to notify a known circumstance, and then having a formal claim arise later, is one of the most common grounds insurers use to deny cover.

Practitioner noteWe treat this as a standing agenda item whenever a client mentions a client complaint, a regulator query, or a security incident in passing — even if they do not think it will become a formal claim. The cost of an unnecessary circumstance notification is negligible; the cost of a missed one can be the entire claim.
How is the right sum insured or limit of indemnity determined for PI cover?

There is no fixed statutory formula. Insurers and advisors typically consider the firm's annual professional fee income, the value of the largest client engagements undertaken, any specific contractual minimum limits demanded by key clients, and the sector's typical claim severity. A firm advising on high-value transactions (M&A, large audits, complex valuations) generally needs a materially higher limit than a firm doing routine compliance work, even at similar revenue levels.

Practitioner noteWe recommend benchmarking the limit against your single largest client engagement value, not just average revenue — a catastrophic claim typically arises from the one unusually large or unusually complex engagement, not from routine work.
Does a company's general liability (CGL) policy already cover professional negligence or director liability?

No, ordinarily not. A standard CGL policy is designed to cover third-party bodily injury or property damage arising from the business's operations or premises — it typically carries an explicit exclusion for professional services liability and does not respond to a director's alleged wrongful management decision. PI and D&O are distinct, separately underwritten covers precisely because CGL is not designed to respond to these exposures.

Practitioner noteWe regularly encounter companies that assumed their CGL policy 'covers everything' until a professional-negligence claim surfaced the explicit exclusion in the wording. Reading the exclusions section of an existing CGL policy is a five-minute exercise that avoids a very expensive surprise.
What are common exclusions in cyber insurance policies that catch companies off guard?

Frequent exclusions include: war and cyber-war/state-sponsored-attack carve-outs (a live and evolving area of dispute globally), infrastructure or utility failure outside the insured's direct control, costs of 'betterment' (upgrading systems beyond their pre-incident state), and losses arising from a vulnerability the insured knew about and failed to patch before the incident. Sub-limits — often materially lower than the headline policy limit — commonly apply to specific heads such as cyber-extortion/ransom payments, regulatory fines (where legally insurable), and business-interruption waiting periods.

Practitioner noteWe ask insurers to confirm, in writing, how the war/state-sponsored-attack exclusion would be interpreted for a ransomware attack of unclear origin — a genuinely unsettled question in current cyber insurance markets — rather than relying on the wording alone.
Can a startup with a small team and no data breach history skip cyber insurance?

It depends on the actual risk profile, not the company's size. A small SaaS company processing customer payment data or health records can carry disproportionate cyber exposure relative to its headcount. Conversely, a small business with minimal digital footprint and no customer data processing may reasonably deprioritise cyber cover in favour of other insurance or working-capital needs. This is exactly the judgment call our risk-mapping stage is designed to make explicit rather than leaving it to a generic 'every business needs cyber insurance' sales pitch.

Practitioner noteWe have advised some very early-stage clients that cyber cover is not yet their most urgent spend — and told others, with a much smaller headcount but a much larger data footprint, that it should be a priority. The honest answer depends on data, not company size.
What happens if a director resigns — does their D&O cover end immediately?

Most D&O policies continue to cover a former director for wrongful acts committed while they served, for claims made during the policy period (subject to the retroactive date), even after resignation — this is sometimes explicitly extended through a 'run-off' or 'extended reporting period' provision, particularly important when the company itself is being sold, merged, or wound up. A director resigning from a company should specifically ask whether run-off cover exists and for how long.

Practitioner noteThis becomes critical in an M&A or winding-up scenario — if the D&O policy is not renewed and no run-off cover is purchased, departing directors can be left personally exposed for claims relating to decisions made years earlier. We flag this specifically whenever a client company is heading toward a sale, merger, or closure.
How does PNPC charge for this advisory — is it commission-based like a broker?

No. PNPC charges a fixed, agreed professional fee for the risk assessment, policy audit, specification, and ongoing advisory work — discussed and confirmed in writing before the engagement begins. We do not receive commission on the premium of any policy ultimately placed, because we are not the licensed intermediary placing it. This keeps our recommendation focused on what actually covers your risk, not on which product pays the highest commission.

Practitioner noteWe are upfront that this fee-based model means our advisory has a cost even before a policy is bought — unlike a broker, whose 'advice' is technically free because it is commission-funded. In our experience, clients who have been burned by a coverage gap understand immediately why that difference matters.
Is Professional Indemnity insurance mandatory for Chartered Accountants or other professionals in India?

PI insurance is not universally mandated by statute for all professionals, but specific regulators and professional bodies impose it in defined circumstances — for instance, certain categories of statutory audit engagements, valuation assignments under the Companies Act 2013 and IBC 2016 framework (Registered Valuers), and specific SEBI-regulated intermediary roles carry PI requirements or strong professional-body recommendations. Even where not mandatory, many corporate and institutional clients now contractually require their professional advisors to carry a minimum PI limit as a condition of engagement.

Practitioner noteWe check the specific regulatory or contractual requirement applicable to each client's practice area rather than assuming a blanket rule — the requirement (and the required limit) genuinely differs between a Registered Valuer engagement, a statutory audit engagement, and a general advisory engagement.
What is 'Side A', 'Side B', and 'Side C' cover in a D&O policy?

Side A covers individual directors and officers personally when the company is unable or legally unwilling to indemnify them (for instance, in an insolvency scenario, or where indemnification is legally restricted). Side B reimburses the company for amounts it has indemnified its directors and officers for. Side C, where included, extends cover to the entity itself — most commonly for securities-related claims, and more relevant as a company's shareholder base widens or it approaches a public listing.

Practitioner noteFor most privately held Indian companies we advise, Side A and Side B adequacy is the priority; Side C becomes a live discussion point specifically when a pre-IPO structuring or wider institutional shareholder base enters the picture.
Our company already has a broker who handles all our insurance — why would we need PNPC as well?

A corporate insurance broker's role is typically to place cover efficiently across the market and manage the relationship with insurers on your behalf — a valuable and distinct function. PNPC's advisory sits one step earlier: independently assessing what your actual risk profile requires, auditing whether the policy your broker placed actually matches that risk (reading the wording, not just the premium quote), and providing a second, non-commission-linked opinion before you bind or renew cover. The two roles work well together rather than in competition — we have supported clients whose existing broker relationship continued, with PNPC providing the independent coverage-adequacy check.

Practitioner noteWe are careful never to present this as replacing a good broker relationship — a sophisticated broker with a genuine risk-engineering function is valuable. Where we add the most value is for companies whose broker relationship has become a routine annual renewal exercise rather than an active risk conversation.
What is 'business interruption' cover within a cyber policy, and how is the payout calculated?

Business interruption cover within a cyber policy responds to lost income and continuing operating expenses incurred while systems are down or degraded following a covered cyber event — typically subject to a waiting period (a number of hours the systems must be down before the cover triggers) and a defined indemnity period (the maximum duration for which lost income is payable). The payout is usually calculated against a pre-agreed methodology in the policy — often based on prior-period revenue trends adjusted for the interruption — and insurers frequently appoint a forensic accountant to quantify the actual loss.

Practitioner noteAs Chartered Accountants, we are frequently engaged specifically to prepare or review the business-interruption loss quantification following a cyber incident — this is an area where the accounting methodology in the claim submission materially affects the final settlement, and generic IT-incident-response teams are not equipped to prepare it.
Can a cyber insurance policy help with actual DPDPA 2023 compliance, or is it purely financial protection?

A cyber policy itself does not create DPDPA compliance — that requires the underlying operational measures (consent management, data minimisation, breach-notification protocols, appointing a Data Protection Officer/nodal contact where the DPDPA and its rules require one, and reasonable security safeguards under the Act). What a well-structured cyber policy does is provide financial protection — breach-response costs, potential regulatory-defence costs, and business-interruption losses — for the event that compliance measures did not prevent. The two are complementary, not substitutes for each other.

Practitioner noteWe routinely see companies treat cyber insurance as a substitute for actual DPDPA compliance work rather than a complement to it — insurers themselves are increasingly asking underwriting questions about actual security posture and DPDPA readiness before quoting, so weak compliance can also mean weaker or costlier cover.
What should a company do in the first 24-48 hours after discovering a cyber incident, from an insurance standpoint?

Notify the insurer (or the policy's specified incident-response hotline) as early as possible — many cyber policies require prior insurer consent before engaging forensic IT firms or legal counsel if those costs are to be covered under the policy. Preserve evidence rather than immediately wiping and rebuilding affected systems. Avoid making public statements about the scope or cause of the incident before initial forensic findings are available. Engage the insurer-approved panel of forensic IT and legal advisors where the policy specifies one, since using non-panel vendors without consent can affect cost reimbursement.

Practitioner noteThe instinct in the first hours of an incident is to fix the problem as fast as possible — which sometimes means wiping the very evidence a forensic investigator needs, and engaging vendors outside the insurer's approved panel. We advise clients to build the insurer-notification step into their incident-response runbook itself, not treat it as an afterthought once the technical fire is out.
How often should a company review its PI, D&O, and cyber insurance portfolio?

At minimum, annually, at renewal. But a proper review should also be triggered by specific events — a funding round, a new independent director joining the board, a significant new client contract with unusual indemnity terms, a material change in the company's data-processing footprint, or any near-miss incident, complaint, or regulatory query, even one that did not become a formal claim.

Practitioner noteWe set calendar triggers for our retainer clients tied to these specific events rather than relying solely on the renewal date — the gap between 'what the business looked like when the policy was last reviewed' and 'what the business looks like today' is where most coverage inadequacy quietly accumulates.
Does D&O insurance cover fines or penalties imposed by regulators like SEBI or the RoC?

Generally, fines and penalties that are 'uninsurable as a matter of law' are excluded from D&O cover — Indian law, like most jurisdictions, does not permit insuring against certain punitive fines as a matter of public policy. However, defence costs incurred in responding to a regulatory investigation or proceeding — legal fees, expert costs — are typically covered even where the eventual fine itself would not be, and this defence-cost coverage is often the more financially significant benefit in practice, since regulatory proceedings can run for years before any fine is even determined.

Practitioner noteWe specifically check whether defence costs are payable as incurred (as the proceeding unfolds) or only after final adjudication — a policy that only reimburses defence costs after the proceeding concludes can leave a director funding years of legal fees out of pocket in the interim, which defeats much of the practical purpose of the cover.
What is the difference between 'defence costs within limits' and 'defence costs in addition to limits'?

Where defence costs are 'within limits', every rupee spent defending a claim erodes the same limit that would otherwise be available to pay a settlement or judgment — a long, expensive defence can leave little or nothing left to pay the underlying claim. Where defence costs are 'in addition to limits', the insurer pays defence costs separately, over and above the stated limit of indemnity, preserving the full limit for settlement or judgment. This structural difference can matter more than the headline limit amount itself.

Practitioner noteWe treat this clause as a priority check on every D&O and PI review — a policy with a large headline limit but defence-costs-within-limits structure can, in a protracted regulatory matter, leave materially less protection than a smaller-limit policy with defence-costs-in-addition-to-limits.
Should a company with overseas operations (including UAE) carry separate PI/D&O/cyber cover in each jurisdiction?

Usually yes, at least in part — Indian PI, D&O, and cyber policies are typically underwritten with an Indian jurisdiction and legal-system assumption, and may not adequately respond to a claim brought in a foreign court or under a foreign regulator's jurisdiction. Companies with UAE operations, in particular, should assess whether UAE-domiciled entities need separate local cover (UAE has its own insurance market and, since the UAE Federal Data Protection Law, its own data-protection exposure) rather than assuming the Indian parent's policy extends worldwide.

Practitioner noteOur Dubai office frequently coordinates exactly this — assessing whether an Indian parent company's existing PI/D&O/cyber cover genuinely extends to its UAE subsidiary's operations and jurisdictional exposure, or whether standalone UAE cover is needed. Assuming worldwide extension without reading the territorial-scope clause is a common and costly mistake.
What is the Insurance Ombudsman and when is it relevant to a PI, D&O, or cyber claim dispute?

The Insurance Ombudsman is a statutory grievance-redressal mechanism under the Insurance Ombudsman Rules for policyholder complaints against insurers, generally available for claims up to a specified monetary threshold and typically used after the insurer's own internal grievance process has been exhausted without resolution. For larger commercial PI, D&O, and cyber claims that often exceed the Ombudsman's pecuniary threshold, disputes more commonly proceed through arbitration (if the policy has an arbitration clause) or civil litigation instead.

Practitioner noteWe check the Ombudsman's applicable pecuniary threshold at the time of the dispute — it has been revised periodically — before advising a client whether this route is even available for their specific claim value, rather than assuming it universally applies.
How does PNPC's advisory differ for a listed company versus a private company on D&O cover?

Listed companies face materially higher D&O exposure — SEBI's Listing Obligations and Disclosure Requirements (LODR), securities-class-action-style claims (even though the Indian class-action framework differs from the US model), and heightened public shareholder scrutiny — and typically require a higher limit, explicit Side C entity/securities cover, and broader regulatory-defence extensions. Private companies generally prioritise Side A/B adequacy relative to their specific investor base and board composition. Our risk-mapping approach adjusts the specification accordingly rather than applying a one-size template.

Practitioner noteA pre-IPO company is a specific inflection point we flag proactively — D&O cover adequate for a private company's board is very rarely adequate for the listed-company exposure that begins the moment listing occurs, and the cover needs to be reassessed well before the IPO closes, not after.
What is 'social engineering fraud' cover and is it part of a standard cyber policy?

Social engineering fraud cover responds to losses from fraudulent instructions — a fake CEO email, a spoofed vendor payment-details change, business email compromise — that trick an employee into transferring funds to a fraudster, even though no technical system was actually 'hacked' in the traditional sense. It is frequently sold as a separate endorsement or sub-limited add-on to a cyber or crime policy rather than being automatically included, and companies sometimes discover this gap only after such a fraud has already occurred.

Practitioner noteThis is one of the most common actual loss scenarios we see among mid-sized Indian companies — and one of the most commonly excluded or severely sub-limited covers in a standard cyber policy. We specifically ask insurers to quote this as an explicit, adequately limited endorsement rather than assuming it is bundled in.
Can PNPC help review the D&O/PI/cyber section of a shareholders' agreement or investment term sheet?

Yes. Investment term sheets and shareholders' agreements frequently include specific insurance covenants — minimum D&O limits, indemnification obligations the company must undertake for its directors, and sometimes specific cyber-cover requirements as a condition of investment. We review these clauses alongside our broader risk assessment to confirm the company can practically source the required cover in the market, and at what approximate cost, before those terms are finalised.

Practitioner noteWe have seen term sheets specify a D&O limit that, once the company actually approaches insurers, proves difficult or expensive to place given the company's sector or claims history. Flagging this during term-sheet negotiation — rather than after signing — gives the company real room to negotiate the clause.
Is there GST on insurance premiums, and does that affect the overall cost comparison?

Yes — insurance premiums for general insurance products, including PI, D&O, and cyber covers, attract GST under the CGST Act 2017, and the applicable rate should be confirmed against the current GST rate structure at the time of purchase, since GST rates on specific categories are periodically revised by the GST Council. This GST is an additional cost layer on top of the base premium quoted by the insurer or broker and should be factored into any premium comparison across quotes.

Practitioner noteWe always ask brokers to confirm whether a quoted premium figure is inclusive or exclusive of GST before comparing two quotes — a lower headline premium that is GST-exclusive can end up costing more than a higher headline premium quoted GST-inclusive.
What records should a company keep to support a smooth claims process later?

A complete copy of the policy wording (not just the schedule), all endorsements and correspondence with the insurer/broker at every renewal, a log of any circumstance notifications made, the internal claim-notification protocol document, and — specifically for cyber exposure — records of security measures in place at the time of placement (since insurers may ask for evidence of the security posture disclosed at underwriting if a claim is later contested on non-disclosure grounds).

Practitioner noteNon-disclosure or misrepresentation at the time of underwriting is a common ground insurers use to contest claims. We advise clients to keep a dated record of exactly what was disclosed to the insurer at placement and renewal — protecting the client's position if a dispute later arises over what was or was not known at the time.
How does PNPC coordinate with our existing CA/finance team when reviewing insurance needs?

This advisory is delivered by PNPC's insurance and risk advisory practice, which works alongside — not in place of — your existing statutory audit, tax, and finance function, whether that is PNPC's own team or another firm's. We draw on the company's financial statements, board minutes, and existing contracts as inputs to the risk assessment, and we coordinate directly with the CFO or finance controller rather than requiring the founder or board to be the sole point of contact.

Practitioner noteFor PNPC's existing audit and compliance retainer clients, this advisory typically moves faster because we already hold much of the underlying financial and governance information needed for the risk assessment — new clients should expect the initial information-gathering stage to take proportionately longer.
What is the realistic professional fee range for this advisory, and does it vary by company size?

The fee depends on the scope — a first-time risk assessment and specification for a company procuring PI, D&O, and cyber cover for the first time is a more substantial engagement than an annual renewal review of existing, well-structured cover. PNPC agrees a fixed fee in writing for the specific scope before work begins, scaled to the company's size, number of covers under review, and complexity of the risk profile (multiple jurisdictions, complex data footprint, prior claims history, etc.).

Practitioner noteWe deliberately avoid quoting a placeholder industry-average figure here, since fee-setting genuinely depends on scope — ask us for a written scope and fee proposal after an initial no-obligation conversation about what you actually need reviewed.
Can a sole proprietor or freelance professional (not a company) buy PI insurance, and does D&O even apply to them?

Yes to PI — sole proprietors and freelance professionals (consultants, freelance designers, independent IT contractors) can and often should carry Professional Indemnity cover in their own name or business name, particularly where client contracts require it. D&O cover, by contrast, is specific to the directors and officers of an incorporated entity (company or, in some structures, an LLP's designated partners under an equivalent liability cover) — it is not a relevant product category for a sole proprietorship, which has no separate legal personality or board structure to protect.

Practitioner noteWe occasionally get this question from freelance consultants assuming they need 'the same three covers' as an incorporated client — for a sole proprietor, PI (and possibly cyber, depending on data handled) is usually the relevant pairing, with D&O simply not applicable until the business incorporates.
What is the single most common coverage gap PNPC finds when auditing an existing PI, D&O, or cyber policy?

Across engagements, the most recurring gap is a mismatch between what the policy's definitions and exclusions actually say and what the client believed the policy covered based on the broker's renewal summary or the policy's marketing brochure — most commonly: a cyber exclusion buried in a PI policy that excludes exactly the data-related professional failures modern service delivery creates, a D&O policy with defence-costs-within-limits structure the board was unaware of, or a materially reduced sub-limit for the specific risk (cyber-extortion, regulatory defence, social engineering fraud) that turns out to matter most for that particular business.

Practitioner noteThis is precisely why we insist on reading the full policy wording, endorsement by endorsement, rather than relying on the one-page renewal summary most brokers send — the summary is written to be readable, and readability and completeness are not the same thing in an insurance contract.
Why PNPC Global

PNPC's advisory approach versus other routes to PI/D&O/Cyber cover

FeatureStandard Insurance BrokerOnline Insurance AggregatorDIY (Company Buys Direct)PNPC Global Insurance Advisory
Independent of commission on premiumNo — earns brokerage on the policy soldNo — earns referral/placement commissionN/A — no advisor involvedYes — fixed advisory fee, not premium-linked
Reads full policy wording clause-by-clause before recommendingSometimes — depends on the individual broker's diligenceRarely — optimised for fast comparison, not deep wording reviewRarely — most buyers rely on the summary/brochureAlways — this is the core of the engagement
Maps cover to actual client contracts, board structure, and data footprintOccasionally, for larger corporate accounts with a risk-engineering functionNo — standardised online questionnaire onlyNo — buyer self-assesses without a structured frameworkYes — this is Stage 1 of the engagement, before any product is discussed
Understands DPDPA 2023, IBC 2016, SEBI/RoC regulatory exposure contextVaries significantly by individual broker's expertiseNo — general insurance product focusDepends entirely on in-house legal/compliance sophisticationYes — grounded in CA-firm regulatory and compliance practice since 1986
Coordinates with existing CA/finance/audit functionNot typically part of the broker relationshipNoAd hoc, if the company's own CA is consulted informallyYes — directly integrated where PNPC is also the client's audit/tax advisor, and coordinated where another firm is
Supports claim notification and post-claim portfolio reassessmentSome brokers offer basic claims assistanceMinimal to noneCompany handles alone, often for the first time under stressYes — full support from circumstance-notification through post-claim reassessment
Fee transparencyCommission embedded in premium, often not separately disclosedCommission embedded, rarely itemised to the buyerN/AFixed fee agreed and disclosed in writing before engagement begins
Cross-border (India-UAE) coordinationRare, unless part of a large multinational broking networkNoNoYes — via PNPC's Chennai, Bangalore, Hyderabad, and Dubai offices

This comparison reflects typical market patterns and is directional, not a claim about any specific named broker or insurer. Individual brokers and insurers vary significantly in diligence and service quality — the comparison is meant to clarify PNPC's distinct, non-commission-linked advisory role, not to disparage licensed insurance intermediaries generally, whose placement function remains necessary for actually binding cover.

What the PNPC package includes

  1. 01

    Comprehensive risk and exposure mapping — client contracts, board structure, data footprint, and regulatory exposure — before any policy is discussed

  2. 02

    Independent audit of existing PI, D&O, or cyber policy wording, clause-by-clause, against the company's actual risk profile

  3. 03

    Written coverage specification translating the risk assessment into the limits, sub-limits, and exclusions the company should actually be asking insurers for

  4. 04

    Coordination with your chosen IRDAI-licensed broker or insurer to ensure quotes obtained match the specification, without PNPC earning any commission on the premium

  5. 05

    Quote comparison across retroactive date, sub-limits, retentions, defence-cost structure, and claims-made notification conditions — not premium alone

  6. 06

    Board-ready documentation summarising the recommended D&O cover and rationale, suitable for board approval and investor due diligence

  7. 07

    Internal claim-notification protocol design — who notifies, within what timeframe, to whom — so a genuine incident is never missed for lack of an internal process

  8. 08

    Proactive mid-term review triggers tied to funding rounds, new director appointments, new high-value contracts, and data-footprint changes

  9. 09

    Support at the point of a potential claim or circumstance — notification drafting, insurer and surveyor coordination, and liaison with legal counsel

  10. 10

    Post-claim portfolio reassessment to close whatever specific gap a claim experience exposed before the next renewal

  11. 11

    Cross-border India-UAE coordination for companies with operations or entities in both jurisdictions, via PNPC's Dubai office

  12. 12

    Ongoing annual renewal review — a full re-run of the risk map against the expiring policy, not an automatic roll-over recommendation

Before your next PI, D&O, or cyber renewal notice arrives on autopilot, have a CA firm that has practised risk and compliance advisory since 1986 read the actual policy wording against your actual risk — not the brochure against your assumptions.

← Back to Loans & Insurance
Talk to a CA