D&O Insurance in the Age of Data Governance: Premium Realities under India’s DPDP Regime

Posted On - 27 April, 2026 • By - Aniket Ghosh

Introduction

India’s enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) marks a decisive shift toward a modern data protection regime anchored in accountability, consent, and enforcement. While the statute is primarily directed at “data fiduciaries,” its implications extend well beyond operational compliance. At the boardroom level, the Act has triggered a reassessment of governance responsibilities, risk allocation, and, critically, Directors and Officers (“D&O”) insurance.

A key question now confronting corporates and insurers alike is whether the DPDP Act has materially altered the D&O risk landscape. The emerging answer is nuanced but unmistakable: increased premiums and tighter underwriting are not only real, but structurally justified.

The DPDP Framework and Board-Level Accountability

The DPDP Act imposes obligations on entities that determine the purpose and means of processing personal data. These include:

  • lawful processing based on consent or legitimate use;
  • implementation of reasonable security safeguards;
  • prompt breach notification; and
  • accountability for third-party data processors.

Although the statute does not expressly create automatic personal liability for directors, it embeds a governance expectation: boards must ensure that adequate systems, controls, and oversight mechanisms are in place. This expectation aligns with broader principles of fiduciary duty under Indian company law, where directors are required to act with due and reasonable care.

Consequently, any failure in data governance may be framed not merely as a compliance lapse, but as a failure of oversight, which is a cornerstone trigger for D&O claims globally.

The Changing Risk Profile for Directors

The DPDP Act introduces a risk environment characterised by three features:

1. High-Value Regulatory Penalties
The statute contemplates significant monetary penalties, potentially up to ₹250 crore per instance. While such penalties are imposed on the company, they often catalyse derivative claims, shareholder actions, or regulatory scrutiny of board conduct.

2. Expanded Litigation Pathways
Data breaches, consent failures, or misuse of personal data may give rise to:

  • regulatory proceedings before the Data Protection Board;
  • civil claims from affected individuals; and
  • shareholder actions alleging governance failures.

In each case, directors may be named not for the breach itself, but for inadequate supervision or risk management.

3. Attribution through Governance Failures
Modern D&O jurisprudence increasingly centres on whether boards exercised appropriate oversight. Under the DPDP regime, lapses such as failure to implement cybersecurity frameworks, inadequate vendor due diligence, or delayed breach response can be attributed to board-level neglect.

Insurance Market Response: Premiums, Exclusions, and Scrutiny

The Indian insurance market, supported by global reinsurers, has responded predictably to this evolving risk:

Premium Inflation: Data-intensive sectors such as technology, fintech, healthcare, and e-commerce are witnessing noticeable increases in D&O premiums. Insurers are pricing in the uncertainty of enforcement and the potential for high-value claims.

Narrowing Coverage: Policies are increasingly:

  • carving out cyber-related incidents or subjecting them to sub-limits;
  • excluding regulatory fines where legally permissible; and
  • tightening definitions of “wrongful acts” to limit exposure.

Higher Retentions and Co-Insurance: Insured entities are being required to retain a greater portion of risk, reflecting insurers’ cautious stance.

Enhanced Underwriting Due Diligence: Underwriters now routinely evaluate:

  • existence of a data protection officer or equivalent function;
  • maturity of cybersecurity infrastructure;
  • incident response protocols;
  • vendor and processor risk management frameworks; and
  • board-level reporting mechanisms on data governance.

In effect, insurance pricing is becoming a proxy for governance quality.

The Interplay Between Cyber Insurance and D&O Cover

A critical development in the post-DPDP landscape is the functional separation between cyber insurance and D&O insurance.

  • Cyber insurance addresses first-party and operational losses such as forensic investigation, system restoration, and breach notification costs.
  • D&O insurance, by contrast, responds to claims alleging mismanagement, breach of duty, or failure of oversight by directors and officers.

Historically, some overlap existed between these products. However, insurers are now actively delineating boundaries, resulting in potential coverage gaps if organisations rely on D&O policies alone. A coordinated insurance strategy is therefore essential.

It bears emphasis that the DPDP Act does not, in itself, impose strict personal liability on directors for every contravention. However, two factors sustain D&O exposure:

  • Derivative and secondary liability frameworks under Indian law may still implicate directors where offences occur with their consent, connivance, or attributable neglect.
  • D&O policies are triggered by allegations, not final adjudications. Even unproven claims can generate substantial defence costs.

Thus, the rise in premiums reflects not only actual liability risk, but also the cost of defending governance-related claims in an increasingly litigious environment.

Strategic Considerations for Boards

In this evolving landscape, boards must move beyond a compliance-centric approach and adopt a governance-led strategy. Key measures include:

  • Institutionalising Data Governance: Establish formal reporting lines to the board on data protection risks and compliance status.
  • Documenting Oversight: Maintain detailed records of board deliberations, risk assessments, and decisions relating to data governance.
  • Strengthening Vendor Management: Ensure contractual and operational safeguards when engaging data processors, with clear allocation of responsibilities.
  • Testing Incident Response Mechanisms: Conduct periodic simulations to evaluate breach readiness and response timelines.
  • Aligning Insurance Architecture: Review D&O and cyber policies holistically to identify and address coverage gaps.

Such steps not only mitigate legal exposure but also favourably influence underwriting outcomes, potentially stabilising or reducing premium escalation.

Conclusion

The DPDP Act represents more than a regulatory milestone; it signals a broader transformation in how data risk is perceived and governed in India. For directors and officers, this transformation translates into heightened scrutiny, expanded exposure to allegations, and a recalibrated insurance market.

The increase in D&O premiums is neither incidental nor temporary. It is a rational response to a legal regime that elevates data governance to the core of corporate accountability. Organisations that proactively embed robust oversight mechanisms will not only enhance compliance but also position themselves advantageously in negotiations with insurers.

In the final analysis, D&O insurance in the DPDP era is no longer a passive safeguard but an active reflection of governance maturity.
