Risks facing directors & officers
October 2020 | ROUNDTABLE | BOARDROOM INTELLIGENCE
Financier Worldwide Magazine
October 2020 Issue
The coronavirus (COVID-19) pandemic crisis has created a challenging environment for directors & officers (D&Os), causing an uptick in the level of risk and liability they face. Claims by shareholders, investors and third parties are set to increase, while litigation funding could fuel more class action style litigation. Regulatory scrutiny is also escalating. With COVID-19 having brought a microscope to firms’ culture, now more than ever it is essential for D&Os to monitor and document how they fulfil their fiduciary duties and exercise proper business judgment.
FW: Could you outline how the risks facing D&Os have evolved recently? What key factors are shaping the risk landscape?
Surgeoner: The coronavirus (COVID-19) crisis has created an even more challenging environment for directors. The risk of derivative actions, investor action or regulatory scrutiny has dramatically increased at a time when businesses are facing a huge threat to their business while trying to keep their employees safe. COVID-19 has brought a microscope to firms’ culture and an expectation of a greener future leading to an increasing focus on climate change. And the ‘big two’ threats of a cyber attack and data loss are ever present.
Suskin: Shareholder class actions against companies and directors and officers (D&Os) continue to be filed at a high rate due to a wide range of circumstances. A recent report by Cornerstone Research showed that 182 new securities class action cases were filed in the first half of 2020. During that period, on an annualised basis, one in 21 S&P 500 companies was sued in shareholder litigation. Lawsuits are event-driven, such as stock drop cases, as well as being instigated by announcements of M&A activity, although M&A-related litigation has slowed during the recent economic downturn. Notably, over 30 percent of the filings were against non-US issuers; in fact, the number of filings against non-US issuers is on pace to be the highest on record. Among the trends, reflecting key factors shaping the risk landscape, are an increased number of shareholder lawsuits against companies in the cryptocurrencies and cannabis industries. Additionally, a wave of cases by shareholders has been filed against companies alleging misleading or inadequate disclosures relating to the companies’ responses to the COVID-19 pandemic.
Hadwin: From a UK perspective, the evolution of risks faced by D&Os continues to be one of greater scrutiny and potential liability. This is both in terms of the legal and regulatory obligations that D&Os face and the expectations that shareholders and third parties have of them. In the financial services sector, the Senior Managers Regime (SMR) continues to be a key factor in the risk landscape as directors are considered to be the front line in managing risk and meeting legal and regulatory obligations on behalf of their companies. More broadly, cyber risk is, now more than ever, a prominent area for D&Os to understand for two reasons. First, with the COVID-19 pandemic, entire workforces now operate entirely from the comfort of their own homes, shifting the security focus to home-based working rather than office-based working. Secondly, we are starting to see the emergence of US-style class actions being brought following cyber attacks, which is likely to generate criticism of, and potentially shareholder derivative claims against, the boards of companies. Even before COVID-19, regulators emphasised that boards should adopt a top-down approach to managing cyber risk, which is indicative of a broader shift toward risk management being something which has to be implemented at all levels of an organisation, and that starts with the board.
Bentz: One of most notable trends shaping the risk landscape has been the hardening of the D&O insurance market. This is the first hard market we have seen in roughly 15 years. This hard market is the result of more frequent and severe losses, a deteriorating risk landscape, event-driven litigation and increasing legal fees. The increase in security class actions over the years, caused by some key legal decisions, has also fuelled the rising cost of D&O coverage. Moreover, D&Os are now facing novel, contemporary issues related to cyber security and data privacy, as well as a slew of challenges in the face of COVID-19.
FW: To what extent are high-ranking executives being held personally responsible and liable for transgressions occurring within their company?
Suskin: D&Os are routinely named in shareholder lawsuits in order for shareholders to tap into D&O insurance coverage, but it remains relatively rare for D&Os to be held personally responsible or liable to pay out of their own pockets. Most D&Os are indemnified by the corporation’s bylaws to the fullest extent of the law, in addition to being covered by D&O insurance, which generally leaves D&Os exposed to personal liability only in instances of proven intent to defraud. But there are certainly exceptions, including the well-known instances of corporate officers of Enron and WorldCom being sentenced to prison for securities law violations. More recently, in 2020, a chief executive was sentenced to 40 months in prison for antitrust violations involving price fixing in the canned tuna industry. In these instances, availability of D&O insurance is important to cover legal defence costs, particularly if the corporation is bankrupt and unable to indemnify.
Hadwin: From a regulatory perspective, the UK Financial Conduct Authority (FCA) is continuing to take its enforcement role against executives very seriously. In the FCA 2018/19 Annual Enforcement Report, a total of eight executives received significant financial penalties, totalling £80.2m, for breaches of anti-money laundering (AML) regulations and whistleblowing. Beyond regulator enforcement, shareholder activism is also holding executives accountable, including, in the most serious circumstances, by way of shareholder derivative lawsuits. Lawsuits of this type sometimes treat poor commercial performance as automatically equating to a breach of duty on the part of the director in and of itself. Poor commercial performance has brought this into greater focus during the COVID-19 crisis, particularly as many companies have been hit hard by the pandemic. However, legally this is not the case, but it demonstrates the aggressive approach that some shareholders are willing to take.
Bentz: Although D&Os can be held personally liable in a civil action for an alleged breach of duty, indemnification obligations of the company and D&O insurance often mitigate or eliminate that exposure. Therefore, it is critically important to have and maintain a strong risk management programme, including adequate insurance limits. Failure to maintain adequate insurance may leave a director or officer personally exposed to plaintiffs who do not feel that they can be adequately compensated by an insurance policy for their losses. It is important to remember that most D&O policies are ‘wasting policies’, which means that defence costs can reduce or eliminate the limit of the policy available to settle or resolve claims. As defence costs increase, this is becoming more of a concern for many companies.
Surgeoner: It is still relatively rare in the UK for high-ranking executives to be held personally responsible and liable for transgressions occurring within their company. That said, there have been a number of high-profile prosecutions that, while unsuccessful, have made it plain that criminal exposure for directors will continue. It is also important to consider US exposure and cover for extradition proceedings in the event of criminal prosecution in the US.
FW: Could you highlight any recent claims against D&Os in which the outcome proved to be particularly significant?
Hadwin: Cyber risk is a key topic here. The D&O implications of large-scale, high-profile cyber attacks were brought into focus by a number of shareholder derivative suits in the US that were brought against directors in the aftermath of large data breaches, alleging that directors had failed to manage and mitigate cyber risk adequately. While we have not yet seen this in the UK, claims of this kind are likely to grow, particularly with the emergence of large class actions being brought by claimant law firms following cyber breaches. The risk is further exacerbated by the fact that the General Data Protection Regulation (GDPR) imposes stringent burdens on companies that process European Economic Area (EEA) citizens’ data. The Information Commissioner’s Office’s (ICO’s) recent intentions to impose heavy turnover-based fines demonstrates how significant the penalties imposed under the GDPR can be. Shareholders, regulators and customers may look to the board to ascertain what went wrong.
Surgeoner: The recent case of Hunt (as Liquidator of System Building Services Group Ltd v Michie & Ors) confirmed that a director’s duties continue after the company has become insolvent, bringing clarity to this issue. Directors should consider carefully what D&O cover is available to them in these circumstances and also pay careful attention to their conduct, particularly in relation to pre-pack deals.
Bentz: In its 2018 Cyan case, the US Supreme Court held that state courts retain concurrent jurisdiction with federal courts for liability actions arising under the Securities Act of 1933, thereby preventing defendants from removing cases filed in state court to federal court. As a safeguard, Delaware corporations would insert a forum selection clause in their charters, forcing certain ‘33 Act litigation to occur in federal court. The problem was that the Court of Chancery later held such forum selection clauses unenforceable, under the theory that such ‘33 Act claims do not relate to the ‘internal affairs’ of a corporation, and therefore could not be governed by Delaware corporate law. However, in its 2020 Sciabacucchi decision, the Delaware Supreme Court held that forum selection clauses are indeed enforceable, rebutted the Chancery Court’s ‘internal versus external affairs’ argument, and provided insureds with a way to control the forum for certain ‘33 Act disputes.
Suskin: A case that continues to generate a lot of attention is the Delaware Supreme Court’s decision in 2019 involving Blue Bell Creameries USA, where the court made clear that to satisfy their duty of loyalty, directors must make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks. Failure to do so may expose directors to liability. That ruling has caused many boards of directors to evaluate the integrity of their companies’ internal controls and the efficacy of the boards’ oversight functions.
FW: How important is it for D&Os to ensure they have appropriate levels of D&O liability insurance coverage in place? How can D&Os accurately determine whether or not their insurance coverage is equal to the range of risk scenarios that exist?
Bentz: Simply put, it is very important for D&Os to ensure they have appropriate levels of cover in place. While there is no foolproof way to determine the perfect amount of D&O insurance, there are factors that can inform insureds as to the proper amount of insurance they need to feel comfortable. Perhaps the most scientific way to determine the appropriate D&O insurance limit is to consider a claims study. Benchmarking studies also provide an insured with information about what limit the insured’s ‘peer companies’ are purchasing. As for selecting a retention, an insured should select a retention that is above what it takes to resolve a typical ‘cost of doing business’ type claim, but below the point where satisfying the retention would have a significant, negative impact on the insured’s operations. Within that range, the insured must balance the cost of a policy with a lower retention amount against the cost of a policy with a higher retention amount.
Suskin: Companies should take a holistic approach to ensuring they offer their D&Os an appropriate level of coverage. This includes having the D&O insurance programme provide, in addition to Side-A only coverage, other coverage programmes for errors and omissions, property, products – if relevant to the business in question – cyber and general liability. Consulting with outside insurance coverage counsel and insurance brokers is important to making an accurate determination whether insurance coverage is adequate. And it is equally important that D&Os, before accepting their positions, investigate and ask questions to confirm that they are appropriately covered. After all, it is their personal assets that are at risk if coverage is insufficient.
Surgeoner: The true test for any insurance is how it responds when it is needed. Too often it is seen as a ‘boilerplate’ part of risk management. Is there D&O insurance? Box ticked if the answer is yes. However, those responsible for procuring the insurance should spend time with their broker analysing their business and where claims may emanate from, and working with the directors to ensure appropriate levels of cover. This will always be a trade-off between available limits and budget.
Hadwin: Companies and their D&Os should work together to scope the liability risks that the D&Os face globally and should then cooperate to ensure that appropriate protections are in place to mitigate those risks. These protections will most likely take the form of a corporate indemnity and D&O insurance cover. This position, in terms of both the liability risks and the appropriate means of protection, should be kept under constant review, bearing in mind that the risk landscape is anything but static.
FW: What aspects should companies and their D&Os focus on when assessing the specifics of a D&O liability policy? Are there any common pitfalls, for example?
Suskin: Common pitfalls are failing to identify gaps and limitations in coverage that do not address ever-changing circumstances. For example, pre-COVID-19, many companies overlooked exclusions relating to pandemics and business interruption caused by government shutdowns. Those companies now find themselves exposed to uncovered losses and shareholder lawsuits blaming the companies and their boards for the omissions. One aspect that is particularly important, and overlooked, is with regard to insurer control over selection of counsel to defend D&Os when shareholders sue. D&Os understandably prefer to be defended by counsel with whom they are familiar. But D&O policies often give the insurer significant influence or control over selection of counsel, frequently in connection with the insurer having negotiated significant rate discounts with select panel counsel. D&Os should examine whether their regular outside panel counsel will be on the insurer’s approved list and, if they are not, negotiate their inclusion at the policy’s inception. It is usually difficult to get counsel approved later, and approval may be tied to significant concessions on rate discounts that the counsel may be unable or unwilling to accept. It is also important to make sure policies include coverage for investigations. Not all policies do, and some that do have limitations that unrealistically underestimate the costs of conducting such investigations. Additionally, many policies do not cover responding to government subpoenas, including as non-party witnesses, but such responses can entail exceptionally high costs, particularly where identification, recovery and production of electronically stored information is involved.
Surgeoner: In my experience, companies and directors should focus on the defence costs section of the policy. Directors face increased regulatory scrutiny and risk of criminal investigation and it is vital that in these circumstances the policy responds to provide cover for defence costs. All too often, the policy is dusted down at a time of crisis and significant personal stress, only for the operation of the policy to be less clear than one would have hoped.
Hadwin: Companies should always analyse the scope of and limitations on D&O cover to ensure that it matches the risk profile faced by the D&Os. For example, is the limit of indemnity sufficient? Is the definition of ‘insured person’ broad enough to include all relevant individuals in the appropriate contexts, such as individuals with particular regulatory responsibilities? Companies should also make sure that triggers for cover are early enough. This is because regulators have, in recent years, increasingly made enquiries of D&Os in particular circumstances, in a way which falls short of being a full-blown investigation. Ideally, D&O policies should cover any costs incurred in responding to those enquiries, notwithstanding that a formal ‘investigation’, which was traditionally the trigger for investigation costs cover in many D&O policies, has not been commenced.
Bentz: Perhaps the most important factor to consider when deciding which D&O policy to purchase are the terms and conditions of the policy itself. Terms and conditions in D&O policies are not standard. An insured who saves a few dollars in premium by selecting an inferior policy may find themselves being ‘penny-wise but pound-foolish’. Other important factors to consider include understanding an insurer’s claims handling process, its financial ratings and its longevity in the industry. As for pitfalls, risk managers should be wary of failing to appreciate the importance of the D&O application, failing to analyse the ‘duty to defend’ language, and the hourly limits when selecting counsel, and failing to understand how excess and other insurance policies interact with the D&O policy.
FW: What advice would you impart to D&Os on regularly revisiting and reviewing their D&O policies to account for new developments and changing circumstances?
Bentz: Understanding risk is not a once-a-year project. The D&O insurance market is always changing. Insurance carriers are constantly monitoring risk trends and making changes to their policy terms and pricing accordingly. A company that is not doing the same cannot keep up. Unfortunately, most D&Os have little day-to-day exposure to the different policy terms that are available or the most up-to-date issues in the insurance industry. That is why it is so critically important for insureds to regularly review their D&O policies with an experienced D&O insurance broker and an insurance attorney specialising in D&O insurance coverage. This is especially important during this hard market cycle where many insurers are making ‘minor’ changes that could have a significant impact on coverage. Failing to understand the impact of a change, or the alternatives that may be available, can have a catastrophic impact on coverage.
Hadwin: COVID-19 is certainly a testing time for D&Os. With economic uncertainty, boards must take difficult decisions, whether that be furloughing staff, rescheduling loan repayments or finding emergency funding. All these activities pose a significant threat to the potential personal liability of D&Os. While companies should regularly review their policies, in the midst of this crisis, companies should review the measures they have in place to reduce the risk of personal liability to D&Os to ensure that D&Os are not distracted by the risk of personal liability to shareholders for their good faith business decisions which later might be second guessed if their company should suffer significant losses or fail.
Surgeoner: Reviewing D&O policies is critical and simply cannot be emphasised enough. It should be an essential part of any risk management programme. The broker can also play an important role in identifying trends, claims in the market and appropriate levels of cover.
Suskin: D&Os must review their policies, but they should not try to do it on their own. The board should engage separate counsel to regularly review their D&O policies and indemnification to identify gaps and limitations in coverage in view of ever-changing circumstances. And when D&Os learn of new trends and developments in the business world – such as the risk of cyber breaches, liability for ‘#MeToo’ misconduct of others, failures to make adequate disclosures about responses to pandemics or risks of business interruption – they should revisit and review their policies again, to confirm that they are covered for these new and previously unexpected risks.
FW: Looking ahead, do you expect the level of risk and liability facing D&Os to increase? How do D&Os themselves need to respond?
Hadwin: Heightened regulatory scrutiny and higher shareholder expectations have become everyday concerns for D&Os. However, the emergence of class actions following cyber attacks is likely to be a new development that will cause significant concern for D&Os as we are starting to see companies having to manage risk on two fronts – managing the regulator on one and managing customer claims on the other – both of which will likely fuel shareholder activism. However, the challenge for directors continues to be understanding and dealing with emerging risks, which for this year has come in the form of COVID-19. As COVID-19 has changed the way many companies work, there is a heightened risk for D&Os to understand cyber risk now more than ever. Companies that do not put in place appropriate technical measures now may face claims against directors for not doing enough to protect their companies against cyber threats.
Surgeoner: Unfortunately, the level of risk and liability facing D&Os is only headed upwards. Claims are increasing by shareholders, investors and third parties – litigation funding is fuelling more class action style litigation. Regulators are increasing enforcement, and health and safety in light of COVID-19 has come back to the top of the agenda. There is no replacement for a sound risk assessment, risk management and risk mitigation programme, coupled with robust record keeping demonstrating consideration of the risks and subsequent decisions taken in relation to issues facing the company.
Suskin: As Yogi Berra said, “It’s difficult to make predictions, especially about the future”. Indeed, it is very daunting to try to anticipate what new and unexpected risks might confront D&Os in the years ahead, as the landscape becomes more complex, international and unpredictable in scope. Very few, if any, predicted a couple years ago the explosion in ‘#MeToo’ investigations and claims that are now being lodged with increased frequency against D&Os and their companies for having failed to prevent alleged misconduct. Likewise, in the securities litigation arena, efforts at bringing shareholder class actions in foreign jurisdictions are getting more traction. Additionally, shareholder activist campaigns, including demands for books and records under Delaware’s General Corporation Law Section 220 and analogous statutes in other states, shareholder derivative demands and shareholder derivative lawsuits, continue to evolve as new controversies ‘de jour’ unfold. The subject matters of the campaigns have been wide ranging, including issues concerning accounting internal controls, internal controls related to cyber breaches, Foreign Corrupt Practices Act (FCPA) violations and allegedly excessive compensation of D&Os. All of this elevated risk of liability has been exacerbated by the trend of having shareholder activism being supported by litigation funding firms. The consequence is that the opposition can afford to be more aggressive and has considerable added staying power to remain in the fight. All of which augers for the importance of confirming that D&Os have robust insurance coverage.
Bentz: Both the risk and liability facing D&Os is increasing. This is reflected in the hardening D&O insurance market and the uncertainties of exposure related to the pandemic. During this time, it is more important than ever for D&Os to monitor and document how they are fulfilling their fiduciary duties and exercising proper business judgment. Businesses facing financial distress should consider their unique fiduciary duties related to insolvency and how their potential exposure may be addressed in their D&O policy. It is very important to make sure that the D&O policy prioritises coverage for individual D&Os, as opposed to the company. Again, minor changes to the policy on this topic could make a significant difference if the company is forced to file for bankruptcy protection.
Stephen Surgeoner advises on all forms of commercial dispute resolution, with a focus on the banking, funds, insurance, energy and telecommunications industries. He has considerable experience in high-value, cross-jurisdictional complex commercial litigation, as well as domestic and international arbitration and mediation. He also advises financial institutions and corporate enterprises on risk mitigation including the use of insurance products such as political risk, credit, directors and officers, and warranty and indemnity insurance. He can be contacted on +44 (0)20 7184 7877 or by email: stephen.surgeoner@dechert.com.
Thomas H. Bentz Jr. is a partner at Holland & Knight LLP where he practices insurance law with a focus on directors and officers (D&Os), cyber and other management liability insurance policies. Mr Bentz is a co-chair of the firm’s insurance industry team and leads Holland & Knight’s D&O and management liability insurance team, which provides insight and guidance on ways to improve policy language and helps insureds maximise their possible insurance recovery. He can be contacted on +1 (202) 828 1879 or by email: thomas.bentz@hklaw.com.
Howard S. Suskin is a litigator with substantial first-chair experience in civil and criminal securities matters. He is co-chair of the firm’s securities litigation and enforcement practice and the class action practice. Individuals and businesses seek his counsel in such matters as class actions alleging securities fraud and misrepresentation claims, derivative actions claiming breach of fiduciary duty, contests for corporate control, and shareholder demands for corporate books and records. He can be contacted on +1 (312) 923 2604 or by email: hsuskin@jenner.com.
Steven Hadwin is a dispute resolution and risk advisory lawyer based in London. He is experienced on advising corporates and individuals on a range of commercial and operational risks, with a particular focus on cyber-related risks and risks facing directors and officers. He can be contacted on +44 (0)20 7444 2290 or by email: steven.hadwin@nortonrosefulbright.com.
© Financier Worldwide
THE PANELLISTS
Dechert LLP
Holland & Knight
Jenner & Block
Norton Rose Fulbright LLP