The value of boardroom engagement

Digital infrastructure is increasing the risk and severity of data breaches and cyber attacks that can lead to regulatory action across multiple jurisdictions, heavy fines and scrutiny of boardroom responsibility. For instance, contravention of the European Union General Data Protection Regulation (GDPR) can result in fines of up to €20m or 4% of worldwide annual revenue, and directors, if found to have not exercised reasonable care and diligence, could face criminal charges or lawsuits from the company’s shareholders. 

Digital infrastructure is increasing the risk and severity of data breaches

In addition, where the board or management was perceived to have delayed action or failed to make full disclosures to consumers and the financial markets about data breaches, shareholders have filed securities class actions against their companies and their directors and officers.

The unpredictability of geopolitical tensions and a trend towards populist parties in elections increases the possibility of governments and authorities intensifying their scrutiny of large institutions and those who run them. If a long-standing regime is replaced with a more hostile one, the relationships that local directors have built up over time may become worthless overnight.

Moreover, the regulatory and legal environment in which a company operates may become uncertain or unpredictable as regimes change. As discussed below, risk professionals must ensure that their organisation is monitoring developments in all jurisdictions in which it operates, especially where there are directors and officers on the ground.

As climate and environmental disruption increases, shareholders and customers want to see more action taken to show that directors are not only preparing for the impact on their organisations but also that they are behaving as a responsible corporate citizen.

In the US, ExxonMobil has faced fraud investigations from New York and Massachusetts, with the former ultimately issuing a lawsuit that named former chairman and CEO Rex Tillerson as a defendant. Organisations across many sectors are waking up to the likelihood of increased scrutiny headed their way from governments, shareholders and consumers if they are viewed as not acting responsibly on this and other issues of corporate social responsibility.

Emerging threats

Activity from the Serious Fraud Office (SFO) in the UK and other prosecutors around the world has increased significantly during the past decade. The UK’s National Crime Agency has become more proactive in its investigations, evolving into the UK’s FBI equivalent, and is spending time and resources uncovering cyber crime. And the increased activity is not limited to the UK.

There is more co-operation between various national governments as well as supranational bodies. The focus of these investigations include accountancy fraud, bribery and other forms of corruption, environmental violations, and health and safety breaches.

“Regulators and enforcement agencies became much more active after the financial crisis than they had been in the past,” says Kevin M. LaCroix, a US-based D&O attorney and Executive Vice President of RT ProExec. “They have begun collaborating more with each other in the past five years. Regulators have discovered their powers, they are using them more and, as a result, there is much greater claims frequency in the market.” 

The Deferred Prosecution Agreements entered into by the SFO with Standard Bank (2015), Rolls-Royce (2017) and Tesco (2017), for example, may have caught the headlines, but activity and defence costs are increasing in multiple territories around the world.

In the US, securities class actions remain a common source of large claims, as do group litigation actions in other countries. The latter is expected to become more common and easier to execute closer to home after the European Parliament approved rules in March 2019 allowing groups of consumers harmed by illegal practices to launch collective actions and seek compensation.

Previously, only 19 member states had the legal framework for facilitating action from mass victims of harm.

More effort needs to be made to educate senior leaders about coverage and the process to access it in the event of a claim

Not just big business

The D&O risks facing small-to-medium enterprises (SMEs) may sometimes be overlooked, but they are no less important for the survival of the business. Claims can arise from the regulatory actions already discussed, but SME directors should also be mindful of employees, creditors and clients pursuing legal action against them as well as public relations crises.

SMEs should not underestimate the cost of defending a claim or responding to an investigation. When purchasing D&O insurance, £1 million in costs may sound like a lot of money, but if several directors are subject to a criminal investigation, then it is unlikely to be enough to cover all the defence costs.

When a D&O insurance policy is bought, more emphasis needs to be made on education for directors and officers about the coverage and the process to access it in the event of the notification of an event or a claim. It is more common among SMEs for their coverage and limits to go to waste because notification was made too late or not at all.

“This is more common than you might think. We have had brokers come to us two years after the event to say there has been a claim,” says Noona Barlow, Head of International Financial Lines Claims at AIG.

Regulators have discovered their powers and, as a result, there is much greater claims frequency in the market

Kevin M. LaCroix, US-based D&O attorney

Myths, misunderstandings and missteps

D&O insurance typically provides liability cover for current, future and past directors and officers of a company, including its subsidiaries. Given the potentially significant costs and serious personal impact of a D&O claim, if something goes wrong with the insurance coverage, the relevant director will come to the risk manager for answers. There are common misconceptions concerning how a D&O policy responds that are important to understand before buying coverage.

Misstep: Lack of awareness of personal liabilities

Only 18% believe their directors are aware of their personal liabilities, and only 14% are confident that their directors have read and understood their D&O policy (Figure 4). This suggests a perception of complacency within the boardroom that an investigation or action will not happen to them.

“There is a perception in some businesses that ‘we don’t have the problem’, ‘it will not happen to us’ and ‘we don’t want to hear from anyone that suggests otherwise’,” says Neil O’May, Partner at Norton Rose Fulbright LLP.

“There are two camps. Those organisations that have experienced an investigation and are well prepared for the next one. And those that have never had an investigation and do not know what to expect. The latter will often not have the internal governance in place to know who in the organisation should be dealing with the investigator – that is absolutely essential, particularly when it is a criminal investigation.”

If directors do not fully understand the liabilities they face and the events that can lead to claims, then it is unlikely they will be prepared to respond appropriately when an action develops. It is essential that directors and officers are fully aware of the notification process to follow with any type of claim or circumstance that might give rise to a claim. As such, all named directors and officers in a policy should be fully aware of the coverage they have and the process to follow in the event of an action.

If reporting the claim is delayed because the subject or organisation did not believe that it would be covered under its policy, then legal costs incurred before the claim was reported to the insurer will generally not be covered under the policy. In addition, the insurer can provide critical guidance about steps to take in dealing with a claim, so there is no impact on the conduct of the claim or the defence.

If the risk manager, relevant directors and officers, and other internal stakeholders understand the policy and when it applies, then the organisation is more likely to notify brokers and insurers immediately, in order to set the claims process in motion.

Myth: My policy contains sufficient limits for all defence costs

The costs associated with an SFO investigation and prosecution can be hard to predict (figure 5) but will quickly escalate as lawyers are retained. While 45% of survey respondents believe that the average per director defence costs will reach £1 million, a similar 44% think it would be less than that.

The individuals concerned will want to retain the best defence lawyers possible in the event of a prosecution. Depending on the subject matter of the prosecution, a specialist lawyer may be required. In fact, SFO defence costs can be as much as £4m per director, and in some instances the costs are even higher.

Misunderstanding: Director defence costs are prioritised

Only 18% of respondents are confident there is a clear process in place for who gets paid first under their D&O policy (Figure 4). This is a common confusion and can result from not understanding the policy purchased, or the insurer’s obligations. If multiple directors and officers are targeted in a regulatory or enforcement action that is covered by the D&O policy, then each will likely retain a separate lawyer. Once the insurer has been notified and approval received, the insurer will begin paying the legal fees. The policy will not stipulate or prioritise which director’s claims are paid first. If the policy limit is exhausted, the insurer is under no obligation to continue paying defence costs.

A traditional D&O policy will provide cover for non-indemnifiable loss for directors and officers (Side A), indemnifiable loss (Side B) and sometimes loss to the company itself for securities claims (Side C). If an action takes place that results in Side B and Side C losses, it is possible that the limits will be exhausted before covering any potential Side A losses. As a result, Side A difference-in-conditions (DIC) can be bought to provide additional limits to named individuals and sit on top of the traditional D&O policy.

“Buyers need to determine their strategy and priorities when buying a D&O policy,” says Noona Barlow, Head of International Financial Fines Claims at AIG. “Some buyers will prioritise balance sheet protection in the event the company is sued. Some companies will only buy Side A or treat it as only Side A for the main board in a catastrophic event. Identifying and communicating the strategy from the beginning will avoid confusion when a claim arises.”

Buyers need to determine their strategy and priorities when buying a D&O policy

Misstep: Recruiting a (expensive) lawyer prior to notification

In most D&O policies, the insurer’s consent is required before lawyers are retained by the company or an individual director. If the insured does not follow this process, then it risks the insurer declining to cover these defence costs, when coverage may have been available if the correct protocols had been followed.

Moreover, most companies will not have experience in handling a D&O claim. A knowledgeable D&O insurer will have extensive experience with D&O claims, including which legal advisors can assist with specialist claims. Hiring the wrong advisor early in a case can increase the overall cost and prejudice possible defences.

Misunderstanding: What does a D&O policy pay for?

In the UK and Europe, D&O insurers typically pay out more in defence costs for directors and officers than they do for settlements or indemnity payments, but our survey shows more than half of respondents did not know this (Figure 6).

In the US, the majority of large claims payments result from securities actions which will often lead to a settlement. D&O policies generally provide broad coverage that ensures defence costs are paid in full until the limit is exhausted, or the director admits fraud or is found guilty. At that point, coverage will end.

D&O Essentials

Risk professionals need to have an in-depth understanding of the product they are buying and how it will respond in the event of a claim. As emphasised above, time is of the essence, so having a clear plan in place when action is taken against the organisation or a director will pay off.

Collaboration

While risk professionals need to consider and assess the exposures facing their organisation’s directors, it is only through collaboration with the board that they will fully understand the risk profile.

When buying coverage, those directors likely to be the subject of claims under the policy should be involved in the risk strategy and risk mapping process. This will ensure that all stakeholders relevant to the policy will have an early insight into the types of coverage available, and what may be excluded.

Only 38% of respondents believe the board is completely aware of their D&O policy, while 37% said boards were completely aware of the policy limits. There is even less confidence in board awareness of specific risks such as GDPR, social media and the #MeToo movement (Figure 7).

The risks resulting from GDPR, the rise of social media and the #MeToo movement should not be underestimated as these have all resulted in D&O claim notifications.

Review policies and anticipate new threats

The risks facing directors and officers have evolved, and these changing priorities should be reflected in the risk management approach and insurance procured. When asked what topics were of most concern within the boardroom, data security (68%) emerged as the top threat (Figure 8). However, just 59% of respondents believe that the board is aware of the scope of D&O liability cover for GDPR issues. If boards view this risk as a top concern, they need to be prepared and informed of their liability and coverage should an action arise.

Workplace diversity and culture issues also appear low on the boardroom agenda. Since the #MeToo movement began in 2017, it has damaged severely, sometimes fatally, the reputations of numerous high profile business people and their companies. Directors do not need to be the perpetrators to be held to account. Several D&O claims have been brought where boards turned a blind eye to a culture permissive of discrimination or harassment, choosing to protect prominent business leaders or leave the details to HR rather actively manage the risk. Scrutiny and public monitoring of the gender pay gap should also be elevating these issues to the boardroom and be reflected in the attention given to the personal liabilities of individual directors for failure to act on these issues.

The organisation’s D&O risks and the policies bought to protect directors should be reviewed each year. As a part of this process, the legal environment, regulatory change and claims activity in the countries in which they operate should also be assessed to gauge trends and the priorities of national governments and law enforcement agencies. It is not uncommon for the regulatory environment to change and a country that was previously passive on D&O scrutiny to become more aggressive.

Similarly, while corruption and bribery are significantly lower on the boardroom’s priority list (20%), they remain a common (and expensive) source of claims activity.

Governance

Bringing emerging risks to the board’s attention will be more straightforward if other internal changes are made regarding risk culture. Risk committees will benefit from more diverse representation from across the organisation. Only a quarter of respondents said they have restructured risk committees in the last 12 months to include more representation from other functions, such as Public

Relations and Human Resources. Input from these functions would provide greater visibility on workplace issues, such as the #MeToo movement. Similarly, an organisational cultural assessment will bring these topics to the fore. Only 27% of respondents have executed this in the last 12 months.

The investigation, if managed inappropriately, can be as bad for the business as it is for the criminal investigation

Scenario testing

Producing hypothetical scenarios concerning D&O exposures can help risk managers and the board understand any potential coverage gaps and obstacles in the claims process. If the board is given clear examples about how it could be at risk and the situations where liability might arise, it will heighten awareness and encourage the board to stay informed about how its D&O insurance policy works.

Market developments

Despite the D&O insurance market hardening for certain industries immediately after the 2008 financial crises, rates have largely decreased during the last decade, with coverage becoming broader and capacity increasing. The global D&O market saw underwriting results deteriorate in 2016 and 2017, driven by increased claims activity resulting from issues such as securities class action claims in the US, greater cross-border co-operation on investigations, particularly those related to cyber crime, and a string of high-profile corporate scandals such as VW, Petrobas and the Equifax data breach.

More claims are arising and defence costs are spiralling. Costs vary across regions, however, making awareness and regular review of the countries the company is operating in essential. Today, defence costs are particularly expensive in territories one might expect, such as the US and the UK. However, costs can also be eye-wateringly high in territories that boards may not be as focused on, such as South Korea and India. Accordingly, these trends should be monitored across the organisation’s footprint.

Be prepared

As a result, it is more important than ever that risk professionals fully understand the relevant risks to their directors and officers, and ensure the right protocols are in place for good corporate governance that can prevent a claim. Providing ample and accurate information on the evolving exposures, as well as compliance procedures to directors and officers would help elevate understanding. Issues to be covered could include anti-money laundering protocols, insider trading policy, and bribery and corruption training.

Those covered by the company-bought D&O policy should also be in no doubt about how, who and when to notify in the event of a claim. The insurer notification requirements must be clear, but there should also be a well-communicated process about who internally needs to be kept informed. For many companies, a sensible process may be to ensure that the general counsel is made aware of the policy and helps manage this process.

“The C-suite has to understand what a criminal investigation entails and there has to be teaching about it,” says Neil O’May, Partner at Norton Rose Fulbright LLP. “The investigation, if managed inappropriately, can be as bad for the business as it is for the criminal investigation. If it is badly handled, it is a business wrecker. It goes on for too long and ratchets up costs.”

Key takeaways

• Read and understand the impact of the FRC’s latest UK Corporate Governance Code
• Identify and review regularly the personal liability faced by the organisation’s directors and officers
  
• Engage the C-suite and the board from the beginning on D&O risk assessment and insurance design and purchases
  
• Design and communicate a clear notification and claims management process in the event of a claim
  
• Review the risk profile, notification process and coverage as directors and officers change