D&O claims related to mergers and acquisitions, as well as corruption and anti-competitive practices, have spiked recently. However, almost any executive failing that gives rise to a regulatory investigation or a fall in share value could result in liability and claims made against directors and officers.
Emissions testing allegations in the automotive industry have, for example, highlighted the potential for environmental or climate change related liability claims. Ethical and social issues, like modern day slavery in the supply chain, are another potential source of claims, as are employment or discrimination disputes.
“This can be seen in Germany, where corruption and cartel allegations have dominated executive liability claims in recent years. Almost any issue that arises from non-compliance could create an exposure,” explains Martin Zschech, Regional Head Financial Lines Central & Eastern Europe, AGCS.
Not only could these emerging exposures cause claims, but they would also expose the company to considerable reputational risk. A 2016 report¹ by Deloitte revealed that reputational damage was identified as the number one threat for large companies. “In Germany, a supervisory board could go after management for all kinds of scenarios. There is a fine line between business risk and a wrongful act,” says Zschech.
A number of fast-rising exposures – and their potential impact for directors – are considered in the following article.
Mergers and acquisitions (M&A) activity continues to be a key driver of D&O litigation and is predicted to continue at a rapid pace in future, as deal makers are motivated by low interest rates, healthy stock prices, good employment numbers and plenty of cash. Activity has been robust. According to industry experts, there were around 44,000 transactions worldwide in 2015, for a total value of $4.5trn and activity is expected to remain strong through 2016 and 2017.
M&A activity represents a critical time for companies and officers, whether as an acquirer or a target. Acquiring companies often face liquidity problems due to high acquisition costs, while targeted companies often face unprecedented scrutiny for past wrongful acts among executives.
As buyers and sellers are not always forthcoming about business operations and inherent risks, however, post-sale disputes are common and financial issues surface. Run-off claims can mean holding steep reserves and paying extra premiums for up to six years after the date of the transaction. According to Cornerstone Research, at the current pace, M&A-related filings in federal courts in the US will double the annual numbers observed in the last four years.
To help alleviate such matters and facilitate the process for a merger, acquisition, divestiture or other business transaction, parties are increasingly purchasing transactional liability insurance, which offers financial protection (for the company and shareholders) against inaccuracies made about target companies or businesses in connection with mergers, acquisitions and divestitures.
Between 2011 and 2015, reports show that use of transactional liability insurance, which is provided by insurers such as AGCS, has grown 240% globally. “Mergers and acquisitions, but also divestitures, belong to the riskier moments in the life of a company,” says Bernard Poncin, Global Head of Financial Lines, AGCS.
“Expectations are always high, and synergies are easier planned than realized. This unique and specific risk situation has also led to the development of new products. The appetite for transactional liability insurance has increased tremendously over the past couple of years with a global market penetration of 20%.”
Perhaps the most topical emerging liability risk for executives is technology, and cyber risk in particular. According to the 2016 Allianz Risk Barometer, cyber risks feature in the top three corporate risks for the first time. Companies are worried about the increasing sophistication of attacks but tend to underestimate the impact of technical IT failure, human error or even rogue employees as causes of costly damage. Data protection rules are becoming increasingly tough as government agencies bolster cyber security. This significantly impacts businesses; penalties for non-compliance can be severe.
Awareness of cyber risk is highest in the US, where strict data protection laws require companies to notify individuals of a breach, but a heightened cyber liability focus is seen in the Middle East, Singapore and Australia, while the European Union is also moving ahead with plans to harmonize its rules.
“Cyber and privacy is the number one emerging risk for directors and officers, but awareness and understanding of the risk is not always high,” says Paul Schiavone, Regional Head Financial Lines North America, AGCS.
A serious cyber incident can result in reputational and financial damage, as well as regulatory action. In more extreme cases a cyber security breach could cause a company’s share price to drop, which might in turn see directors sued for breach of their fiduciary duty. “It may be possible to claim substantial damages from directors if there has been negligence in any failure to protect data or a lack of controls,” says Emy Donavan, Regional Head of Cyber Liability North America, AGCS.
There have already been a number of securities class actions and derivative class actions filed in the US related to data breaches involving the theft of personally identifiable data, including those against Target and Home Depot. However, most cases are still pending and there remains little case law in this area. “There is uncertainty in US case law on the issue of directors’ cyber liabilities but that is not to say it can’t happen. It is only a matter of time before someone makes a successful argument that a director was negligent or had not paid attention to cyber security,” she says.
The introduction of tough EU data protection laws in 2018 will increase executives’ liabilities for data breaches or personal data misuse in Europe. Fines for breaching the rules are as high as 4% of global revenues, which could run to billions of dollars.
Several European countries – including France and Italy – have already taken steps to make directors liable if they fail to take reasonable steps to prevent a data breach. Boards are expected to have a detailed strategy for combating cyber risks and may face claims if they fail to do so.
According to law firm Clyde & Co, while to date claims by shareholders against directors in respect of cyber or data breach issues have been rare (in the UK for example, there had been none by mid-2016), as privacy and network security issues are increasingly viewed as a board issue, it may become more difficult for directors to escape liability in the event of a serious loss by the company.
As cyber security becomes a competitive advantage, the firm also predicts a potential rise in US securities class actions as a result of data breaches. The landscape for directors who do not prioritize data security issues is only going to get tougher on both sides of the Atlantic, and cyber security-related D&O litigation is anticipated more widely: in France, Spain, the UAE and Australia, to name but a few.
“Exposures also exist where companies with an overreliance on networks and systems do not have viable workarounds. If a director knew about such exposures but failed to put in place appropriate contingency plans, they could be made liable in the event of a sizable loss,” says Donavan. “There are a wide range of scenarios in which a director could be considered negligent, such as a fund transfer fraud or where a vulnerable network is compromised, leading to significant business interruption, property damage or loss of intellectual property,” she adds.
Directors’ cyber exposures are likely to grow further with the increased reliance on technology in many sectors. “Companies increasingly rely on technology, data and algorithms, which can become corrupted or contain flaws. For an analyst using predictive models to advise customers this could open up huge liabilities,” says Donavan.
Growth in outsourcing and cloud computing is also creating exposures. A breach at, or the failure of, an outsourcing partner could result in litigation if the directors failed to ensure appropriate due diligence and audits were carried out, for example.
The 2013 Target data breach involved a malware attack on one of the company’s vendors, giving hackers access to Target’s online vendor portal.
“Any cyber event that significantly impacts a company’s reputation and its share price could result in shareholder action. The best way that directors and officers can protect themselves is to discuss cyber risk at a board level and address these exposures as part of robust risk management solutions,” Donavan adds.
“Many directors used to see cyber as an IT issue and not an exposure for the board to consider,” says Donavan. “But there is no escaping cyber risk in the context of business judgment. Directors need to be adequately informed, otherwise they leave themselves exposed. While there is still not significant case law addressing cyber for directors and officers, it will not be possible to just plead ignorance. That will not save directors from personal liability.”
Executives are able to gain some protection – both directly and indirectly – for cyber related risks from insurance. Cyber risk is broad and touches on many areas of risk and insurance products, including financial lines, errors and omissions (E&O), professional liability, crime, general liability and kidnap and ransom. “Companies need to sit down and identify gaps in cover and seek solutions,” says Donavan.
Standalone cyber insurance has been designed to specifically cover business losses and liabilities arising from cyber exposures and can pay for the cost of important pre- and post-loss crisis management services that can help plan a response and mitigate the impact of a cyber event, she says.
Of particular concern to directors will be the extent of cover for regulatory investigations and legal defense costs available under a D&O policy. Some insurers have moved to include specific wordings for cyber-related executive liabilities. “Buying cyber insurance, or ensuring that cyber is not excluded from the D&O policy, is not sufficient,” says Donavan.
The concept of modern slavery is a broad one, including the likes of servitude, forced and compulsory labor and human trafficking. An estimated 45.8 million people are trapped in modern slavery globally, according to The Walk Free Foundation’s 2016 global slavery index², emphasizing the need for large organizations to focus on this potential risk in supply chains.
According to law firm Clyde & Co, in the UK for example, the Modern Slavery Act 2015 (MSA) is the latest response to this issue. Under the MSA, commercial organizations with a global turnover of £36m ($55.1m) or more, and conducting any part of their business in the UK, are required to publish an annual “slavery and human trafficking statement” setting out the steps (if any) taken to ensure modern slavery is not taking place in their own business and supply chains. The statement must be approved by the board and signed by a director. Although larger companies are affected, suppliers of any size need to take note, as they will undoubtedly come under pressure to ensure their own supply chains are in order.
Legal sanctions for failure to comply are limited – there are no fines or penalties, but the secretary of state is empowered to commence proceedings for an injunction requiring an organization to prepare a statement, with public scrutiny, reputational concerns and the press likely to be the primary drivers of compliance. California has similar legislation and non-governmental organizations are actively engaged in “public shaming” exercises, the law firm notes.
There are key sectoral (such as agriculture, construction, food-processing and home/domestic work) and country risks which will act as drivers for enhanced due diligence for those affected. Procurement policies addressing modern slavery, contractual protections in supply contracts, clear labor and whistleblowing policies will all be important.
While there may of course be repercussions for directors of companies that do not comply, the obligation is on the company, not the director personally. However, directors should ensure they have taken steps to verify the contents of the statement.
There are predictions that there will be considerable litigation arising from the MSA in future, with construction companies operating in Qatar cited as a sector that will be targeted by non-governmental organizations. The Freedom Fund has recently launched a guide which emphasizes the importance of strategic litigation to combat modern slavery.
The Costco litigation in California, brought by a consumer and which sought to represent all California consumers of Costco prawn products under the Californian Transparency in Supply Chains Act, while dismissed, highlights that class actions may be a sign of things to come. The stock drop that followed this litigation should also act as a warning sign to directors.