Risks facing directors & officers - old article

In today’s uncertain world, the risks facing directors & officers (D&Os) have never been greater. Increasingly, there is a trend toward D&Os being held personally liable for numerous wrongdoings. Liability is driven by a range of factors, including legislative changes and an uptick in enforcement activity. Clearly, D&Os cannot afford to turn a blind eye, so it is imperative that they are aware of the risks and exposures, and protect the interests of both themselves and their company in the most effective way possible.

FW: Could you outline some of the key factors currently driving the personal risks facing D&Os? What types of risk are generally being seen on a day-to-day basis?

Bentz: The Yates Memorandum from former deputy attorney general, Sally Yates, signalled a new emphasis on individual accountability for corporate wrongdoing by the Department of Justice (DOJ). Under the Yates Memorandum, in both criminal and civil enforcement matters, in order for a company to receive any consideration for cooperation, the company must completely disclose to the DOJ all relevant facts about individual misconduct. This includes identifying all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and providing to the DOJ all facts relating to that misconduct. In addition, the Yates Memorandum makes clear that civil actions should not be governed solely by whether an individual has an ability to pay. We have started to see the impact of this new emphasis on individual accountability. There have been a handful of settlements in the last year, with individuals paying significant amounts to resolve claims brought by the DOJ.

So: The global development of corporate governance rules and regulations and the focus on board accountability have heightened risks for D&Os, whether from regulators’ enforcement actions or civil liabilities arising from lawsuits. In China, a notable development in recent years is the strengthening of anti-corruption laws, with high-visibility, sustained enforcement actions. In Hong Kong, in November 2016, the Securities and Futures Commission (SFC) publicly stated that it had shifted its investigative focus towards corporate fraud and misconduct. As a result, an increasingly complex legal and regulatory environment has become part of what D&Os have to manage on a day-to-day basis. In addition, D&O lawsuits are now more common. D&Os can be held personally liable for a wide range of offences and breaches of duties or regulatory requirements, including false or misleading disclosure, anti-competition trade practice, fraudulent trading, breach of fiduciary duties, breach of financial reporting requirements, bribery and fraud.

Pflieger: The number of notifications pertinent to D&O policies has increased over recent years. One can link this evolution to intensified investigation carried out by regulatory bodies that are now cooperating and collaborating more across jurisdictions and, on the back of this, civil litigation ensues mainly in the form of shareholder and class actions. The regulators are notably focusing their enforcement actions in the fields of anti-corruption and antitrust. If a US regulator is involved, this also increases related costs significantly. One can see further evolution on the horizon due to the changing collective redress landscape in Europe, influenced by the increased availability of third-party litigation funding and often combined with the involvement of a US law firm. The March 2016 settlement of Fortis investor actions, for example, under the Dutch collective settlement procedures, along with other ongoing high-profile cases, most definitely points towards an increased uptake of collective redress actions in Europe.

Milstead: D&Os face risks of potential personal liability in overseeing and implementing the company’s regulatory and legal compliance. Companies operating in heavily-regulated industries in particular, such as the healthcare or finance industries, are frequent targets for regulatory enforcement or private shareholder actions under the US securities or state fiduciary duty laws. D&Os also face risks as activist shareholders and consumers increasingly scrutinise whether a company is complying with the law.

Flockhart: In many jurisdictions, directors face a more challenging risk landscape than ever. This is both in terms of the legal and regulatory obligations that they face and the expectations that shareholders and third parties have of them. Longstanding legal duties such as fiduciary duties to the company have been joined in recent years by greater regulatory obligations, particularly in the financial sector, and a greater willingness on behalf of regulators to take action against individual directors. One only has to look at the Senior Managers and Certification Regime (SMCR) in the UK financial sector to see that regulators now hold directors and senior executives to a very high standard in terms of their individual regulatory compliance. The general risk landscape affecting companies is also shifting quickly and directors need to adapt to this. Cyber risk, for example, has emerged as a key boardroom concern in recent years, and many directors face real challenges in understanding and mitigating this type of risk.

Mahnke: Other than in common law countries, the major risk for German D&Os lies in their personal liability towards the company. In addition, there is a reversal of evidence applicable. For example, if a company claims for personal liability against one of its directors, this person needs to prove that there was no breach of duty. Furthermore, the liability against board members of stock corporations cannot be waived beforehand, and only three years after the origination of the liability and by decision of the stockholders’ meeting. Even though in the meantime globalisation may have added additional, non-German D&O risks for German board members, we continue to primarily see large ‘insured company vs. insured person’ claims. In general, the perception in our market is that D&Os today face a similarly dangerous personal liability environment as their colleagues in countries such as the US.

“Incorrect financial communications and violations of laws, rules or regulations are still the most common grounds to file against directors and officers.”
— Jonathan Pflieger

FW: In your opinion, have there been any recent, high-profile D&O claims cases in which the outcome proved to be particularly significant? How might such cases impact on how D&Os view the risks they face?

So: Regulatory investigations and inquiries relating to corporate disclosure, corporate misconduct and money laundering could be the greatest risks faced by D&Os in Hong Kong. In Hong Kong, the first decision on breaches of disclosure requirements under Part XIVA of the Hong Kong Securities and Futures Ordinance – which came into effect on 1 January 2013 – was delivered by the Market Misconduct Tribunal (MMT) in November 2016. Developments in liability relating to disclosure requirements have been closely watched by D&O insurers, and this decision demonstrates that the MMT will strictly enforce disclosure requirements and impose potentially heavy fines on listed companies and their D&Os. This decision involving late disclosure of inside information also demonstrates the type of day-to-day risk faced by D&Os.

Pflieger: Last year’s claim against Tesco in the UK for alleged financial misrepresentation illustrates the global rise in collective investor actions outside the US. A group of institutional investors, who had bought shares in Tesco on the London Stock Exchange and had been prevented from joining the US class action, have joined a collective action in the UK supported by a litigation funding firm. Claimants in this case are alleging damages in excess of £100m. The outcome of this claim could potentially have an impact on the frequency and the severity of collective investor actions outside the US.

Mahnke: Each of the large D&O ‘high-profile’ cases in Germany over the last 10 years has contributed to the market’s learning curve. With the perception of an ever-growing personal liability, underlined by D&O claims in all major industries, German D&Os have become very much aware of their risk exposure. One of the major trends is that criminal proceedings against former board members often precede a recourse the company may decide to take against its D&Os.

Milstead: On 26 June 2017, the US Supreme Court, in California Public Employees’ Retirement System v. ANZ Securities, Inc., held that the statute of repose in section 13 of the Securities Act of 1933 barred suits under section 11 of the Securities Act filed more than three years after the securities at issue were offered to the public. Thus, when an investor opted out of a class action brought under section 11 and brought an individual suit more than three years after the public offering, its suit was time-barred. This holding provides certainty to D&Os of companies that offer securities to the public, that any risk of liability related to the registration statement for such securities will not extend past three years.

Flockhart: Cyber risk is a key topic for D&Os. The D&O implications of large-scale, high-profile cyber attacks were brought into focus by a number of shareholder derivative suits in the US that were brought against directors in the aftermath of large data breaches, essentially alleging that directors had failed to manage and mitigate cyber risk adequately. While we have not yet seen this in the UK, claims of this kind are certainly growing in likelihood as more and more public companies are hit by damaging cyber attacks. The risk here is also exacerbated by the fact that the General Data Protection Regulation (GDPR) will impose much more stringent burdens on companies that process European Economic Area (EEA) citizens’ data from May 2019. If significant penalties are imposed on companies under the GDPR – certainly if we see anything like the maximum penalties of 4 percent of an organisation’s worldwide turnover – shareholders, regulators and others may look to the board to ascertain what went wrong.

Bentz: According to a recent Cornerstone Research and the Stanford Law School Class Action Clearinghouse survey, securities class action lawsuits hit record levels in 2016 and are not showing any signs of slowing down. The report noted that there were 270 securities class action lawsuits filed in 2016. This represents a 44 percent increase over 2015 and is significantly higher than the average number of suits in previous years. Most of this activity was from an increase in merger objection lawsuits but there was also an increase in more traditional securities filings. The report also noted that the risk that a company would have a securities lawsuit doubled in 2016 to 5.6 percent. The average from 1997 to 2015 was 2.8 percent. In short, the risk to D&Os is increasing significantly.

FW: In what ways have the personal risks faced by D&Os changed over the past few years? What major new risks have arisen?

Pflieger: Incorrect financial communications and violations of laws, rules or regulations are still the most common grounds to file against directors and officers. Regulatory enforcement has also increased over recent years and led to more litigation against D&Os. Regarding new risks, cyber related litigation is definitely on the rise, with exposures ranging from regulatory claims based on cyber security disclosure to shareholder claims following a data breach. Although some recent high-profile derivative lawsuits in the US have been dismissed, more D&O litigation in this area is highly likely in the near future. D&O claims related to climate change have also started to materialise, as regulations are increasing rapidly.

Mahnke: With reference to the last financial crisis and its assumed causation by ‘management failure’, the German legislation has introduced a compulsory deductible for members of the management board of stock corporations. This deductible needs to be at least 10 percent of the damage caused and may add up to a maximum of 1.5 times the board members’ net fixed income. The legislators’ hope continues to be that this compulsory deductible will lead to a modification of managerial behaviour even though this deductible may be covered under a separate, personal insurance policy. In the same context, legislation has extended the statutory limitation for board members of stock-listed corporations from five to 10 years. This has created additional concern because once a board member has left the company, he or she can exert no influence over the company’s D&O insurance even though personal liability will not lapse for a longer period of time. Further to these legislative actions, German courts continue to decide on cases involving D&O related questions, thus clarifying issues such as the admissibility of the transfer of the insured’s rights under a D&O policy to the insured company.

Milstead: Over the last few years, D&Os have faced new risks of personal liability related to cyber security breaches. D&Os from Yahoo, Wendy’s Co., Target, Home Depot, Wyndham Worldwide Corporation and Heartland Payment Systems have been named as defendants in derivative or securities class actions alleging that they failed to prevent breaches that resulted in the theft of customer data or made misleading public statements about the state of the company’s data security. Although the claims have a poor track record – no case has yet proceeded past a motion to dismiss – D&Os can expect that the plaintiffs’ bar will continue to pursue these types of claims and pursue new theories of liability, as cyber security threats to companies continue to expand and companies face the constant challenge of protecting against those threats.

Bentz: The increased focus on personal accountability by the DOJ and the increasing number of securities lawsuits being filed have amplified the risks faced by D&Os. In addition, D&Os face new risks related to cyber security. Several data breaches have resulted in lawsuits against D&Os for ‘failure to prevent the breach’. Although none of these lawsuits have resulted in a judgment against D&Os yet, these lawsuits can be expensive and time consuming. It also puts another burden on D&Os to make sure that they can document their cyber security efforts.

Flockhart: There are two main changes affecting personal D&O risks. The first is increased regulatory scrutiny, which we have seen for a number of years now and which is not going to diminish. The second is a more activist approach by shareholders, who are increasingly willing to put pressure on board members – including, in the most serious circumstances, by way of shareholder derivative lawsuits. Lawsuits of this type sometimes treat poor commercial performance as automatically equating to a breach of duty on the part of the director in and of itself. Legally of course, this is not the case, but it demonstrates the aggressive approach that some shareholders are willing to take.

So: How D&Os conduct business is now being scrutinised by regulatory authorities, shareholder activists and the press, among others. Over the past few years, changes to the legal and regulatory framework in Hong Kong and China have increased the likelihood of claims being made against D&Os. In Hong Kong, the SFC has brought legal proceedings to seek disqualification and compensation orders against individual directors who failed to act in the best interest of the company, allowed false or misleading information to be published or failed to exercise reasonable care, skill and diligence in conducting corporate transactions. It is notable that the SFC has shifted enforcement emphasis towards individual directors and senior executives.

“It is regular practice for companies to implement programmes that aim to manage all types of risks that confront the company, including risks to their D&Os. One area of increasing focus is board diversity.”
— Virginia F. Milstead

FW: Have you observed any legal and regulatory changes that could have a significant impact on personal risks to D&Os?

Milstead: Since the creation of the Securities and Exchange Commission (SEC) Whistleblower Program – which provides monetary incentives to employees to report information about possible securities laws violations to the SEC, pursuant to the 2010 Dodd-Frank Wall Street Reform and the Consumer Protection Act – the SEC has awarded more than $100m in awards to whistleblowers. The SEC has also recently taken efforts to penalise companies that the SEC perceives are trying to impede whistleblowers – including by bringing nine enforcement actions over employment agreements that the SEC concluded had restrictive provisions and three enforcement actions related to perceived retaliation. On 28 June 2017, the chief of the Whistleblower Program stated that the SEC’s efforts would continue with the new administration.

Flockhart: The laws around data protection and cyber security are in a period of significant change in a range of jurisdictions. With cyber and data risks emerging as a key threat to companies around the world, this is perhaps the development that will have the greatest impact on how we think about D&O risk in future. One of the biggest challenges here is that many aspects of cyber risk require a working understanding of technology and the use of data – and many company directors do not have this at present.

So: It appears there is a global trend to focus on individual accountability. To cite a recent example, in Hong Kong, the SFC implemented new measures in April 2017 to heighten the accountability of senior managers at all licensed corporations. The new regime requires that an individual be designated by a licensed corporation to be principally responsible, namely the manager-in-charge, either alone or with others, for managing the core functions of the licensed corporation. The regime in Hong Kong is similar to the implementation of the SMCR, a range of policy changes introduced by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) in the UK to increase individual accountability.

Bentz: Many companies have failed to update their corporate bylaws to reflect the new focus on individual liability now facing D&Os. For example, few bylaws allow a director or officer to exercise his or her Fifth Amendment right to remain silent without penalty. This can have a devastating impact on D&Os. Similarly, companies need to make sure that their D&O insurance policies will waive the applicable retention deductible in the event that the company fails or refuses to indemnify a director or officer. Without this important enhancement, individuals may have to satisfy a huge retention on their own before they can access the policy proceeds. If an individual is targeted by prosecutors, or is unable to avoid criminal or civil liability, even after the case against the company has resolved, the corporate bylaw protections and the D&O insurance may represent the executive’s last line of defence.

Mahnke: Other than the introduction of the mandatory deductible for board members of stock corporations in the wake of the financial crisis and the extension of the statutory limitation for board members of stock-listed corporations from five to 10 years, the German legislator had already in 2005 introduced the means for plaintiffs in lawsuits around capital investments to file so-called ‘exemplary actions’. For example, if a group of at least 10 plaintiffs sues for the same underlying legal reasons, the competent court can render a verdict with binding effect for plaintiffs outside of this group. There was apprehension that this may lead to something similar to class actions in the US, but so far this fear has been unfounded. Also, the European Basel and Solvency regimes have been introduced into national law, and it is safe to say that these regulatory rules for the financial markets have led to a higher exposure for D&Os of banks and insurance companies.

Pflieger: The Bank of England has recently required financial institutions to draft Brexit contingency plans and warned them to be ready for all possible outcomes. The outcome of Brexit negotiations is a moving target and it can be difficult for firms to plan for all related contingencies. If financial institutions do not come up with adequate plans, investigations and potential litigation against D&Os could possibly follow. Another change that could have an impact on D&O liability is the review of the Dodd-Frank Act and, in particular, its whistleblower programme, by the Trump administration.

“The choice of the right insurer of the D&O policy is important. It needs to be made along the right criteria, such as financial stability, underwriting expertise, claims management capabilities and international reach.”
— Dr Alexander Mahnke

FW: Are you seeing more companies implement risk management frameworks designed specifically to protect their D&Os against potential court battles, costly settlements and tougher penalties?

So: We observe different levels of awareness about risk management and the measures required to protect D&Os against potential lawsuits and penalties. Generally speaking, there are a number of ways to protect D&Os. Many companies may have exculpation and indemnity provisions that are often contained in the articles of association, which may excuse D&Os from negligent breach of fiduciary duties and allow the company to pay for costs associated with lawsuits. Further, a D&O policy may cover litigation costs, settlement payments and, in some cases, damages. Some companies will also have in place a response plan to deal with lawsuits, execution of search warrants, whistleblower complaints and regulatory investigations. Last but not least, D&Os must not overlook the importance of having in place an adequate internal control system to ensure compliance with laws and regulations.

Bentz: Over the last few years, many companies have implemented incident response plans to deal with their cyber risks. Many of the issues that companies address in their incident response plans translate directly to the broader risks faced by management. For example, making sure that there is a plan to communicate with the media, a process to notify insurance carriers, communicate with authorities, and so on. Other issues, such as who controls the defence, which law firms and service providers may be used to respond to a breach, and when a matter may be settled, also translate. In other words, companies have used their experience with creating incident response plans to tighten their overall risk management plans.

Mahnke: I have not seen specific risk management frameworks designed to protect against D&O liability. Nonetheless, it needs to be said that compliance frameworks in German companies by nature of the described personal liability always help to also protect the D&Os in charge against their personal liability.

Flockhart: The establishment of regimes in certain sectors, such as the SMCR in financial services in the UK, is seeing companies take additional steps to bolster their executive risk management frameworks. This is being done through both structural and cultural change to reflect the significant emphasis that is being placed on D&Os to assume full responsibility for business areas that fall within their purview. Many directors are now acutely aware that formal means of protection against personal liability – including corporate indemnities and comprehensive D&O insurance – are more important than ever.

Pflieger: D&Os must know the risks they are facing. Risk transfer via a D&O policy is part of a larger equation. Companies continue to enhance toolkits for their D&Os and provide them with regular training on their duties and responsibilities, especially regarding disclosure of material risks. Companies are clearly taking on board best practices and industry standards to further improve their risk management framework. These risk management frameworks are updated frequently in order to adapt to changes in regulation and environment. On the back of the financial crisis, culture and accountability have been top of the agenda in the financial services industry. Firms have monitored the potential risks in company culture and certain entities have carried out conduct change programmes at board and executive management level.

Milstead: It is regular practice for companies to implement programmes that aim to manage all types of risks that confront the company, including risks to their D&Os. One area of increasing focus is board diversity. For example, a July 2015 Oxford University study found that international oil companies with fewer women and people of differing nationalities on their boards were more likely to lack dissenting opinions among their D&Os, and thus more susceptible to making poor investment decisions when it came to assessing emerging risks, such as risks from climate change.

“Very often, D&Os indicate that they wish to have a D&O policy with clear and easy-to-understand terms. That said, D&O policies are seldom written in plain language.”
— Eddy So

FW: In terms of D&O insurance, what steps should companies take to ensure they offer their D&Os an appropriate level of coverage?

Flockhart: Companies and their D&Os should work together to scope the liability risks that the D&Os face globally and should then cooperate to ensure that appropriate protections are in place to mitigate those risks. These protections will most likely take the form of a corporate indemnity and D&O insurance cover. This position, in terms of both the liability risks and the appropriate means of protection, should be kept under constant review, bearing in mind that the risk landscape is anything but static.

Mahnke: The choice of the right insurer of the D&O policy is important. It needs to be made along the right criteria, such as financial stability, underwriting expertise, claims management capabilities and international reach. Also, the right amount of coverage needs to be decided. In this context, benchmarking of D&O limits of peer companies within the same risk group and industry may help, but the choice of the D&O limit remains an individual one. Furthermore, the terms and conditions need to reflect the specific risk exposure of the company that takes out the policy. For example, the right group of insureds has to be discussed. For example, does the company only want to protect the board or should the policy protect all D&Os? Will the policy only cover the holding company or all subsidiaries worldwide? Finally, it is of utmost importance to discuss and explain the content and reach of the policy to the D&Os before a claim arises so that the expectations of all parties can be properly managed.

Bentz: There is no foolproof way to determine the ‘perfect’ amount of D&O insurance to purchase for any particular year. That said, there are factors that can inform insureds. Perhaps the most scientific way to determine the appropriate D&O insurance limit is to consider a claims study. These studies consider the mean and average settlement values for class action settlements, controlling for factors such as market cap, industry and insider and institutional investor holdings. The studies project a range of probable losses for various stock drops based on historical trends. Benchmarking studies provide an insured with information about what limit the insured’s ‘peer companies’ are purchasing. Again, this can be helpful, but there is no guarantee that the insured’s peer companies are purchasing the right limit. Moreover, such studies are typically limited to one broker’s experience, which may or may not include a statistically significant sampling of peer companies. What the insureds can afford is another very real factor in determining what limit insureds should purchase.

Pflieger: Companies should include risks that their D&Os face in the overall risk mapping exercise and, along with their broker, work on the basis of main scenarios to determine the necessary limit of liability. Thereafter, benchmarking can be carried out among industry peers in order to compare limits and retention levels. It is also recommendable to review claims examples in the company’s main jurisdictions and look out for trends in other countries. Furthermore, risk managers should consider if non-admitted insurance is allowed in the jurisdictions where the company is active, whether or not indemnification of individual insureds is allowed and subsequently determine if there is a need to set up an international programme.

Milstead: It is critical that companies have a comprehensive understanding of their risk profile to ensure that an appropriate level of coverage is in place for D&Os. Obtaining robust benchmarking data to see what peer companies are doing with their D&O programmes can be very useful and should be readily available from most brokers. While benchmarking data is an obvious starting point, the evaluation should not end there. It is important that ongoing and prospective exposures that may be unique to a particular company be considered. This often involves cross-functional input from a company’s risk management, legal and business departments as well as the broker and outside counsel. In the end, the level of coverage procured is a business decision that must strike the proper balance between protecting D&Os, as well as the company’s balance sheet, and doing so at a price that makes sense in the circumstances.

So: Nowadays, most D&Os of public companies will ensure that they have a D&O policy, but many of them will not take the time to understand the level of coverage they have until it is too late. Some do not fully understand the importance of D&O insurance and some simply do not want to think about the risks they face. D&Os may want to ask questions about whether the policy maximises coverage or has coverage gaps, because D&O products offered by different insurers vary significantly. To choose the appropriate policy, there are many factors to take into account, including the company’s areas of business, the size and geographical areas of its operations, the regulatory environment and its corporate structure. It is advisable for D&Os to take time to understand the policy terms, especially the exclusions, such as insured vs. insured exclusion and prior knowledge claims exclusion.

FW: How have D&O insurance policies evolved in recent years? Have there been any general changes in terms, exclusions, pricing and so on?

Mahnke: Not so long ago, and with the strong competition between German D&O insurers and brokers in a ‘soft’ insurance market, there was a tendency to stretch the breadth of coverage of D&O policies to its utmost extent. As a consequence, the risk of erosion of the policy limit could become a factor. Only recently have we started to focus on the ‘core’ of the D&O risk again, thus concentrating on having D&O policies respond to the underlying risk in the most appropriate and realistic manner. For example, it needs to be discussed and decided on how the D&O limit is allocated in case there are several claims or, specific to Germany with its dual-board system, there are claims involving the management and the supervisory board. Also, the extension of the statutory limitation for board members of stock-listed corporations from five to 10 years may call for extended reporting periods and eventually for specific solutions that ‘freeze’ the applicable terms and conditions for a former board member until the relevant time lapses.

Bentz: D&O policies continue to evolve and change. Carriers are constantly providing new coverage terms to be more competitive in the marketplace. Most of the focus recently has been on protecting individual D&Os. Some of the more recent enhancements include protecting the D&Os in the event that the company wrongfully fails or refuses to provide indemnification or advancement of defence fees. Coverage for FCPA claims, government investigations against individuals and payment of plaintiff fees in derivative actions are some other recent enhancements. It is very important to work with someone who knows what is available and what other carriers are willing to offer. Minor changes to policy terms can have a significant impact on the coverage.

Pflieger: Wordings continue to broaden but to a lesser extent than the years directly following the most recent financial crisis. One of the most notable developments in D&O policies has been the widening of the trigger of the policy up to pre-investigation costs. This gives the opportunity to monitor developments at an early stage and mitigate, if needed. Furthermore, given the increase in regulatory scrutiny, limits of liability for investigation costs outside of the US have tended to increase, with full limit cover in certain circumstances. Another point worth mentioning is that long-term agreements have become relatively common for commercial risks in some jurisdictions. This allows increasing efficiency in a market where margins are reducing.

Milstead: The D&O marketplace is highly competitive and continues to evolve as insurers seek to differentiate themselves by offering new or enhanced coverages. The past couple of years have seen a downward trend in premiums, which is generally expected to continue but slow in 2017 due to an anticipated uptick in claims activity. Perhaps the most significant broadening of coverage which we continue to observe with increased frequency is the provision or improvement of investigation costs coverage at the entity level, where it was previously non-existent or limited to the D&Os. Other enhancements on the rise include the reinstatement of limits for unrelated claims, increases in excess coverage for derivative investigative costs sublimits and the rebating of a percentage of retentions where the insured is able to achieve an early dismissal of a claim with prejudice. These features all would be welcome add-ons to any D&O programme.

So: From what I have seen from new product offerings provided by some insurers, to a certain extent, policy terms have been updated to respond to increased risks arising from government and regulatory investigations, such as emerging risks from cyber attacks, data breaches and climate change related matters. An example is new policy terms providing mitigation costs cover. Depending on the policy wording, payments of loss, costs or expenses incurred by the insured to avoid or reduce a third-party claim of the relevant type can be mitigation costs. This may be relevant to listed companies, financial institutions or licensed corporations which might be pressured to respond to issues before formal claims are made. Another example is pre-investigation costs cover, which will provide coverage for legal costs incurred in responding to regulators’ requests in the early stages of investigations before a formal claim has been made.

Flockhart: For some time now, there has been ample capacity in the D&O market which has led to generally soft market conditions. This has allowed brokers and organisations that are purchasing D&O insurance to push for broader cover and higher limits than has previously been the case. Many insurers and brokers are also willing and able to work with insured organisations in designing and purchasing D&O products which meet the organisation’s, and their D&Os’, unique liability risks – for example, we have seen the development of D&O programmes providing ring-fenced cover for senior executives or individuals who face particular types of exposure.

FW: What advice would you give to both companies and D&Os when they are assessing the merits of a particular D&O policy? Which elements are of paramount importance?

Milstead: Companies should seek, for the best cost possible, the broadest definition of what losses are covered, the narrowest exclusions and the lowest self-insured retainer. As for particular issues, companies should examine the extent of coverage for risks related to events other than derivative and securities class action lawsuits, such as regulatory or internal investigations or shareholder activism. And they should be certain that the exclusions do not limit coverage for shareholder claims arising from cyber security breaches.

So: Very often, D&Os indicate that they wish to have a D&O policy with clear and easy-to-understand terms. That said, D&O policies are seldom written in plain language. Exclusions may be in the definitions, and a number of endorsements may be added to modify the standard terms. It is a good idea to take the time to review the terms and, if necessary, consult experienced advisers to ascertain coverage when assessing the merits of a particular D&O policy. Issues to consider include the ability of the insurer to refuse a claim based on non-disclosure and whether the policy covers the costs of early stages of an investigation.

Pflieger: Companies and D&Os must make sure they have an overall understanding of the policy. Considering the increase of collective redress actions, companies can consider implementing a dedicated Side-A cover which sits on top of a comprehensive D&O programme in order to preserve coverage for insured persons. Another important point to look into is the aggregation language when it comes to deductibles and claims. This will be key when analysing how the policy would respond in the context of a potential serial claim. Severability of cover is also worth consideration. It is relevant, for example, for retired directors if there is an investigation against the company, allowing them to have their own defence. Finally, it is fundamental for companies to consider whether a master policy is sufficient to meet their needs based on their corporate structure or whether they should contemplate a supplementary international programme.

Flockhart: It is important that cover triggers early enough. I say this because regulators have in recent years increasingly made enquiries of D&Os in particular circumstances, in a way which falls short of being a full-blown investigation. Ideally, D&O policies should cover any costs incurred in responding to those enquiries, notwithstanding that a formal ‘investigation’ – which was traditionally the trigger for investigation costs cover in many D&O policies – has not been commenced. In addition to this, it is of course essential that any D&O policy has limits that are high enough to reflect the potential risks that all individual insureds are facing.

Bentz: Perhaps the most important factors to consider when deciding which D&O policies to purchase are the terms and conditions of the policy itself. Terms and conditions in D&O policies are not standard. An insured who saves a few dollars in premium by selecting an inferior policy may find themselves ‘penny-wise but pound-foolish’. The claims handling ability of the carrier is also extremely important. Never forget that you purchase a D&O policy to pay claims. Different insurers handle claims very differently. Before deciding to purchase a D&O policy, it is important to know the insurer’s reputation and whether the carrier will be a good partner. Insureds may also find it helpful to know whether the insurer has its own experienced claims staff or whether it uses outside law firms for its claims.

Mahnke: The specific underlying D&O exposure should drive the decision on what policy is to be taken out and which structure and limit are adapted to the needs of the company and its D&Os. The question of the necessity of an international insurance programme needs to be asked and answered. And all parties should prepare for a claim and make sure it is understood what needs to be done and by whom, especially in the context of a potential claim of the company against its D&Os. When a conflict of interest arises, lawyers for the different parties need to be mandated and the insurance will defend the insured persons against the insured company. This helps to manage expectation appropriately and may prevent ‘disappointed expectations’.

FW: In your experience, is there a growing awareness among D&Os regarding the range of personal risks they face, or are there still signs of indifference or ignorance on certain topics?

Pflieger: The risk of being prosecuted or facing a claim has increased in all industries. D&Os are more aware of the liabilities they face. D&O insurance is a mature product in many jurisdictions and D&Os have a general understanding of their personal risks. There is, nevertheless, room for improvement. For example, it is not always clear for D&Os what they should do in the context of an investigation, or the legal distinction between civil and criminal liability. There is also some level of misunderstanding regarding personal fines and penalties and how they could potentially be picked up under a D&O policy.

Bentz: We do see a growing awareness of risk, but D&Os only tend to ask if there is enough insurance. These policies are complicated, confusing and often have multiple endorsements that rewrite the majority of the policy. Few D&Os take the time to really evaluate the terms and conditions. Instead they rely on their insurance broker and hope that they have adequate coverage in the event of a claim. This is a risky approach. The worst time to discover that the policy does not cover what you thought it covered, is when there is a claim and it is too late to fix the problem.

Flockhart: While there does seem to be growing awareness, D&Os do not always fully appreciate the extent of the liability risks that they may be faced with. This is particularly true for those who hold positions on boards in multiple jurisdictions. Although they may be well-informed about the risks they face in certain countries, D&Os should seek to familiarise themselves with the position taken in all jurisdictions in which the company operates. In this regard, it is important to note that there can often be significant differences in the protection available through indemnities or insurance from country to country.

Mahnke: Given the development of D&O exposure in Germany over the last 20 years and the growing maturity of the German D&O insurance market, D&Os have a high level of interest in knowing that there is sufficient and appropriate D&O cover in place and in understanding how this coverage works if they face a D&O claim. In my experience, the question of the D&O coverage in place is often discussed before a new board member signs with the company.

So: Almost all D&Os are aware of the personal risks they face in general terms. However, in my opinion, this may not be sufficient in today’s environment. They may not fully appreciate that the legal and regulatory environment is changing rapidly. For example, in Hong Kong, the new companies’ ordinance came into force on 3 March 2014, bringing about a number of important changes, including the requirement to have at least one natural director of a private company, codification of various directors’ duties and the requirement to disclose indemnities granted to directors. Not every company has fully evaluated the risks affected by the amended laws.

Milstead: While some of the more recent ‘bell and whistle’ coverage enhancements certainly are nice and should be pursued, in evaluating the merits of a particular D&O policy, the primary focus should remain on the basic fundamentals. Initially, companies would be well advised to work with experienced and reputable insurers and brokers. The importance of that really cannot be overstated. And the key terms, conditions and exclusions of the policy should be scrutinised to ensure that they will function as intended by the company when and if a claim comes in. These core provisions include, for example, the coverage grants, the definitions of key terms, the so-called ‘conduct exclusions’ and ‘entity versus insured’ exclusion, and the advancement and priority of payments provisions. Because D&O policies vary widely and in nuanced ways, it is important that they be carefully reviewed by experienced professionals, which often ends up being a team effort between the company, broker and outside counsel. One last thing to keep in mind is that ‘if you don’t ask for it, you won’t get it’. Oftentimes an insurer will not volunteer a coverage enhancement. So, within reason, companies should not hesitate to proactively seek improvements to their D&O programmes.

FW: With regulatory investigations and enforcement proceedings often focused on senior management, how can D&Os improve their defence and mitigate the legal costs likely to accrue during this process?

Flockhart: Directors of UK companies can obtain protection by ensuring that they have obtained an indemnity from the company to the fullest extent permitted under the Companies Act 2006. Any such indemnity should be in addition to any D&O insurance that the company has procured on the D&Os’ behalf. Particularly large or exposed companies and their D&Os should also look to their brokers to obtain ring-fenced cover or reinstatements of limits in respect of their most senior or most exposed directors and officers and should ensure that the scope of the D&O cover they are buying is appropriately broad.

Mahnke: In the context of how the D&O policy works in case of a claim, the question of the right legal defence and arising costs needs to be discussed between the insured company and the insurer. Panel lists with law firms may be agreed beforehand. Also, there is a discussion around arbitration as a means to manage and potentially limit costs.

So: Besides ensuring that a proper D&O policy with sufficient coverage is in place, D&Os should recognise the need to have an adequate risk management system, review risk exposure regularly and make adjustments accordingly. The five basic elements are exculpation provisions, indemnity provisions, a D&O policy, a response plan and an internal control system. I should emphasise the importance of conducting regular reviews of D&Os’ personal risks in today’s changing and increasingly complex legal and regulatory environment. It is understandable that companies and D&Os may be concerned about legal costs, especially legal costs for an investigation at the early stages.

Bentz: One of the most overlooked ways to mitigate defence costs is to partner with the right insurance carrier. Some carriers see far more investigation and enforcement proceeding claims than even the law firms. In an appropriate case, the carrier’s knowledge about settlement trends, appropriate fees, previous strategies used and even the agency involved, can be invaluable. It can also save the insured significant money. Some insurers are also able to save their insureds meaningful amounts with prenegotiated discounts for certain service providers. Not all insurance carriers are able to provide this kind of assistance. That is why it is so important to partner with a strong insurer.

Milstead: The first way to mitigate risks from regulatory investigations and enforcement proceedings is to make sure the company is in compliance with all legal and regulatory requirements. In addition to implementing appropriate internal controls and best corporate governance practices, D&Os want to foster a culture that encourages open communication and accountability and be proactive in identifying and responding to risks. Boards should also expand their diversity, as hearing from diverse voices guards against the risk of ‘groupthink’. Ultimately, even D&Os who are doing everything right cannot guarantee there will not be an investigation or enforcement proceeding. In those instances, strong D&O insurance coverage is critical.

Pflieger: As a general rule, anticipation can be a good way to mitigate the consequences of an investigation. This means being well aware of regulatory obligations, properly documenting all corporate actions and identifying lawyers who could be a recourse in case of an investigation. If an investigation does take place, D&Os should get in-house support to understand what they need to do and what their rights are. When it comes to mitigating legal costs, these can be significantly reduced if the D&Os agree with sharing legal counsel. Another way to improve defence and reduce costs is to obtain consent from the regulator involved regarding the disclosure of information to the D&Os’ legal counsel and the insurer. This allows for a good defence and the insurer to monitor developments effectively.

FW: How might the personal risks facing D&Os evolve in the months and years to come? To what extent are they becoming more complex, international and unpredictable in scope?

Mahnke: After the German D&O market has become quite mature and awareness grows around risk and how a D&O policy works, there will be slow ongoing evolution. Of course the German legislator remains an ‘unknown’, especially in the dawn of the next elections. The complexity of an international D&O programme will remain high and it needs to be dealt with by insurance professionals with expertise and experience. After all, the development of D&O risk in a global environment will remain unpredictable by its very nature.

So: It is expected that new personal risks will affect the roles of D&Os in the changing legal and regulatory environment. Emerging risks from cyber attacks, data breaches and climate change related matters, though still in the early stages of evolution, have triggered changes to D&O policies and companies’ compliance measures in the relevant jurisdictions. In Hong Kong, ongoing investigations surrounding IPOs and corporate malfeasance suggest increased personal risks and liabilities for the relevant D&Os. Individual accountability appears to have become a global theme in today’s enforcement actions. International cooperation among governments and regulators will lead to more cross-border investigations, enforcement actions and claims.

Bentz: Risk is not going away. From private lawsuits to government investigations, the risks D&Os face are only increasing. Exposure to cyber claims has also made the personal risk for D&Os more complex, international and unpredictable. Many companies are spending more time reviewing their insurance coverage and understanding the ways that they transfer risk. In some cases, that means improving their policy terms and conditions. In others, it means purchasing new or additional insurance to fill gaps in the coverage.

Milstead: D&Os face increasing scrutiny, not only for the financial outcomes of the companies they manage, but also for the company’s social and environmental impacts. As such, with any adverse event at a company, whether an instance of employee misconduct or discrimination, a cyber security breach or negative market development, there may be an activist shareholder or enterprising plaintiff’s lawyer, often with the benefit of hindsight, who seeks to place the blame on the D&Os, either for failing to prevent the event or failing to disclose it. Whether the trends of the past few years will continue into the future will depend on the extent to which D&Os are successful in recognising these risks, managing them and defending the suits they face.

Pflieger: In an environment of change and uncertainty, litigation against D&Os in the short and midterm is a foregone conclusion and we will likely see more claims activity. Among the many factors potentially contributing to this litigious climate are the evolution of collective redress outside the US, the review of the Shareholders Rights directive in the EU, changes in the regulatory landscape in some jurisdictions, improved cross-border collaboration among regulators, the adoption of whistleblowing, self-reporting and DPA frameworks, the recent materialisation of climate change risk and so on. These all set the scene for not only an environment of increased litigation for D&Os but also for one of lengthier, costlier and more complex litigation. More than ever, risk managers and D&Os should count on a specialist insurer with the expertise and depth of knowledge necessary to take on these risks confidently, and let D&Os carry on with developing their business vision freely.

Flockhart: Heightened regulatory scrutiny and higher shareholder expectations are here to stay. The challenge for directors is understanding and dealing with emerging risks, which in many respects are complex and difficult to deal with. Cyber risk is probably the best example of this and, while cyber attacks against companies are the main headlines for now, I would not be surprised if in a little while we are also reading about claims against directors who did not do enough to protect their companies against the cyber threat.



Thomas H. Bentz Jr. practices insurance law with a focus on D&O, cyber and other management liability insurance policies. Mr Bentz leads Holland & Knight’s D&O and management liability insurance team which provides insight and guidance on ways to improve policy language and helps insureds maximise their possible insurance recovery. He regularly publishes articles on D&O and cyber liability insurance and is a frequent commentator on insurance issues. He can be contacted on +1 (202) 828 1879 or by email: [email protected].

Ffion Flockhart is a dispute resolution lawyer and qualified solicitor-advocate based in London. With an insurance law background, she advises clients across a number of industries on the management of key financial risks, as well as on the resolution of disputes. Ms Flockhart is known in particular for her policy wording work for large corporates and financial institutions, as well as her work on matters involving D&O liability, transaction liability and cyber risk. She can be contacted on +44 (0)20 7444 2545 or by email: [email protected].

Eddy So is a partner in the commercial litigation department in Reed Smith Richards Butler’s Hong Kong office. His current work focuses on commercial and financial litigation, and financial regulation, including civil, criminal and regulatory matters. His experiences include advising corporate and individual clients in regulatory investigations and enforcement actions. He has successfully helped clients in convincing regulators not to institute enforcement actions or reaching favourable settlements. He can be contacted on +852 2507 9815 or by email: [email protected].

Dr Alexander Mahnke started his career in 1999 at Siemens where he was responsible for the coordination of the group’s global casualty and financial lines insurance programmes. From 2004 to 2010, he held various positions at AON Jauch & Hübener GmbH, and joined Marsh GmbH in 2010 where he became head of financial and professional services and credit and political risks. In April 2011, Dr Mahnke took over responsibilities as CEO insurance at SFS Insurance in Munich. In this position he is responsible for all insurance topics of the Siemens Group. He can be contacted by email: [email protected].

Virginia F. Milstead has a broad commercial litigation practice, representing clients in both federal and state courts, with a particular emphasis on securities and takeover litigation, director misconduct and related claims. She has represented clients in matters involving federal securities laws, duties of corporate directors, civil RICO, unfair business practices, and various other contract and tort claims. She can be contacted on +1 (213) 687 5592 or by email: [email protected].

Jonathan Pflieger joined Tokio Marine HCC over 10 years ago, focusing on financial lines underwriting for the French and Benelux markets. Today, he concentrates on the underwriting management of the financial institutions portfolio written out of operations in Barcelona and is an authority on this segment for the firm’s international teams. Mr Pflieger began his insurance career underwriting D&O and PI at AXA Corporate Solutions in Paris. He can be contacted on +34 (93) 530 7338 or by email: [email protected].