  • Cyber risk is a major emerging risk for directors and officers, but awareness and understanding of potential liability is low
  • In future it may be possible to claim substantial damages from directors if there has been negligence in any failure to protect data or a lack of controls. The landscape will get tougher
  • Robust mergers and acquisitions (M&A) activity a key driver of D&O litigation
  • Future development of claims against companies and directors arising out of the disclosure of climate-change related risks to investors likely
  • Rise of strategic litigation to combat modern slavery in supply chains

D&O claims related to mergers and acquisitions, as well as corruption and anti-competitive practices, have spiked recently. However, almost any executive failing that gives rise to a regulatory investigation or a fall in share value could result in liability and claims made against directors and officers.

Emissions testing allegations in the automotive industry have, for example, highlighted the potential for environmental or climate change related liability claims. Ethical and social issues, like modern day slavery in the supply chain, are another potential source of claims, as are employment or discrimination disputes.

“This can be seen in Germany, where corruption and cartel allegations have dominated executive liability claims in recent years. Almost any issue that arises from non-compliance could create an exposure,” explains Martin Zschech, Regional Head Financial Lines Central & Eastern Europe, AGCS.

Not only could these emerging exposures cause claims, but they would also expose the company to considerable reputational risk. A 2016 report [1] by Deloitte revealed that reputational damage was identified as the number one threat for large companies. “In Germany, a supervisory board could go after management for all kinds of scenarios. There is a fine line between business risk and a wrongful act,” says Zschech.

A number of fast-rising exposures – and their potential impact for directors – are considered in the following article.

Mergers and acquisitions (M&A) activity continues to be a key driver of D&O litigation and is predicted to continue at a rapid pace in future, as deal makers are motivated by low interest rates, healthy stock prices, good employment numbers and plenty of cash. Activity has been robust. According to industry experts, there were around 44,000 transactions worldwide in 2015, for a total value of $4.5trn and activity is expected to remain strong through 2016 and 2017.

M&A activity represents a critical time for companies and officers, whether as an acquirer or a target. Acquiring companies often face liquidity problems due to high acquisition costs, while targeted companies often face unprecedented scrutiny for past wrongful acts among executives.

However, as buyers and sellers are not always forthcoming about business operations and inherent risks, post-sale disputes are common and financial issues surface. Run-off claims can mean holding steep reserves and paying extra premiums for up to six years after the date of the transaction. According to Cornerstone Research, at current pace, M&A-related filings in federal courts in the US will double the annual numbers observed in the last four years.

To help alleviate such matters and facilitate the process for a merger, acquisition, divestiture or other business transaction, parties are increasingly purchasing transactional liability insurance, which offers financial protection (for the company and shareholders) against inaccuracies made about target companies or businesses in connection with mergers, acquisitions and divestitures.

Between 2011 and 2015, reports show that use of transactional liability insurance, which is provided by insurers such as AGCS, has grown 240% globally. “Mergers and acquisitions, but also divestitures, belong to the riskier moments in the life of a company,” says Bernard Poncin, Global Head of Financial Lines AGCS.

“Expectations are always high, and synergies are easier planned than realized. This unique and specific risk situation has also led to the development of new products. The appetite for transactional liability insurance has increased tremendously over the past couple of years with a global market penetration of 20%”.

Perhaps the most topical emerging liability risk for executives is technology, and cyber risk in particular. According to the 2016 Allianz Risk Barometer, cyber risks feature in the top three corporate risks for the first time. Companies are worried about the increasing sophistication of attacks but tend to underestimate the impact of technical IT failure, human error or even rogue employees as causes of costly damage. Data protection rules are becoming increasingly tough as government agencies bolster cyber security. This significantly impacts businesses; penalties for non-compliance can be severe.

Awareness of cyber risk is highest in the US, where strict data protection laws require companies to notify individuals of a breach, but a heightened cyber liability focus is also seen in the Middle East, Singapore and Australia, while the European Union is moving ahead with plans to harmonize its rules.

“Cyber and privacy is the number one emerging risk for directors and officers, but awareness and understanding of the risk is not always high,” says Paul Schiavone, Regional Head Financial Lines North America, AGCS.

A serious cyber incident can result in reputational and financial damage, as well as regulatory action. In more extreme cases a cyber security breach could cause a company’s share price to drop, which might in turn see directors sued for breach of their fiduciary duty. “It may be possible to claim substantial damages from directors if there has been negligence in any failure to protect data or a lack of controls,” says Emy Donavan, Regional Head of Cyber Liability North America, AGCS.

There have already been a number of securities class actions and derivative class actions filed in the US related to data breaches involving the theft of personally identifiable data, including those against Target and Home Depot. However, most cases are still pending and there remains little case law in this area. “There is uncertainty in US case law on the issue of directors’ cyber liabilities but that is not to say it can’t happen. It is only a matter of time before someone makes a successful argument that a director was negligent or had not paid attention to cyber security,” she says.

The introduction of tough EU data protection laws in 2018 will increase executives’ liabilities for data breaches or personal data misuse in Europe. Fines for breaching the rules are as high as 4% of global revenues, which could run to billions of dollars.

Several European countries – including France and Italy – have already taken steps to make directors liable if they fail to take reasonable steps to prevent a data breach. Boards are expected to have a detailed strategy for combating cyber risks and may face claims if they fail to do so.

According to law firm Clyde & Co, while to date claims by shareholders against directors in respect of cyber or data breach issues have been rare (in the UK for example, there had been none by mid-2016), as privacy and network security issues are increasingly viewed as a board issue, it may become more difficult for directors to escape liability in the event of a serious loss by the company.

As cyber security becomes a competitive advantage, the firm also predicts a potential rise in US securities class actions as a result of data breaches. The landscape for directors who do not prioritize data security issues is only going to get tougher on both sides of the Atlantic, and cyber security-related D&O litigation is anticipated more widely, in France, Spain, the UAE and Australia to name but a few.

“Exposures also exist where companies with an overreliance on networks and systems do not have viable workarounds. If a director knew about such exposures but failed to put in place appropriate contingency plans, they could be made liable in the event of a sizable loss,” says Donavan. “There are a wide range of scenarios in which a director could be considered negligent, such as a fund transfer fraud or where a vulnerable network is compromised, leading to significant business interruption, property damage or loss of intellectual property,” she adds.

Directors’ cyber exposures are likely to grow further with the increased reliance on technology in many sectors. “Companies increasingly rely on technology, data and algorithms, which can become corrupted or contain flaws. For an analyst using predictive models to advise customers this could open up huge liabilities,” says Donavan.

Growth in outsourcing and cloud computing is also creating exposures. A breach at, or the failure of, an outsourcing partner could result in litigation if the directors failed to ensure appropriate due diligence and audits were carried out, for example.

The 2013 Target data breach involved a malware attack on one of the company’s vendors, giving hackers access to Target’s online vendor portal.

“Any cyber event that significantly impacts a company’s reputation and its share price could result in shareholder action. The best way that directors and officers can protect themselves is to discuss cyber risk at a board level and address these exposures as part of robust risk management solutions,” Donavan adds.

“Many directors used to see cyber as an IT issue and not an exposure for the board to consider,” says Donavan. “But there is no escaping cyber risk in the context of business judgment. Directors need to be adequately informed, otherwise they leave themselves exposed. While there is still not significant case law addressing cyber for directors and officers, it will not be possible to just plead ignorance. That will not save directors from personal liability.”

Executives are able to gain some protection – both directly and indirectly – for cyber related risks from insurance. Cyber risk is broad and touches on many areas of risk and insurance products, including financial lines, errors and omissions (E&O), professional liability, crime, general liability and kidnap and ransom. “Companies need to sit down and identify gaps in cover and seek solutions,” says Donavan.

Standalone cyber insurance has been designed to specifically cover business losses and liabilities arising from cyber exposures and can pay for the cost of important pre- and post-loss crisis management services that can help plan a response and mitigate the impact of a cyber event, she says.

Of particular concern to directors will be the extent of cover for regulatory investigations and legal defense costs available under a D&O policy. Some insurers have moved to include specific wordings for cyber-related executive liabilities. “Buying cyber insurance, or ensuring that cyber is not excluded from the D&O policy, is not sufficient,” says Donavan.

The concept of modern slavery is a broad one, including the likes of servitude, forced and compulsory labor and human trafficking. An estimated 45.8 million people are trapped in modern slavery globally, according to The Walk Free Foundation’s 2016 Global Slavery Index [2], emphasizing the need for large organizations to focus on this potential risk in supply chains.

According to law firm Clyde & Co, in the UK for example, the Modern Slavery Act 2015 (MSA) is the latest response to this issue. Under the MSA, commercial organizations with a global turnover of £36m ($55.1m) or more, and conducting any part of their business in the UK, are required to publish an annual “slavery and human trafficking statement” setting out the steps (if any) taken to ensure modern slavery is not taking place in their own business and supply chains. The statement must be approved by the board and signed by a director. Although larger companies are affected, suppliers of any size need to take note, as they will undoubtedly come under pressure to ensure their own supply chains are in order.

Legal sanctions for failure to comply are limited – there are no fines or penalties, but the secretary of state is empowered to commence proceedings for an injunction requiring an organization to prepare a statement, with public scrutiny, reputational concerns and the press likely to be the primary drivers of compliance. California has similar legislation and non-governmental organizations are actively engaged in “public shaming” exercises, the law firm notes.

There are key sectoral (such as agriculture, construction, food-processing and home/domestic work) and country risks which will act as drivers for enhanced due diligence for those affected. Procurement policies addressing modern slavery, contractual protections in supply contracts, clear labor and whistleblowing policies will all be important.

While there may of course be repercussions for directors of companies that do not comply, the obligation is on the company, not the director personally. However, directors should ensure they have taken steps to verify the contents of the statement.

There are predictions that there will be considerable litigation arising from the MSA in future, with construction companies operating in Qatar cited as a sector that will be targeted by non-governmental organizations. The Freedom Fund has recently launched a guide which emphasizes the importance of strategic litigation to combat modern slavery.

The Costco litigation in California, which was brought by a consumer and sought to represent all California consumers of Costco prawn products under the Californian Transparency in Supply Chains Act, was dismissed, but it highlights that class actions may be a sign of things to come. The stock drop that followed this litigation should also act as a warning sign to directors.

  • 44,000 worldwide M&A transactions in 2015*
  • $4.5 trillion total value of M&A transactions in 2015*
  • 16% increase in total value of M&A transactions over 2014 total [3]
  • 240% growth in use of transactional liability insurance over five years [4]
  • £400,000: the record UK data breach fine for TalkTalk in 2016 sends a warning to corporates ahead of incoming tougher rules and higher penalties under EU data protection laws
  • 45.8m people in modern slavery globally

Climate change related disclosures

Environmental activists have been ramping up their focus on targeting companies and directors for a number of years and there are signs that, going forward, we may see the development of claims against companies and their directors arising out of the disclosure of climate-change related risks to investors.

Another current trend is an increase in shareholder resolutions related to climate change filed at company annual meetings. These can aim to force the company to disclose more climate change information, for example on greenhouse gas emissions, or to analyze risks and opportunities created by climate change.

In July 2016, the Governor of the Bank of England, Mark Carney, told a Toronto audience that only one third of the world’s top 1,000 companies are offering effective disclosures to investors about the potential impact of carbon pricing on their business.

In the US there has been renewed interest by both regulators and plaintiff’s counsel regarding disclosure of climate change and other environmental risks. In 2015, the SEC reviewed what companies should disclose with respect to climate change, and is currently looking at publishing new rules in that regard.

The energy sector is already being targeted. In November 2015, the New York Attorney General (NYAG) subpoenaed Exxon Mobil regarding the sufficiency of its disclosures on the impact of climate change on its business. In November 2015, the NYAG also reached a settlement with Peabody Energy, in which the company agreed to disclose more about climate change risks. There is every chance that these actions could spill over into other industries.

If it turns out that the information disclosed to investors regarding the consequences of climate change risks is incomplete or misleading, the company and its directors could face an array of potential claims, from class actions to shareholder derivative claims (in climate-change related suits, claims could be based on breaches of statutory or fiduciary duties, compensation for lost corporate value attributable to a failure to mitigate or adapt).

Although it is widely accepted that the consequences of climate change are difficult to predict, the weight of scientific and economic evidence available to directors and officers may make it increasingly difficult for them to defend themselves on the basis that the effects of climate change were not reasonably foreseeable.

The risks are not confined to the US; there have been a number of claims related to environmental liability disclosures in Canada, and although not a disclosure case, the 2015 Supreme Court of Canada decision in Chevron Corporation v. Yaiguaje illustrates the cross-border reach of corporate environmental liability.

SOURCES

1. Reputation Matters, Developing Reputational Resilience Ahead of Your Crisis, Deloitte

2. The Global Slavery Index

3. Institute for Mergers, Acquisitions and Alliances (IMAA)

4. Allianz Global Corporate & Specialty
