Every fall, I take a step back and survey the most important current trends and developments in the world of Directors’ and Officers’ liability and D&O insurance. This year’s survey is set out below. Once again, there are a myriad of things worth watching in the world of D&O.
How Will the Interrelatedness Issue Continue to Affect D&O Claims?: One of the most vexing issues that can arise in the D&O claims context is the question of whether or not two claims are interrelated. The typical context in which the question arises is that there have been two (or more) claims filed in separate policy periods. If the claims are related, they trigger coverage under only a single year’s policy, with the subsequent claims deemed to have been made at the time of the first related claim. If the claims are not related but instead are separate, multiple policies are triggered.
Because the determination of the interrelatedness issues can have an enormous impact on the amount of insurance available to resolve claims, it is a frequently litigated issue. Another reason the issue is so frequently litigated is that there are few reliable guideposts to help sort out disputes over relatedness. The court decisions in this area are all over the map and often very fact-intensive.
This issue has been around (and has been a problem) for years. Bur for whatever reason, it just seems that more and more lately, the D&O insurance coverage disputes increasingly are focused on interrelatedness issues. A number of recent posts on this blog have involved case developments in lawsuits involved disputes over the interrelatedness issue (refer for example here and here).
One particularly important context in which the interrelatedness issue has arisen in recent years is in the litigation involving the financial crisis. Many of the companies involved in the crisis have been hit with multiple lawsuits, often filed over the course of several years. The question whether these various lawsuits are separate and trigger multiple insurance policies or programs, or whether they are interrelated and therefore trigger only a single policy or program, has arisen in connection with many of the high-profile companies involved in credit crisis litigation.
One noteworthy case that raises these issues and involving the failed IndyMac bank is now pending in the Ninth Circuit. As discussed here, in June 2012, Central District of California Judge R. Gary Klausner concluded, based on the relevant interrelatedness language, that a variety of lawsuits that first arose during the bank’s 2008-2009 policy period were deemed first made during the policy period of the bank’s prior insurance program, and by operation of two other policy provisions were excluded from coverage under the 2008-2009 program. The upshot of Judge Klausner’s opinion is that only a single insurance tower of $80 million will apply to the various claims, rather than two $80 million insurance towers.
Judge Klausner’s coverage decision took on even greater significance in December 2012, when the FDIC obtained a $168.8 million jury verdict against three former IndyMac officers (about which refer here). The verdict may be of little value to the FDIC if only a single $80 million tower of insurance is available for the various claims arising out of IndyMac’s collapse. Prior settlements and defense fees have largely eroded the single $80 million tower Judge Klausner said applies to the various IndyMac claims.
Judge Klausner’s coverage decision is now on appeal to the Ninth Circuit. The parties have been filing their legal briefs over the summer. The bank’s former directors and officers have argued to the appellate court that Judge Klausner erred in ruling that all of the various claims were interrelated and therefore triggered only a single insurance tower. A number of other parties are also challenging the ruling, including the FDIC and the trustee for the bankruptcy of the bank’s holding company. The insurers have argued that all of the claims are interrelated and therefore that only a single tower of insurance was triggered.
The parties are in the final stage of the briefing process and it will be many months before the case is decided. Because of the stakes involved and because of the high profile nature of the case, the Ninth Circuit’s ruling in the case will be closely watched and could be very influential. Just the same, the decision is also likely to be very dependent on the specific circumstances involved. The likelihood is that even after the Ninth Circuit issues its opinion that interrelatedness issues will continue to vex insurers and policyholders alike.
What are the D&O Insurance Implications of the SEC’s New Policy Requiring Admissions of Wrongdoing?: On August 19, 2013, in connection with its entry into a settlement with New York-based hedge fund adviser Phillip Falcone and his advisory firm Harbinger Capital Partners, the SEC for the first time implemented its new policy requiring defendants seeking to settle civil enforcement actions to admit wrongdoing, in contrast to the long-standing practice of allowing defendants to resolve the enforcement actions with a “neither-admit-nor-deny” settlement.
The SEC’s new policy requiring – in “egregious” cases -- wrongdoing admissions in order to settle an enforcement action not only has important implications for the enforcement action itself, but potentially also has important implications for related civil or criminal proceedings. Another issue that inevitably will also arise is the question of the impact of factual admissions on the continuing availability of D&O insurance..
The SEC and the Harbinger defendants, including Falcone, had actually reached an earlier settlement in principle to resolve the case that reflected the traditional “neither admit nor deny” approach. However, in July 2013, the SEC advised Harbinger that the SEC Commissioners had voted to reject the deal. The vote apparently reflected the SEC’s new policy, announced in June by new SEC Chair Mary Jo White, that going forward the SEC would require defendants settling enforcement actions to admit wrongdoing, at least in “egregious” cases.
In the revised settlement, Falcone and the Harbinger entities agreed to extensive admissions of wrongdoing. The factual admissions are set out in a detailed Annex to a Consent that Falcone signed on August 16 on his own behalf and on behalf of the Harbinger entities. The admissions are also set out verbatim in the proposed Final Consent Judgment filed with the Court. Pursuant to the settlement, the defendants agreed to pay a total of over $18 million in disgorgement, civil penalties and interest. As part of these payments, Falcone himself must pay over $11.5 million. Falcone also agreed to a five-year ban from the securities industry.
The admissions in the Consent are comprehensive – the defendants basically admitted all of the SEC’s allegations. Moreover, it appears that in pursuing its new settlement approach, the SEC will be requiring other defendants to provide similar admissions in order to settle SEC actions against them. For example, there are reports that the agency is seeking to require J.P Morgan to provide admissions of wrongdoing in connection with the agency’s actions against the firm in connection with the “London Whale” case.
The SEC’s admissions requirement has a number of significant implications. First, it means that, at least in the SEC enforcement actions where the agency will require admissions that the cases will be much harder to resolve. The defendants, wary of the possible impact the admissions could have in other proceedings, will be reluctant to provide admissions. One consequence of the new policy could be that the SEC will be compelled to try more cases, which could strain the agency’s resources.
A defendant’s provision of admissions potentially could have enormous consequences for related proceedings. The recitation in the Consent that the Harbinger defendants have been provided no assurances about the possibility of criminal proceedings has to be particularly chilling, especially for Falcone. The admissions in the Consent may or may not suffice to draw criminal charges, but at least some commentators have suggested that criminal charges could follow.
Another question about the admissions is their collateral effect in related civil proceedings. As it happens, there is a pending civil action that Harbinger investors had filed against Falcone and the funds that could provide an early test of the civil litigation collateral estoppel consequences of admissions in an SEC enforcement action. In an August 20, 2013 post in her On the Case blog (here), Alison Frankel examines the possible impact that the admissions could have on the fund investors’ pending civil action. As she explains, despite the differences between the cases, the admissions could bolster the plaintiffs’ allegations.
Yet another issue that the admissions raise is the question of their impact on the availability of D&O insurance. The specific question is whether the admissions are sufficient to trigger the fraud and criminal misconduct exclusion in the D&O policy. The wording of these exclusions varies, but they typically preclude coverage for loss arising from fraudulent or criminal misconduct, but only after a final adjudication determines that the preclusive conduct has taken place. If the admissions were found to be sufficient to trigger this exclusion, coverage would no longer be available for the wrongdoer, and the insurer arguably could even have the right to try to recover amounts that had already been paid.
On the one hand, there would seem to be reason to be concerned that a settlement of this type represents a “final adjudication.” The specific factual admission to which the defendants agreed were not only stated in the public court record, but they are incorporated verbatim into the Final Consent Judgment filed with the court. Upon the Court’s entry of the Judgment, there would seem to be grounds upon which it could be argued that there had been a final adjudication. (A related question is whether this adjudication occurred in “the underlying proceeding” as many policy exclusions require.)
On the other hand, there is a question whether the admissions satisfy the exclusion’s misconduct requirement. While the admissions represent an extensive concession that the defendants engaged in wrongdoing – and while the admissions expressly recite that the defendants acted “improperly” and “recklessly” -- at no point do the defendants admit to “fraud” or to any other level of conduct that would expressly trigger the typical D&O policy’s conduct exclusion.
A related issue that could arise is the question of exactly how bound the admitting parties are by their admissions. The Harbinger defendants’ Consent specifically recites that nothing in the agreement affects the defendants “right to take legal or factual positions in litigation or other proceedings or other legal proceedings in which the Commission is not a party.” In effect, the Harbinger defendants seemed to have tried to preserve the right to argue that while they made certain admissions for purposes of the SEC enforcement action, they did not make those admissions for all purposes and for the benefit of all other parties who might seek to rely on them. The Harbinger defendants might well argue that notwithstanding their admissions in the Consent, they have the right to contest the factual matters in other proceedings, including for example, in the context of an insurance coverage dispute.
The Harbinger settlement represents a significant development with important potential implications for other defendants in SEC proceedings. The admissions these defendants may be required to provide in order to settle the enforcement action pending against them could have important collateral consequences, many of which at this point remain uncertain. Among other questions that likely will also have to be addressed is whether admissions of this type have any impact on the continued availability of insurance coverage for the defendants that provide these kinds of admissions.
What are the D&O Insurance Implications of the Massive Derivate Lawsuit Settlements?: In April 2013, the parties to the News Corp. shareholder derivative litigation agreed to settle the consolidated cases for $139 million,to be funded entirely by D&O insurance.
There have been several shareholder derivative suit settlements that were nearly as large as the News Corp. settlement but none quite as big:
- The El Paso/Kinder Morgan merger-related derivative suit settled in September 2012 for $110 million (refer here).
- In 2005, the Oracle derivative suit settled based on Oracle CEO Larry Ellison’s payment of a total of $122 million (refer here and here).
- In September 2009, the parties to the Broadcom Corp. options backdating-related shareholders’ derivative suit agreed to settle the case, as to most but not all of the defendants, for $118 million (as discussed here).
- In September 2008, the parties to the 2002 AIG shareholders’ derivative lawsuit agreed to settle the case for a payment of $115 million (about which refer here).
In addition, in December 2007, the UnitedHealth Group options backdating-related derivative lawsuit settled for a total nominal value of approximately $900 million, as discussed here. However, the value contributed to the settlement consisted of individual defendants’ surrender of certain rights, interests and stock option awards, not cash.
These settlements are all dwarfed by the $2.876 billion judgment entered in June 2009 against Richard Scrushy in the HealthSouth shareholders' derivative lawsuit in Jefferson County (Alabama) Circuit Court, and the $1.262 billion judgment that Delaware Chancellor Leo Strine entered in October 2011 in the Southern Peru Copper Corporation Shareholder Derivative Litigation (about which refer here). Both of these case outcomes involve judgments following trial, rather than settlements.
Aside from the question its sheer size is the fact that the News Corp. settlement was funded entirely by D&O insurance. This large settlement represents not only a serious and unwelcome development for the specific carriers involved but also represents an unwelcome event for the D&O insurance industry in general, for what it might represent as far as the severity potential of shareholders’ derivative litigation.
In the past, going back ten years or so, shareholders’ derivative suits typically did not present the possibility of significant cash payouts for settlements or judgments. As the significant examples above show, that clearly has changed.
This trend gained particular momentum with the options backdating scandal. Many of the options backdating cases were filed as derivative suits rather than as securities class action lawsuits (largely because the options backdating disclosures did not always result in the kinds of significant share price declines required to support a securities class action lawsuit). As illustrated by the Broadcom case mentioned above, some of the options backdating derivative suit settlements included very substantial cash components
The inclusion of a significant cash component has also been a feature of the settlements of some of the merger objection suits that have been filed as part of the current upsurge in M&A-related lawsuit that have been filed in recent years, as illustrated by the El Paso settlement mentioned above.
For many years, D&O insurers have considered that their significant severity exposure consisted of securities class action lawsuits. The undeniable reality is that in at least some circumstances, derivative suits now represent a severity risk as well. And the settlement amounts themselves represent only part of the D&O insurers’ loss costs. The D&O insurers also incur millions and possibly tens of million of defense cost expense in these derivative suits
Another issue is that these settlement amounts represent so-called “A Side” losses. That is, the losses are paid out under the portion or the D&O insurance policy that provide insurance for nonindemnifiable loss. A derivative suit settlement is not indemnifiable, at least under the laws of many jurisdictions, because if it were to be indemnified, the company’s would make the indemnity payment to itself. For the “traditional” D&O insurance carriers, there is perhaps no particular pain associated with the fact that the loss is paid under the “Side A” portion of the policy, as opposed the other policy coverage (that is, the “Side B” or “Side C” coverage that are more typically called into play). But these days many companies carry --in addition to their traditional D&O insurance that includes all three coverages (that is, they include Sides A, B and C coverage) -- additional layers of excess Side A insurance.
The increasing risk of this type of settlement represents a significant challenge for all D&O insurers, but particularly for those D&O insurers concentrating on providing Excess Side A insurance. Those insurers will have to ask how they are to underwrite the risks associated with these kinds of exposures, and how they are to make certain that their premiums adequately compensate them for the risk.
Will By-Law Forum Selection Clauses Withstand Judicial Scrutiny and Help to Diminish the Multi-Jurisdiction Litigation Curse?: Over the past several years, one of the more troublesome litigation trends has been the rise of multiple lawsuits involving the same circumstances but filed in separate jurisdictions. As a way to try to avert the inefficiencies and added expense associated with multi-jurisdiction litigation, reformers suggested that a provision could be added to company by-laws requiring shareholders to litigate claims in a specified jurisdiction (usually Delaware). The boards of a number of companies adopted forum selection by laws.
The first judicial challenge to a forum selection bylaw resulted in a set back for the idea. As discussed here, in January 2011, a judge in the Northern District of California refused to enforce a forum selection by-law that had been adopted by Oracle, because it had not been approved by shareholders, but rather had been adopted only by the company’s board of directors.
However, on June 25, 2013, in a judicial development that may help ease the curse of multi-jurisdiction litigation, Chancellor Leo E. Strine, Jr. of the Delaware Court of Chancery held that forum selection bylaws adopted by Chevron and Federal Express are statutorily and contractually valid. A copy of the Chancellor’s opinion can be found here.
According to Chancellor Strine’s opinion in the Chevron case, in the last three years over 250 publicly traded companies adopted forum selection bylaws. Chancellor Strine recites in his opinion that Chevron’s board adopted the bylaw due to concerns about “the inefficient costs of defending the same claim in multiple jurisdictions” and in order to “minimize or eliminate the risk of what they view as wasteful duplicative litigation.”
Chancellor Strine’s determination that Chevron and Fed Ex’s forum selection by-law are valid is of course far from the final word. The Delaware Supreme Court may yet take a different view. In addition, the question will still remain whether or not the courts of other jurisdictions will enforce the forum selection clause when faced with a motion to dismiss a case pending in their courts. Whether or not the bylaws are valid under Delaware law will not necessarily be determinative of whether the bylaws are in fact enforceable elsewhere.
Nevertheless, in the wake of Chancellor Strine’s opinion, a number of companies have acted to adopt their own bylaws. It will be very interesting to see if these by-law provisions prove to be effective in diminishing the curse of multi-jurisdiction litigation.
How Far Will Courts Extend the Broad Judicial Support for the Enforceability of Arbitration Clauses?: In the latest in a series of decisions in which it upheld the enforceability of arbitration agreements, the U.S. Supreme Court ruled on June 20, 2013 that an arbitration agreement with a class action waiver is enforceable even it meant that an individual’s cost of pursuing a claim exceeded the economic value of the individual’s potential recovery. A copy of the Court’s opinion in American Express Co. v. Italian Colors Restaurant can be found here.
Although the decision is consistent with other recent Supreme Court rulings, it has its own important implications – and it also raises a question of just how far the principle of broad enforceability of arbitration agreements can be taken. In particular, does the broad enforceability of arbitration agreements reach far enough to include the enforceability of arbitration agreements and class action waivers in corporate articles of incorporation or by-laws?
The question about the inclusion of arbitration provisions and class action waivers in corporate by-laws is not far-fetched. In fact, at least one court has already held these kinds of by-law provisions to be enforceable. As discussed here, in May 8, 2013, a Maryland Circuit Court held that Commonwealth REIT could enforce a by-clause requiring shareholders to arbitrate their claims.
In a July 8, 2013 Law 360 article commenting on the Commonwealth REIT decision (here, subscription required), Andrew Stern, Alex J. Kaplan and Jon W. Muenz of the Sidley Austin law firm note that though it remains to be seen how other courts will address the question of the enforceability of arbitration clauses in corporate bylaws, the Maryland decision “should be seen as, at the very least, a significant incremental victory for boards and trustees who view arbitration as an effective means to manage the typically highly public nature of corporate activism.” At a minimum, the authors note, the decision could be seen – at least for Maryland companies -- as “a green light for boards … to include broad arbitration clauses in their bylaws without seeking shareholder approval.”
The Maryland trial court decision has no precedential value and may or may not be followed by other courts. Nevertheless, the fact remains that at least this one court did enforce a by-law arbitration clause. As the law firm memo’s authors state, this decision does represent an “incremental victory” for those who advocate for the inclusion of these types of provisions in corporate bylaws as a way to forestall costly and burdensome shareholder litigation.
With the U.S. Supreme Court’s willingness to enforce arbitration agreements including class action waivers in commercial and consumer contracts, and with case law developments like the one in Maryland, more companies may be encouraged to attempt to use their bylaws as a way to control shareholder litigation. We undoubtedly will see more – both from companies and from the courts – on the topic of arbitration clauses in corporate bylaws.
What Will Be the Impact of the Conflict Minerals Disclosure Rules?: Among the many hundreds of pages of the Dodd-Frank Act was a provision unrelated to the financial crisis that triggered the legislation. Congress included in the Act a provision directing the SEC to promulgate rules requiring companies to disclose their use of conflict minerals originating in the Democratic Republic of Congo (DRC) or an adjoining country. It has taken some time for the regulatory process to unfold, but the conflict mineral disclosure requirements are now in effect. The consequences for companies could be significant.
On August 22, 2012, the SEC adopted the conflict mineral disclosure rules. The SEC’s August 22, 2012 press release can be found here and the rule itself can be found here. The specific minerals at issue are tantalum, tin, tungsten and gold. The countries covered by the disclosure rules are, in addition to the DRC, Angola, Burundi, Central African Republic, the Republic of Congo, Rwanda, South Sudan, Tanzania, Uganda and Zambia (the “Covered Countries”)
The rule applies not just to companies with SEC reporting obligations (including both domestic and foreign issuers) but it also applies to any company that uses the specified minerals if the minerals are “necessary to the functionality or production” of a product manufactured by or “contracted to be manufactured” by the company. Companies are required to comply with the new disclosure rules for the calendar year beginning January 1, 2013, with the first disclosures due May 31, 2014 and subsequent disclosures due annually each year after that.
Many companies had deferred preparations to meet the disclosure obligations in the hope that a pending legal challenge to the rules might succeed. However, in a July 2013 order, Judge Robert Wilkins of the District Court for the District of Columbia struck down the legal challenge. An appeal of the ruling has already been filed. However, as Broc Romanek wrote in a July 24, 2013 post on his TheCorporateCounsel.net blog (here), the ruling means “the SEC's rules go forward as they currently exist (ie. no de minimis exception, etc.).” He adds that, despite the appeal, “with the first report due May 31, 2014, all companies should be operating on the assumption that the rules are indeed the rules and start preparing now.”
In a recent post (here), I detailed how extraordinarily difficult the conflict minerals determinations and disclosures may be for many companies. There is a lot of risk here for the companies involved. First and foremost, companies face a serious potential PR risk. Companies found to be out of position on conflict minerals could face a publicity firestorm from humanitarian groups and activist investors. Although it remains to be seen, adverse publicity could prove to be a problem not just for companies that must declare their use of conflict minerals but even for those that are unable to declare themselves conflict mineral free.
As with any disclosure requirement, there is also a significant litigation risk as well. Companies compelled to reveal their use of conflict minerals could well be the target of shareholder suits. A particularly difficult problem would involve companies that had declared themselves to be conflict free that are later shown have been using conflict minerals after all. The negative publicity and likely share price decline could be followed by a securities class action lawsuit. Activist shareholders could also launch derivative suits against companies based on allegations such as the failure to implement adequate procedures to ensure that the company’s products were conflict mineral free.
Of course, whether any of these kinds of suits actually emerge remains to be seen. However, the disclosure deadline that had seemed so far in the future is now rapidly approaching. In coming months, we will be hearing more about companies’ struggles to ready themselves for the disclosure requirements. In addition, questions surrounding companies’ preparations for the conflict minerals disclosure requirements increasingly will become a part of the D&O insurance underwriting process.
How Will the Mass of Failed Bank Litigation Finally Play Itself Out?: The peak of the recent financial crisis is now nearly five years in the past. Though banks are still continuing to fail, we can hope that the worst of the bank failure wave is now behind us. Along those lines, in its most recent Quarterly Banking Profile, the FDIC reported that the number of “problem institutions” continues to decline -- although still troublingly high.
Though we can hope that the number of bank closures will continue to decline, the litigation that the FDIC is filing against the banks’ former directors and officers continues to mount. As of the agency’s latest report on August 8, 2013, the agency has filed 76 lawsuits against the directors and officers, including 32 so far this year. (By way of comparison, the agency filed 25 lawsuits during all of 2012.)
The number of failed bank lawsuits is likely to grow. As of August 8, 2013, the FDIC has also authorized suits in connection with 122 failed institutions against 987 individuals for D&O liability. The number of suits authorized is inclusive of 76 lawsuits that the agency has already filed naming 574 former directors and officers. In other words, there is a backlog of as many as 46 additional lawsuits yet to be filed. In addition, for some time now, the FDIC has increased the number of lawsuits authorized each month. There could be many more lawsuits yet to be authorized and filed.
The FDIC has already authorized lawsuits to be filed in connection with about 25% of all the 485 banks that have failed since January 1, 2008. (By comparison, during the S&L crisis, the agency filed D&O lawsuits in connection with about 24% of bank failures). With a total of 76 lawsuits actually filed, the agency has now filed suit in connection with about 15% of bank failures.
Given the litigation already filed and the lawsuits yet to come, there is and will continue to be a mountain of failed bank litigation to work its way through the courts. These cases are a burden for the courts and for the litigants. They also represent a challenge for the D&O insurers involved as these claims move toward resolution. The losses associated with these cases will continue to weigh on the insurers’ financial results, which in turn will affect their premiums and their risk appetites.
A mass of D&O litigation was also one of the side-effects of the S&L Crisis. Insurance coverage disputes from those cases contributed many of the important judicial decisions applicable to the interpretation of D&O insurance policies. As illustrated above in connection with the IndyMac case, there likely will be significant judicial interpretations of the D&O policy language as a result of coverage disputes arising from the current bank failure litigation wave as well. In any event, the bank failure related litigation will be working its way through the courts for years.
How Will Cyber Security Threats Affect the Liabilities of Corporate Directors and Officers?: it is not news that cybersecurity risks represent a significant concern for just about every company involved in the current economy. Prior posts on this site (for example, here) have detailed the liability exposures that these risks represent for all of these companies and for their directors and officers. But while these issues are not new, it seems that as time progresses, the volume on these issues has been turned up. It now seems clear that cybersecurity is going to be one of the hot button issues for the foreseeable future, both in the media and for the affected companies.
The heightened scrutiny of cybersecurity issues has a number of important implications for potentially affected companies, and not just from an operational standpoint. These developments also have important implications for public company’s public disclosure statements, and, as a consequence, for the company’s potential regulatory and litigation exposures.
Indeed, according to a February 21, 2013 memo from the King & Spalding law firm entitled “Cybersecurity: The New Big Wave in Securities Litigation?” (here), “it is likely that this issue will continue to gain momentum among both government regulators and opportunistic plaintiff lawyers seeking to catch the next wave of shareholder litigation.” In particular, the failure to promptly disclose a cyber breach “may put a company at risk of facing formal SEC investigations, shareholder class actions, or derivative lawsuits.”
As the memo notes, the SEC “has already taken a firm stand on cybersecurity disclosures, and clearly views this issue as ripe for enforcement actions.” In October 2011, the SEC’s Division of Corporate Finance issued “Disclosure Guidance” on cybersecurity related issues. Among other things, the Guidance clarified that the agency expects companies to disclose the risk of cyber incidents among their “risk factors” in their periodic filings and also expects companies to disclose material cybersecurity breaches in their Management Discussion and Analysis.
The law firm memo notes that so far, the SEC’s Guidance “seems to have had little impact on corporate disclosure,” and that in many instances companies experiencing cyber breaches are “choosing to keep those events confidential.” However, “given the increasing awareness of this hot issue,” it seems “likely” that the SEC “will increase pressure on companies to disclose such events.” The memo adds that “companies that have experienced significant cybersecurity breaches should prepare themselves for potential SEC investigations and lawsuits.”
In addition to the risk of SEC enforcement action, companies experiencing cyber breaches also face the possibility of a securities class action lawsuit. However, the memo notes, a company experiencing a cyber breach “will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company’s share price.” In that respect, it is worth noting that several high profile companies announcing cyber breaches have not experienced a significant drop in their stock price following the announcement. (For example, recent announcements by Facebook, Apple and Microsoft that they have been the target of sophisticated cyber attacks did not affect the companies’ share prices.) Nevertheless, it seems likely that at least some companies experiencing cyber breaches or subject to cyber attacks will also suffer a drop in their share price, and “thus result in securities class action litigation.” (For further analysis of the effect of a cyber breach disclosure on share prices, refer here.)
Companies that do not experience a share price decline following a cybersecurity incident may not get hit with securities class action litigation, but they are still susceptible to derivative lawsuits alleging, for example, that company directors breached their fiduciary duties by failing to ensure adequate security measures. As the law firm memo notes, shareholder may claim that senior management and directors “were either aware of or should have been aware of the breach and the company’s susceptibility to hacking incidents.” Of course, any lawsuit of this type would face significant hurdles, including the requirement to make a formal demand on the board as well as the business judgment rule.
In any event, it is clear that cybersecurity issues are going to be an increasing source of scrutiny for companies and their senior officials. This heightened scrutiny not only means that companies will be under pressure to take steps to ensure that their networks and information are secure, but also means that the companies will face pressure both to “disclose the risks associated with potential cybersecurity breaches and provide timely updates when actual breaches occur.” Companies that fall short on these disclosure expectations “will face a substantial risk of regulatory scrutiny and shareholder litigation.”
As Rick Bortnick discussed in a guest post on this site (here), cyber security disclosures have already been the source of securities class action litigation, in the high profile case involving Heartland Payment Systems. Although that case was dismissed, Bortnick points out how different the circumstances and disclosures involved in that case might look if viewed through the prism of the SEC”s 2011 Disclosure Guidance.
Among other implications from these developments is that cybersecurity disclosure seems likely to be the subject of greatly increased scrutiny, suggesting that this disclosure – particularly precautionary disclosure forewarning investors of the possible adverse effects the company could expect in the event of a serious cyber attack – should become a priority for reporting companies.
Finally, these developments and the possible regulatory and litigation implications underscore the fact that cybersecurity exposures represent an important issue to be addressed as part of every company’s corporate insurance program. Indeed, the SEC itself considered the question of insurance for cybersecurity exposures to represent such a critical issue that, in its Disclosure Guidance, it specifically identified the insurance issue as one of the topics companies should address in their disclosure of cybersecurity issues.
The insurance issues related to cybersecurity include not only the question of whether companies should acquire dedicated cyber and network security insurance, but also includes the question of the protection available to the companies’ senior officials under their management liability insurance policies. These issues relating to the scope of a company’s insurance protection for cyber-related risks present specific questions directors should be asking company management.
How Will These Trends and Developments Affect the Market for D&O Insurance?: As should be apparent from this discussion, there is a great deal happening in the World of D&O. Nor do the above trends and developments noted above represent everything that is happening. The surge in M&A litigation, in which virtually every merger or acquisition attracts at least one lawsuit, continues unabated. The SEC whistleblower program, which recently announced that it had made its second whistleblower bounty award, threatens an upsurge in whistleblower-driven enforcement actions and related securities claims. Anti-bribery enforcement actions are but one of the many regulatory risks involved in an increasingly global economy. And all of these developments arise following the wave of litigation relating to the subprime meltdown and the credit crisis that continues to work its way through the courts.
Given everything that is going on, it is hardly surprising that the D&O insurance carriers might be taking a more defensive position. Indeed, many companies – including both public and private companies -- have seen the cost of their D&O insurance go up at their most recent renewal. The pricing increases are more concentrated in the primary D&O insurance policies; the increased pricing trend is less pronounced for excess insurance coverage.
In addition, in at least some cases and for some kinds of risks, carriers have started to try to pull back on terms and conditions as well. In some instances, this may consist of an attempt to increase retentions. In other cases, carriers have identified certain terms that they will no longer offer.
But though there are some areas where carriers are attempting to pull back, overall the coverage that remains available for most insurance buyers is broad. In addition, ample capacity remains available in the marketplace. Indeed, the sheer number of available market participants, augmented by the arrival of new players, raises the possibility that the premium increase and tightening of terms (however slight) could prove to be short-lived.
How all of this ultimately will play out remains to be seen. The one certainty is that the World of D&O will continue to be interesting to watch.
D&O Diary Readers Get Discount for ACI D&O Conference: On October 21 and 22, 2013, I will be co-Chairing the American Conference Institute’s D&O Liability Conference in New York. The event has a comprehensive agenda covering the current state of the D&O insurance marketplace as well as important developments in the world of directors’ and officers’ liability. The conference will feature an impressive line-up of knowledgeable speakers discussing topics that will be of particular interest to this blog’s readers. Background information regarding the conference, including the program agenda and registration details, can be found here.
Readers of The D&O Diary are eligible for a $200 discount when registering for the conference. In order to obtain The D&O Diary discount, readers should reference “DOD200” when registering by calling 888-224-2480 or online at www.AmericanConference.com/DandO
Have a Look Before You Leave: If you are not a regular reader of this blog, you may not have seen any of the photos that readers have taken of their D&O Diary mugs and that I have been posting on this site over the summer. The pictures are a lot of fun. The most recent post of readers’ mug shots, which contains links to all of the prior galleries, can be found here. Before you leave, take a moment to have a look at the great pictures that readers have been sending in.
Season’s End: According to the calendar, summer does not officially end for another three weeks or so. But for me, summer ends with the last sunset before leaving Lake Michigan for the season. Summer’s end is always bittersweet.But just the same, I welcome autumn’s approaching arrival and look forward to the opportunity to see and greet many of this blog’s readers at a variety of industry events on the calendar this fall..