Numerous questions surround the SEC’s new policy requiring enforcement action defendants in “egregious” cases to admit to wrongdoing in order to settle with the agency, rather than simply agreeing to neither admit nor deny the agency’s allegations. As I discussed in a prior post (here), among the questions is the issue of what the impact from these kinds of admissions may be for the availability of D&O insurance for the defendants making the admissions.


In an October 17, 2013 article entitled “Recent Changes in SEC Enforcement Policy Require Renewed Attention to Directors’ and Officers’ Insurance Terms” (here), Eric Barber and Charles (Chip) Mulaney of the Perkins Coie law firm take a closer look at the insurance issues arising from the SEC’s new settlement approach.


As the authors note, an immediate concern is whether the admissions are sufficient to trigger the conduct exclusions found in D&O insurance policies. These exclusions preclude coverage for claims involving fraudulent or criminal misconduct or the gaining of profit or advantage that is illegal. The authors note that if an SEC enforcement action defendant were to reach a settlement with the agency that includes admissions of wrongdoing, the defendant’s D&O insurer may argue that the admissions “are sufficient to trigger the conduct exclusion and thus bar coverage in a civil lawsuit arising out of the same set of facts.”


The most direct way to avoid this type of coverage issue may be through the way the settlement itself is structured. As the authors note, in the recent JP Morgan “London Whale” settlement (about which refer here), the company kept its admissions vague on the issue of “who did what wrong” and avoided any mention of intent. The authors also note that in the recent Harbinger/Falcone settlement (about which refer here), the defendants preserved leeway in the agreement to deny the allegations in other proceedings arising out of the same conduct. These kinds of settlement features could allow a company room to contend that its admissions to the SEC do not trigger the conduct exclusions.


In addition, the conduct exclusions in most D&O insurance policies are only triggered “after adjudication” that the precluded conduct has actually taken place; the authors note that if, like the JP Morgan London Whale settlement, the settlement is in the context of an administrative proceeding that does not require or involve court approval, “the insured may be able to argue that, absent court approval, the conduct exclusion has not been implicated.”


The authors also note the importance of so-called severability provisions in the D&O insurance policy. These provisions are found in relation to both the policy exclusions and in relation to the policy application.


With respect to the policy provisions relating to severability of the exclusions, these provisions ensure that the misconduct of one insured person will not be imputed to any other insured for purposes of determining the applicability of a policy exclusion. This could be particularly important in the context of a multi-defendant proceeding where one defendant (say, the corporate defendant) is motivated to pursue settlement and perhaps willing to make admissions to put the matter to rest, while other defendants could be less willing to settle based on an admission. The severability of the exclusions provision ensures that one party’s wrongdoing admissions will not be imputed to another for purposes of determining the applicability of an exclusion.


The severability of the application provision ensures that any one individual’s knowledge of facts pertaining to an application misrepresentation will not be imputed to any other person. Application severability could be critical if the D&O insurer were to contend in reliance on admissions in an SEC settlement that the D&O insurance application contained misrepresentations. The severability provision could ensure that another party’s admissions would not serve as a basis for the insurer to try to rescind the policy as to other parties.


The authors also note that if SEC enforcement action defendants were to provide admissions in an SEC settlement that an insurer contends are sufficient to preclude coverage, the D&O insurer might also seek recoupment of defense fees that the insurer has already paid. The authors note that insurers “have met with mixed success on this issue,” but that the insurers might well seek recoupment in a larger case where millions of dollars have been spent. The authors suggest that insureds “should pay careful attention” to whether the policy explicitly grants the insurer the right of recoupment of previously paid defense costs and whether the insurer has explicitly reserved its right to seek recoupment when it starts making defense cost payments at the outset of the claim.


In my view, the possibility that the insurer might seek recoupment of defense costs that have already been paid is a particular concern. There are enough recent cases where insurers have obtained the right to recoup defense fees, for example, following a criminal conviction (refer, for example, here) to raise the concern that the insurers might seek recoupment in the event of admissions of wrongdoing in an SEC settlement. (For an overview of the issues surrounding the insurer’s right of recoupment, refer here).


It is relatively rare for a D&O insurer to seek recoupment. Often by the time the legal proceedings have reached the point where the insurer has a basis on which to try to seek recoupment, the individual from whom it would seek recoupment has few remaining assets from which the insurer might recover. In addition, many insurers understand that it is a poor public relations move to be seen suing your own customer trying to recover amounts you previously paid under a contract of insurance.


Though recoupment is rare, it comes up often enough to be a concern. The law in this area is not entirely uniform. In some jurisdictions, the courts have held that, if at the outset of a claim the carrier has reserved the right to seek recoupment in the event of a determination of noncoverage, the carrier has the right to seek to recoup defense costs incurred in connection with claims that are not covered under the policy. Courts that follow this approach reason that allowing the insurer to recoup the defense costs where a timely reservation of rights was issued promotes the policy of ensuring that defenses are afforded even in questionable cases. Other courts following this line have reasoned that it would be inequitable for the insured to retain the benefits of the defense without repayment where there was no coverage under the policy.


On the other hand, other courts have held that the policy itself must specifically address the carrier’s right to seek recoupment and that the mere fact that the carrier has reserved its rights to seek recoupment is not sufficient to create a right that is not otherwise found in the policy.


In light of these various concerns, it seems likely that there will be a renewed focus among D&O insurance practitioners on the potentially implicated policy provisions. I am just speculating here for now, but given these developments, I can imagine the debate with the industry involving the following.


First, I suspect that there will be a renewed focus on the wordings of the conduct exclusions. Among other things, policyholder advocates will try to restrict the fraud exclusion trigger to “deliberate fraudulent or criminal misconduct,” with an emphasis on including the word “deliberate” and eliminating any reference in the exclusion to “dishonesty.” I would also expect policyholder advocates to try to tinker with the “after adjudication” requirement; for example, there might be an effort to include language requiring that the “adjudication” take place in a judicial proceeding (as opposed to an administrative proceeding).


Similarly, there is likely to be a renewed focus on the question of whether or not there are express policy provisions relating to the insurer’s right to recoupment. Although one approach might be simply to try to have the insurer remove policy provisions of this type, the removal of the provision alone (even if the insurers were to agree to it) might not be sufficient to address policyholder concerns about the possibility of the insurer seeking recoupment in the event of wrongdoing admissions in an SEC proceeding.


Another approach policyholder advocates might take would be to try to include express policy language to the effect that the insurer will not seek recoupment in the event of admissions in an SEC enforcement action; I would expect that even if the insurers were willing to consider the possibility of including this type of language, there would still be a significant debate over what type of carve outs would be added. That is, the insurer would likely still want to preserve the right to seek recoupment in the event of certain kinds of admissions.


The SEC’s new policy is still new and we are all still in the position of seeing how the new policy will be implemented. The agency’s actual practices will have a significant impact on how the D&O insurance industry ultimately responds. But in the meantime, there will likely be a significant debate among D&O insurance practitioners over what the right response will be from an insurance standpoint to the SEC’s new policy. 


The Cyber Risk “Governance Gap”: Numerous observers (including this blog) have noted the growing liability exposures facing boards of directors arising from cyber breach risks. Still other commentators have suggested the measures boards should be taking in light of these risks. Yet, at least according to a recent paper summarizing several recent research studies, at all too many companies, there is a “cyber risk governance gap” – that is, a “gap” between “the legal exposure presented by cyber risks and the ability of corporate boards to address these risks effectively.”


In a recent Bloomberg Law article entitled “Cyber Risk and the Board of Directors – Closing the Gap” (here), Michael Gold of the Jeffer Mangels Butler & Mitchell law firm explores what he describes as the “cyber risk governance gap.” He cites research from Carnegie Mellon focused on the energy and utilities industries as showing that 71 percent of surveyed boards rarely or never review privacy and security budgets; 51 percent of boards rarely or never review security program assessments; and 54 percent rarely review top level policies. He also notes that industrial companies showed only “modestly better” in a study conducted by the U.S. Department of Homeland Security on companies that experienced cyber breach events in 2012.


Gold suggests that boards of many companies may be “timid about engaging cyber risk” because these risks have “no real parallel in the experience of most corporate directors.” He notes that many directors, particularly those at mature companies, “are older and are not as comfortable with digital technologies.” Compounding this issue is the fact that the complexity of the technology and the frequent use of jargon raise barriers even more.


Gold also notes that, perhaps ironically, for many board members the problem may not be too little information, but too much; he notes the “sheer volume of information,” which leaves board members with “cyber security fatigue,” which all too often leads to the default mode characterized by the blanket excuse that “we have a good IT staff.”


Of arguably greater concern, according to a study Gold cites from the National Association of Corporate Directors, is that many board members are “simply unaware of the operational risks at their company” because they “do not know enough to ask the necessary questions of the right people to obtain the information they need.”


Based on these concerns, Gold suggests some steps companies and their boards can take to address the “governance gap.” First he suggests mandatory cyber education for board members, with an emphasis on developing cyber expertise at the board level, including through the consideration of candidates with appropriate expertise. He also suggests creating a board level reporting system that gives directors “timely and usable information to permit a reliable high-level evaluation of the company’s cyber risk profile, defensive strategies and infrastructure.”


I found Gold’s article interesting, both in and of itself, and as yet another example of a growing volume of commentary underscoring the fact that many companies seem to be slow off the mark in addressing cyber risks. This message is consistent with the related concern noted in a recent post on this site that despite SEC guidance directing reporting companies to incorporate greater cyber risk disclosure in their periodic filings, many companies have not yet modified their disclosure to address cyber disclosure.


Readers interested in a more detailed perspective on the actions boards of directors should be taking and the questions directors should be asking about cyber risks will want to take a look at the prior guest post on this site by D&O insurance industry veteran Dan Bailey discussing directors’ “new focus” on cyber risk issues. In any event, as discussed in a separate post (here), one particular question companies should be asking company management is the extent to which the company has secured dedicated insurance to protect the company in the event of a cyber breach or privacy event.


Plaintiffs Withdraw Appeal of Forum Selection Bylaw Case: Defense advocates were heartened in June when Delaware Chancery Court Chancellor Leo E. Strine, Jr. entered an order upholding forum selection bylaws adopted by Chevron and Federal Express as statutorily and contractually valid. It was hoped at the time that the ruling validating the forum bylaw provisions might help to reduce the curse of multi-jurisdiction litigation by requiring shareholder claims to be litigated in Delaware. However, a concern at the time was that, as a lower court ruling only, Chancellor Strine’s decision could be overturned on appeal by the Delaware Supreme Court. The plaintiffs did in fact file an appeal and court watchers had been eagerly anticipating the appellate court’s consideration of the case.


As it turns out, the court watchers can relax – the plaintiffs have decided to drop their appeal. As discussed in an October 16, 2013 post by Widener University Law Professor Lawrence Hamermesh on the school’s Institute of Delaware Corporate & Business Law blog (here), the plaintiffs in the Chevron and Fed Ex cases voluntarily dismissed their appeal of Chancellor Strine’s ruling.


Professor Hamermesh comments that he thinks this is a “tactically intelligent move” on the plaintiffs’ part. It was widely believed that the appellate court would affirm Chancellor Strine’s opinion. By dropping their appeal, the plaintiffs arguably preserved “at least a residual crack of daylight … to argue, in cases brought outside of Delaware, that exclusive forum bylaw provisions are generally unenforceable.” The professor did note his “disappointment” that the Delaware Supreme Court will now not get the chance to consider the case; he had been hoping for a strong opinion endorsing the enforceability of the provisions.


Speakers’ Corner: On Monday October 21 and Tuesday October 22, 2013, I will be co-chairing the American Conference Institute’s 17th Forum on D&O Liability in New York. The two-day conference includes an outstanding cast of speakers. It should be a great session. Information about the conference can be found here.


If you will be attending the conference, I hope you will make a point of saying hello to me while we are there, particularly if we have never met previously.


Owing to my attendance at the conference, there may be an interruption in The D&O Diary’s publication schedule. Normal publication should resume later in the week.