The directors’ and officers’ liability environment is always changing, but 2024 was a particularly eventful year, with important consequences for the D&O insurance marketplace. The past year’s many developments also have significant implications for what may lie ahead in 2025 – and possibly for years to come.  I have set out below the Top Ten D&O Stories of 2024, with a focus on future implications. Please note that on Wednesday, January 15, 2025 at 11:00 AM EST, my colleagues Marissa Streckfus, Chris Bertola, and I will be conducting a free, hour-long webinar in which we will discuss The Top Ten D&O Stories of 2024. Registration for the webinar can be found here. I hope you can join us for the webinar.

Trump 2.0 Set to Launch Early in the New Year

The top news story overall in 2024 was also the top story in the world of D&O liability insurance – that is, that in the November 2024 U.S. Presidential Election, Donald Trump was elected to a second term as U.S. President. He is set to be inaugurated on Monday, January 20, 2025. On the basis of his announced policies and proposed cabinet and other political appointments, Trump’s second term seems likely to usher in a period of significant social, economic, and political change. As a result, there could also be significant changes ahead in the D&O insurance and liability arena.

One important way the upcoming Trump administration will likely impact the D&O arena is through the Presidential power to appoint federal judges. During his first administration, Trump appointed 234 federal judges, including three U.S. Supreme Court justices and 54 circuit court judges. Sitting Trump appointees currently represent about 26.2% of all authorized federal judge slots, including one-third of the sitting U.S. Supreme Court justices.

In a second administration, Trump will have the opportunity to further shape the federal judiciary, with the possibility that by the end of his upcoming term, about half of the sitting federal judges could be Trump appointees. Indeed, the day Trump takes office again, he will have as many as 45 federal judge seats to fill. Depending on how events unfold, he could also have the opportunity during his upcoming term to further shape the U.S. Supreme Court, as well.

In his first administration, Trump tended to appoint judges who were young and conservative. If, as seems likely, he follows this same judicial appointment approach in his second term, his judicial appointments potentially could shape federal jurisprudence for the next generation. There are many potential implications of a federal judiciary largely composed of Trump appointees, including, for example, with respect to civil rights, environmental law, or consumer protection issues; from the perspective of potential D&O liability, a Trump-appointed judiciary potentially could be beneficial for companies and their executives, as Trump-appointed judges so far have tended to be business-friendly and conservative.

Trump’s cabinet and other political appointments could also have an important impact on the D&O liability arena. One appointment that in particular could have a significant impact on the D&O liability arena is his appointment of the new Chair of the SEC. As discussed in detail here, President-elect Trump has announced that he will nominate former SEC Commissioner Paul Atkins as SEC Chair. This appointment, if confirmed, could result in a significant change of direction at the SEC, which in turn could have important implications for the world of D&O.

The SEC under the outgoing SEC Chair, Gary Gensler, is generally perceived to have been aggressive from an enforcement standpoint, and certainly was very active in issuing new regulations as well. It seems likely that certain regulatory priorities of the agency under Gensler will be rolled back or deemphasized under the new administration.

The Wall Street Journal in a December 4, 2024, editorial referred to Atkins as the “Anti-Gensler,” saying that Atkins is the “opposite of Gensler in temperament and regulatory ambition.” Atkins, as Politico commented in an article about Atkins’s nomination, has “sharply criticized what he considers to be heavy-handed policymaking for the last two decades” and is an “outspoken critic of everything from the reform measures enacted in the wake of the 2008 financial crisis to corporate penalties to climate-related disclosures.”

One area on which the agency under Gensler focused that is likely to also be a priority under Atkins is cryptocurrency. A variety of high-profile crypto firms and crypto agencies previously hired Atkins’s consulting firm, and Atkins himself is not only well known to the crypto community but he has served, according to the Wall Street Journal (here), as its “trusted consigliere.” The crypto community, the Journal reports, “expects to see clearer guidelines that define digital assets as securities or commodities,” and they also expect that under Atkins the agency will “dismiss the dozens of lawsuits that the agency has filed against companies under the current chair, Gary Gensler.” As a more general matter, Atkins is likely to move the agency away from what has been criticized (particularly with respect to crypto) as the “agency’s habit of regulation by enforcement.”

Atkins has, according to Politico, “sharply criticized what he considers heavy-handed policy making over the last few years.” One area in which he has a long track record is with respect to ESG. In its editorial about Atkins’s appointment, the Journal observed that Atkins “was an early critic of how asset managers and proxy advisers used environmental, social and governance (ESG) standards to bully public companies” and suggests that one of Atkins’s “top priorities” will be “rolling back Mr. Gensler’s 885-page climate-change disclosure rules.” As discussed here, other commentators have suggested that Atkins may also seek to withdraw or narrow the cybersecurity disclosure guidelines that went into effect in December 2023.

As a general matter, Atkins likely will steer the agency away from regulating in order to address social policies. Cydney Posner, in a post on the Cooley law firm’s PubCo blog (here), cites a prior statement by Atkins that “The SEC, CFTC or whatnot can look at its own patch, but it really can’t change the world. There are certainly enough societal and economic problems that need to be addressed. I think the agencies have got to figure out what is the highest and best use for them, and let Congress and others figure out what the public policy should be.”  

The agency under Atkins will of course continue to fulfill its role protecting investors and the financial markets. The agency’s efforts likely will focus on more traditional areas, such as issuer accounting and disclosure matters, offering fraud, market manipulation, insider trading, and similar matters. One issue the agency will have to continue to deal with in the months ahead is the fallout from the U.S. Supreme Court’s June 2024 decision in the SEC v. Jarkesy case, in which, as discussed in greater detail below, the Court struck down the agency’s use of administrative tribunals in civil penalty actions. One result of this ruling is that the agency has curtailed its use of administrative tribunals, which in turn may result in reduced enforcement activity overall.

Finally, the upcoming Trump administration’s economic and trade policies could potentially have a significant impact on companies’ operations and financial performance, which in turn could affect the D&O liability and claims environment. The new administration’s commitment to deregulation and lower taxes potentially could have a salutary benefit on the business environment, at least in the short run. However, the administration’s trade and immigration policies could create challenges for at least some companies. Trump’s proposed tariff increases could risk a global trade war, which in turn could impair supply chains and increase costs for businesses and consumers. Trump’s proposed deportation of unauthorized immigrants potentially could disrupt certain industries, such as agriculture, construction, and hospitality, and could also drive up labor costs.

These macroeconomic considerations are relevant not just for the business environment in which companies must operate; they could also significantly affect D&O claims activity. Readers will recall that in the wake of the global pandemic, macroeconomic factors such as supply chain disruption, labor supply shortages, and economic inflation led to significant numbers of D&O claims. And as is discussed in detail below, geopolitical issues, such as trade and sanctions, can also contribute to D&O claims exposures. Time will tell how the new administration’s economic, trade, and immigration policies will play out, but among the risks and uncertainties is the possibility of a new wave of D&O claims arising from macroeconomic and geopolitical factors’ impact on company operations and financial performance.

Federal Court Securities Suit Filings Increased in 2024

D&O insurers closely track the annual number of securities class action lawsuit filings. The number of annual filings can provide some indication of the insurers’ ultimate loss costs for the year. The current year’s filing patterns can also inform the insurers’ efforts to try to determine the profit-making price for their insurance product.

The number of federal court securities class action lawsuit filings increased in 2024 for the second year in a row, to the highest level since 2020. The increased number of federal court securities suit filings during the past year is due to several factors, including continuing filings relating to ongoing trends such as new lawsuit filings relating to SPACs, COVID-related suits, and cryptocurrencies.

There were 222 federal court securities class action lawsuit filings in 2024, compared to 212 in 2023, representing about a 4.7% increase. The 222 federal court securities suit filings represent the highest annual number of federal court filings since 2020, when, due to a significant number of federal court class action merger objection lawsuit filings that year, there were 313 federal court securities class action lawsuit filings. Please note that these numbers reflect only federal court securities suit filings; the numbers do not include state court securities class action lawsuit filings.

There were five federal court class action merger objection lawsuit filings in 2024, meaning that there were 217 “core” or “traditional” lawsuit filings during the year. The number of federal class action merger objection lawsuit filings has declined significantly since the 2016-2020 time frame, resulting in a significant decrease in the overall annual number of federal court securities suit filings since that time. It is important to note that a significant number of federal court merger objection lawsuits continue to be filed; however, in more recent years, plaintiffs’ lawyers, for tactical reasons, have chosen to file these actions as individual lawsuits rather than as class actions, and as a result these filings do not show up in the class action filing numbers.

The 2024 federal court securities class action lawsuit filings were first-filed in 40 different federal district courts. The federal district court with the highest number of first-filed securities suit complaints in 2024 was the Southern District of New York, which had 50 class action securities suit filings. The district courts with the next highest number of first-filed securities suit complaints were the Northern District of California with 38, and the Central District of California, with 23.

Of the 222 federal court securities class action lawsuits filed in 2024, a total of 66 were filed in district courts in New York, representing about 29.8% of all 2024 federal court securities suit filings, and 64 were filed in district courts in California, representing about 29% of all 2024 federal court securities suit filings. Of the 222 federal court securities lawsuit filings, a total of 130 were first-filed in either California or New York federal district courts, representing about 59% of all 2024 federal court securities class action lawsuit filings.

The 2024 federal court securities class action lawsuits were filed against a wide variety of different kinds of companies. The 222 federal court securities class action lawsuits were filed against companies in 100 different Standard Industrial Classification (SIC) codes. The SIC Code with the highest number of 2024 filings was the SIC Code Category 7372 (Prepackaged Software), which had 24 federal court securities class action lawsuit filings in 2024, representing about 10.8% of all 2024 federal court securities suits.

The SIC Code Group with the highest number of 2024 securities suit filings was the 283 SIC Code Industry Group (Drugs), which had 37 securities suit filings during the year, including 22 in the 2834 SIC Code category (Pharmaceutical Preparations). In addition to the 2024 filings in the 283 Industry Group, there were an additional ten securities suits filed in the 384 SIC Code Industry Group (Surgical and Medical Instruments). Together lawsuits against companies in these two groups totalled 47 federal court securities suit filings in 2024, meaning that 21.1% of the total number of 2024 suits were filed against biotechnology companies.

Companies in the 737 SIC Code Industry Group (Computer Programming and Data Processing) collectively had 36 securities lawsuit filings in 2024, meaning that lawsuits filed against companies in the high technology industry represented 16.2% of all 2024 federal court securities class action lawsuit filings.

There was a total of 83 securities lawsuits filed in 2024 against companies in the biotechnology and high tech industry groups taken collectively, meaning that during 2024, lawsuits against companies in these two industry groups represented 37.3% of all federal court securities class action lawsuit filings.

Of the 222 federal court securities class action lawsuit filings in 2024, 37 were filed against companies either organized under the laws of a country outside the United States or that have their principal place of business outside the U.S. The companies named in these suits represented 16 different countries. The countries with the highest number of 2024 securities suit filings were the United Kingdom, with 7; and Israel and China, with five each.

2024 was an Active Year for U.S. Supreme Court Securities Law Cases – Although Not Nearly as Active as it Promised to Be

2024 was an active year for the U.S. Supreme Court’s consideration of securities law cases – although not nearly as active as it looked like it was going to be. The Supreme Court did issue opinions in two important securities law cases, as discussed below. But in connection with two other cases the Court had agreed to consider during the current term, the Court dismissed the cases – without issuing substantive opinions – after the cases had been fully briefed and argued.

The first of the cases in which the Court did issue an opinion during 2024 was Macquarie Infrastructure Corp. v. Moab Partners L.P. As discussed in detail here, on April 12, 2024, in a short, unanimous opinion written by Justice Sonia Sotomayor, the U.S. Supreme Court held that a failure to disclose information required under Item 303 of Regulation S-K, standing alone, is not an actionable omission under Section 10(b) of the Exchange Act and Rule 10b-5 thereunder. The Supreme Court said that in the absence of an affirmative statement rendered misleading by the omission, an Item 303 violation alone is not sufficient to state a claim under Rule 10b-5. As the Supreme Court opinion put it, “pure omissions are not actionable under Rule 10b–5.”

This Macquarie case had the potential to produce a significant holding that could have affected many liability actions under the U.S. securities laws; if the Court had ruled in favor of the plaintiffs and held that pure omissions cases were actionable, it could have significantly affected many cases and indeed could have perhaps encouraged many more cases to be filed.

As it turned out, however, with the Court rejecting the position that the plaintiffs had urged the court to adopt, the case likely will have a more modest impact. At a practical level, the court’s opinion rejecting plaintiffs’ attempt to rely on Item 303 is unlikely to affect the number of securities cases filed. While plaintiffs’ lawyers frequently include Item 303 omission allegations in securities complaints, their complaints rarely allege only Item 303 omissions (indeed, the complaint in the Macquarie case itself alleged multiple violations of which the alleged Item 303 omissions were only one).

The likeliest impact is that the decision in this case will cause plaintiffs’ lawyers to alter the way they plead Item 303 allegations – plaintiffs’ lawyers are likely to replead Item 303 omissions cases as “misleading statement” cases. Intriguingly, by emphasizing that it was only considering pure omission cases, the Court expressly did not consider the pleading requirements with respect to cases alleging “half-truths,” leaving an issue for another day.

The second of the two cases in which the Court issued substantive opinions during 2024 was the SEC v. Jarkesy case. As discussed in detail here, on June 27, 2024, the U.S. Supreme Court held in the Jarkesy case that, in light of the Seventh Amendment’s right to a jury trial, the SEC must pursue enforcement actions seeking civil penalties in a jury trial proceeding in federal court rather than in an action before an administrative law judge.

The Court’s opinion in the Jarkesy case is a landmark decision with important implications for the SEC’s future enforcement efforts. As Justice Gorsuch noted in his concurring opinion in this case, the SEC has frequently used its in-house administrative courts to pursue enforcement actions, where it has prevailed with much greater frequency than it has in civil actions in federal court. According to Justice Gorsuch, the SEC has won about 90% of its contested in-house proceedings compared to 69% of its cases in court. Without the ability to pursue claims in what has been for the SEC a more hospitable forum, the agency at a minimum may not prevail as frequently, and perhaps might even pursue fewer enforcement actions.

The Court’s Jarkesy decision could also have important ramifications for other agencies’ abilities to pursue proceedings within their bailiwick in their own administrative courts. As Justice Sotomayor noted in her dissenting opinion, Congress has enacted more than 200 statutes authorizing dozens of agencies to impose civil penalties for violations of statutory obligations. At least in statutory proceedings involving actions that are analogous to common law claims, the defendants in these actions potentially could argue that they are entitled to a civil court jury trial rather than an administrative proceeding and seek to have their claims dismissed. Potentially, the enforcement efforts of federal agencies generally could be significantly undermined, or at minimum substantially altered. 

The Court addressed the Macquarie and the Jarkesy cases as part of its prior court term, ending in June 2024. As part of the Court’s current term, which commenced in October 2024, the Court had agreed to take up two additional securities law cases. Corporate and securities law observers and commentators were excited that the Court had agreed to take up the two cases – the Facebook Cambridge Analytica case and the Nvidia case – as both had significant potential to provide insights about securities lawsuit pleading standards and processes.

However, as noted here, in November 2024, the court dismissed the Facebook Cambridge Analytica case. Then, in a terse, one-line December 11, 2024, order, the Court dismissed the Nvidia case, the second of the two cases, meaning that instead of addressing two securities law cases during the current term, the Supreme Court did not and will not consider any securities cases. A copy of the Court’s December 11, 2024, order in the Nvidia case can be found here.

The Facebook case had arisen out of the Facebook-Cambridge Analytica User Data Scandal. Cambridge Analytica allegedly improperly used Facebook user data to target voters in connection with the 2016 U.S. Presidential election. Whistleblower-based news reports revealed the extent of Cambridge Analytica’s use of the data, and its continued use of the data even after Facebook had become aware of the misuse and had asked Cambridge Analytica to destroy the data. In the consolidated securities litigation that followed, the claimants raised several allegations; of greatest relevance to the issues the Supreme Court agreed to take up, the plaintiffs alleged that the company in its risk factor disclosures had referred to the risks to the company of an unauthorized user data disclosure, but had presented the risk as hypothetical when in fact it had already materialized.

In the Nvidia case, the plaintiff shareholders alleged that Jensen Huang, the company’s CEO, knowingly understated the extent to which demand for certain of the company’s GPUs was being driven by cryptocurrency miners (as opposed to demand from gamers). In order to support their claims, the claimants cited not internal documents or witness statements, but rather relied on expert witnesses to analyze public data about activities of the crypto mining companies, using assumptions about the amount of computing power needed to facilitate the disclosed activities, and from that estimating the number of GPUs needed for the activity and what percentage of those GPUs would have been NVIDIA’s. Among other things, the Court agreed to take up the question of the extent to which claimants may satisfy the PSLRA’s requirements to plead falsity in reliance on expert testimony. The court also agreed to take up the question whether a plaintiff relying on documents to plead scienter must specify the contents of those documents.

Both cases were fully briefed and argued. (The court heard oral argument in both cases in November 2024.) However, in the days following oral argument, the Court entered nearly identical terse one-line orders dismissing the cases, saying only that the writ of certiorari in the cases had been “improvidently granted.” As is customary with such actions, the Court provided no further explanation.

The immediate practical effect of the Court’s dismissal of the cases is that the Ninth Circuit’s rulings in the two cases, in which the appellate court had in each case sustained the plaintiffs’ cases, at least in part, will stand. The portions of the two cases that the appellate court had sustained will now go forward for further proceedings.

The other immediate practical effect of the Court’s dismissal of the two cases is that the Supreme Court will now not be issuing substantive opinions on the issues that the two cases raised. The dismissals mean that important legal questions regarding securities fraud and disclosure requirements remain unresolved at the highest judicial level. This could lead to continued uncertainty and variability in how lower courts interpret and apply securities laws. The lack of definitive rulings from the Supreme Court in the two cases potentially could encourage more securities litigation, as plaintiffs may feel emboldened by the Ninth Circuit’s rulings in the two cases that were left standing.

There arguably is another important potential implication from the Court’s dismissal of the two cases. The dismissals could be interpreted to suggest a possible hesitance by the Supreme Court to engage in securities law disputes. If this view is correct, the implication could be fewer securities law cases being taken up by the Court in the near future.

AI Emerges as a Significant Corporate and Securities Litigation Risk

Since OpenAI launched ChatGPT in November 2022, the race to capitalize on emerging artificial intelligence (AI) technologies has super-charged the financial markets. The stock prices of AI-associated companies, such as Nvidia and Broadcom, have soared. Several AI-related companies – such as, for example, Astera Labs and Rubrik – successfully completed IPOs in 2024, one of the main reasons that the IPO market showed signs of life during the year.

With interest in AI surging in the financial markets, many companies want to try to catch some of the lightning for themselves. However, what companies say about AI, their AI capabilities, and their AI prospects could have significant consequences for the companies’ corporate and securities litigation risks, as well as for their risks of regulatory scrutiny. During 2024, a number of different companies faced either SEC enforcement action or private securities class action litigation based on their alleged statements about their AI-related capabilities or prospects.

In December 2023, SEC Chair Gary Gensler specifically warned against AI-related misrepresentations, and cautioned reporting companies against so-called “AI-washing,” echoing concerns about climate change-related “greenwashing,” and referring to companies that attempt to burnish their investment profile with outsized claims about their AI-related opportunities. More recently, then-SEC Enforcement Director Gurbir Grewal warned about the potential for AI-washing to mislead investors, harm consumers, and violate the securities laws.

These warnings have been followed by SEC enforcement activity, including at least one enforcement action involving a publicly-traded company. As discussed here, in September 2024, the SEC filed a civil enforcement action against the former Chairman and CEO of Kubient, alleging that in connection with the company’s IPO and in other statements, the CEO and others had inflated the company’s revenues and also misrepresented the capabilities of its supposedly AI-powered product, which the company promoted for its alleged ability to detect ad fraud in the digital advertising industry. The SEC alleged that the company’s claims about its product were false. Interestingly, the SEC’s civil action was accompanied by a parallel U.S. Department of Justice action against the former CEO.

In addition to the action against Kubient, the SEC has also brought a number of other enforcement actions against investment advisers (as discussed, for example, here) and other commercial companies (see, for example, here), in each case alleging that the target companies misrepresented their use of AI or the AI-related capabilities of their products or services.

The Federal Trade Commission (FTC) has also been active in pursuing companies for allegedly false AI-related claims. As discussed here, in September 2024, the FTC announced that it had launched an initiative called Operation AI Comply as part of a “crackdown against deceptive AI claims and schemes.” The agency also announced five enforcement actions the agency has launched against “operations that use AI hype or sell AI technology that can be used in deceptive and unfair ways.” The agency’s initiative highlights the regulatory scrutiny companies can face with respect to their AI-related operations and marketing.

In addition to the SEC’s and FTC’s enforcement actions, there also were a number of AI-related private securities class action lawsuits filed in 2024. According to the Stanford Law School Securities Class Action Clearinghouse website (here), there were a total of 13 AI-related securities class actions filed in 2024. A typical example of these suits is the securities class action filed in July 2024 against the Israeli-based online cosmetics company Oddity. As discussed here, the claimant alleges that the company overstated the extent to which AI processes and tools enhanced its delivery of consumer services.

The Oddity lawsuit and most of the other AI-related securities lawsuits filed in 2024 were more-or-less AI-washing-type suits. That is, the plaintiffs in these cases alleged that the defendant companies had overstated their AI capabilities or prospects. Obviously, there is significant risk that more of these cases could be filed in the months ahead. There is another, different type of AI-related lawsuit that could materialize in the future, and that is a lawsuit based not on a company’s overstatement of its AI-related capabilities or prospects, but rather on the allegation that the company understated its AI-related risks. The risks involved might not only relate to the company’s own use of AI, but also to the company’s competitors’ use of AI.

An example of the kind of circumstances that might be involved in these kinds of lawsuits pertains to the online homework services company, Chegg. Chegg’s fortunes rose during the pandemic, as stay-at-home students became dependent on the company’s homework help services. However, more recently, the company’s prospects declined and its share price has dropped more than 99%. As discussed in a November 9, 2024 Wall Street Journal article (here), the company’s former and prospective future customers have turned to ChatGPT, which has provided AI-powered homework help that seemingly captured the market. There has been no lawsuit filed against Chegg based on these events, but the sequence shows how AI-related risks can affect a company, and highlights the fact that AI-related risks are not limited solely to the company’s own use of AI.

There are other potential sources of AI-related risk for companies, having to do with regulatory and legislative initiatives, particularly the EU’s Artificial Intelligence Act, which the European Parliament approved in March 2024. The Act seeks to classify and regulate AI applications based on their risk to cause harm, with the highest risk level uses banned entirely, and other high-level risk uses subject to security, transparency, and quality requirements. The Act applies to both suppliers and users of AI within the EU. It can apply to companies from outside the EU if they have products or services within the EU. Many of the Act’s provisions will stage in over the next two years. The newly created EU AI Office will oversee the Act’s implementation and enforcement. The consequences for noncompliance can be significant, with penalties of up to €35 million or 7 percent of global revenue, depending on the type of violation and size of the company. With potential penalties that large, the risk attendant to the Act extends not only to enforcement but also to the possibility of a follow-on civil action brought by investors alleging that management misrepresented their company’s compliance with the Act or violated their duty of care with respect to the implementation of the Act.

There have also been AI-related legislative developments in the U.S. While there is no comprehensive AI-related legislation at the federal level, the legislatures of several U.S. states – including California, Colorado, Illinois, New York, Utah, and Virginia – have enacted or are considering legislation that seeks to regulate AI in some way. These laws generally focus on transparency, accountability, and protecting consumer rights, particularly regarding data privacy and protection against discrimination. They often require businesses to disclose AI usage, obtain consent, and ensure their AI systems do not produce biased or unfair outcomes.

In short, as companies attempt to navigate their way through the rapidly evolving technological environment, they also face a host of corporate and securities litigation-related risks, as well as a complex regulatory environment. The likelihood is that we will continue to see AI-related litigation, as well as regulatory enforcement action, in the months and years ahead. A wild card, of course, is the extent to which the policies of the incoming administration will impact the regulatory and enforcement environment.

ESG as a Source of D&O Risk Continued to Evolve in 2024

ESG has been a perennial D&O hot topic for years, but the nature of ESG as a source of D&O risk exposure has changed significantly during that time. When ESG first emerged as a D&O concern several years ago, it arose because companies felt pressured to burnish their sustainability qualifications. However, some companies soon faced so-called “greenwashing” claims, in which it was alleged that the companies had overstated their green credentials. In addition, an ESG “backlash” developed in certain U.S. states, with conservative politicians pushing back against a supposed ESG agenda. At that point, some companies found it expedient to try to lower their ESG profile, a development that has been called “greenhushing.”

ESG as a topic and as a source of potential D&O exposure continued to evolve in 2024. Perhaps no development symbolizes the change more than the news, which emerged in September 2024, that the SEC had quietly disbanded its ESG and Climate Change Task Force. The Task Force had been announced with a great deal of fanfare in March 2021, with the mission of developing “initiatives to proactively identify ESG-related misconduct.”  At the time the disbanding of the Task Force became public, the agency tried to message that notwithstanding the dismantling of the Task Force, its ESG enforcement efforts would continue. But the closing down of the Task Force arguably symbolizes the extent to which the profile on ESG initiatives has changed.

Another 2024 development showing how the environment for corporate ESG initiatives has changed is that during the year, a number of prominent U.S. companies – for example, Ford, Harley-Davidson, and Walmart – under pressure from conservative activists, walked back or closed down their DEI initiatives. These efforts from conservative activists sustained a significant amount of momentum from the U.S. Supreme Court’s 2023 decision in Students for Fair Admissions v. Harvard College, in which the Court ruled that race-based policies should not be used in university admissions. As discussed in a December 28, 2024, Wall Street Journal article (here), the pressure against companies relating to DEI could increase in the Trump Administration.

Yet another significant ESG-related development during the year was the December 2024 decision of the Fifth Circuit, sitting en banc, striking down the SEC’s approval of Nasdaq’s board diversity guidelines, as discussed here. The Nasdaq guidelines were one of several high-profile initiatives announced in 2020, after the death of George Floyd, to address diversity concerns in corporate America. Prior court decisions had struck down other board diversity requirements; for example, both federal and state courts had previously struck down California’s board diversity statute. With the Fifth Circuit’s decision, it appears that mandated board diversity requirements are pretty much dead.

There were also significant developments in 2024 with respect to anti-ESG litigation. For starters, and as discussed here, in November 2024, a coalition of eleven conservative states’ attorneys general filed an anti-ESG action against the three largest institutional investors — BlackRock, Vanguard, and State Street — alleging that as part of their ESG-related efforts the three conspired in violation of the antitrust laws to restrict the U.S. production of coal.

With respect to pending anti-ESG litigation, and as discussed here, in the securities class action lawsuit filed against Target in connection with the company’s disclosures of its Pride Month-themed marketing initiative, in December 2024, the court denied the defendants’ motion to dismiss, holding that the plaintiff’s allegations were sufficient to survive the initial pleading hurdles.

However, and characteristic of the way ESG has developed over time, not all of the 2024 ESG developments pointed in only one direction. For starters, the SEC brought a number of ESG-related enforcement actions – including several filed after the ESG Task Force was disbanded. For example, in September 2024, the SEC filed a settled enforcement action against Keurig Dr. Pepper, in which the agency alleged that the company had misleadingly claimed that its single-serve pods, known as K-Cups, could “effectively” be recycled. The company neither admitted nor denied the allegations but did agree to pay a $1.5 million civil penalty. After it disbanded the Task Force, the agency also filed at least two enforcement actions against investment firms in connection with the firms’ allegedly misleading statements about their ESG-related funds or investments, as discussed here and here.

There were also important developments, contrary to the overall anti-ESG narrative, in other pending ESG-related lawsuits. For example, and as discussed here, on August 29, 2024, the DC Court of Appeals reversed a lower court’s dismissal of an action brought against beverage company Coca-Cola, in which the advocacy group plaintiff, Earth Island Institute, alleged that the company had violated the DC Consumer Protection Procedures Act (CPPA). The advocacy group had alleged that the company’s efforts to promote its sustainability efforts and goals amounted to greenwashing.

In addition, and as discussed here, in November 2024, a plaintiff shareholder filed a derivative lawsuit against the board of the athletic clothing company Lululemon, alleging that notwithstanding the company’s adoption of a DEI program, the company’s efforts were not “structured so as to meaningfully combat discrimination” at the company and that as a result the company’s employees continued to experience discrimination.

There were also other ESG-related lawsuits filed in 2024 that were contrary to the general run of anti-ESG actions. For example, as discussed here, in August 2024, the publishing and data company RELX was sued in a “greenwashing” lawsuit in which the claimant alleges the company misled investors about the company’s climate commitments and its climate-related actions.

In addition, and also in August 2024, in a lawsuit involving the “S” ESG pillar, the online retail platform firm PDD was sued in a securities lawsuit in which it was alleged that the company allowed products made in China using forced labor to be sold on its platforms, as discussed here.

In other words, notwithstanding the ESG backlash, companies are still being sued for failing to live up to the values that the ESG concept represents.

Indeed, other regulators are also continuing to pursue enforcement actions that reflect ESG-supportive values. For example, in February 2024, the New York Attorney General sued the Brazilian meat company JBS in connection with the company’s sustainability claims, including specifically the company’s net zero claims, as discussed here. Similarly, as discussed here, the Australian securities regulator has brought, and in March 2024 won, a “greenwashing” enforcement action, in which the regulator established that Vanguard’s Australian affiliate made misleading statements about its ESG-sorting processes for one of its index funds.

There is one other 2024 development that will have important ESG-related ramifications in 2025 and beyond, and that is the November 2024 election of Donald Trump as the next U.S. President. As noted in the first section above, Trump has already indicated his intent to nominate Paul Atkins as the next SEC Chair. Observers and commentators uniformly seem to believe that one step the agency is likely to take under Atkins is the withdrawal of the agency’s Climate Change Disclosure guidelines. The agency only just finalized the guidelines in March 2024, and since that time they have faced a legal challenge. The expectation is that under the new administration the guidelines will be withdrawn. Commentators also expect the agency under Atkins to be less focused on ESG-related enforcement actions.

However, even if the SEC guidelines are withdrawn, that is not the end of potential climate change disclosure requirements for many companies. The climate change disclosure guidelines that the California legislature adopted for companies “doing business” in the state remain on the books, for now at least. To be sure, the California statutes do face ongoing legal challenge.

But perhaps even more significantly, and notwithstanding the potential withdrawal of the SEC’s climate change disclosure guidelines and the pending legal challenge to the California laws, many U.S. companies will continue to face the E.U.’s disclosure requirements. On July 31, 2023, the European Commission adopted the first set of European Sustainability Reporting Standards (ESRS), as part of the EU’s Corporate Sustainability Reporting Directive (CSRD). The first set of reporting standards requires EU and non-EU companies with specified levels of EU activity to file annual sustainability reports with their financial statements. The standards will soon become law and apply in all 27 EU Member states, with some compliance requirements effective as early as 2025 for the 2024 reporting period. The ESRS set out detailed reporting requirements for EU companies, including general reporting requirements; a list of mandatory disclosure requirements related to the identification and governance of sustainability matters; and ten ESG-related topics on which disclosure is required, subject to a materiality assessment. It is estimated that as many as 3,000 North American companies will have to comply with the EU sustainability reporting requirements.

In other words, notwithstanding the anti-ESG backlash, ESG-related issues are not going away any time soon. It may be that ESG-related initiatives as such will change; it may even be that the ESG label itself will fade as it becomes politically expedient to drop the term. But even if ESG by that name disappears, it seems likely that the underlying initiatives will continue. Companies will continue to face competing pressures both from events and from competing interest groups. And companies likely will continue to face litigation and other investor or activist group initiatives relating to climate change, social justice, and corporate governance issues.

Cybersecurity Remains an Important D&O Risk Exposure

Just as is the case with respect to ESG, cybersecurity has been a perennial D&O hot topic in recent years. And just as the corporate risks associated with ESG have evolved in recent years, so too has the cybersecurity-related D&O risk changed.

One good place to start with respect to the question of cybersecurity as a source of D&O risk in 2024 is with the $350 million February 2024 settlement of the Alphabet Google+ securities class action lawsuit. As discussed here, the lawsuit related to the company’s disclosures concerning alleged exposure of personal profile data of users of the Google+ social media site. The case had initially been dismissed, but after the Ninth Circuit reversed the dismissal, the parties reached the $350 million settlement, which is as far as I know the largest ever cybersecurity-related securities class action lawsuit settlement.  The Alphabet Google+ settlement certainly underscores the fact that cybersecurity remains a significant source of potential corporate and securities litigation exposure.

Settlements like the one in the Alphabet case will continue to motivate the plaintiffs’ lawyers, and indeed, as detailed on the Stanford Law School Securities Class Action Clearinghouse website (here), the plaintiffs’ lawyers have continued to file these kinds of suits. To be sure, while these kinds of lawsuits do continue to be filed, they have never really been filed in the volume that many have long expected. It seems that the circumstances involved when many companies announce a data breach lack a key factor the plaintiffs need to pursue these kinds of cases; that is, because the financial markets are so inured to news of a data breach, the share price of the target company often does not move significantly in response to news of the breach. The plaintiffs’ lawyers are simply less interested in a prospective lawsuit that does not involve a significant share price decline.

What has been interesting in recent months has been the way that the kinds of things the plaintiffs’ lawyers allege has changed. Arguably, this change has simply followed events.

First, in late July 2024, the cybersecurity firm CrowdStrike was hit with a securities class action lawsuit related to the massive global IT outage for which CrowdStrike is alleged to have had responsibility. The plaintiff in the case alleges that the company’s market capitalization fell by $12 billion in the wake of news surrounding the outage. The complaint alleges that during the class period, the defendants misled investors as they “repeatedly touted the efficacy” of the company’s Falcon software platform, “while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified.’”

It could be argued that the new CrowdStrike lawsuit is not a cybersecurity-related lawsuit at all, as it does not involve an intrusion or breach, nor does it involve a hostile actor. Nevertheless, the underlying incident did involve massive IT systems’ disruption – not in the defendant company’s own systems, but rather in the systems of the company’s customers and other third-parties. The involvement of the systems disruption does at some level make the new lawsuit network systems security-related. The absence of underlying hostile actions by a malicious third-party actor makes the lawsuit an interesting new variant in the evolution of network security-related litigation.

Second, in August 2024, the ecommerce company PDD Holdings (formerly known as Pinduoduo) was sued by investors in a securities class action lawsuit which alleges that apps that the company developed and maintains introduced malware into the company’s customers’ devices. The malware allegedly overrode the devices’ security controls and allegedly allowed the company to access user information on the devices, including text messages. When these allegations came to light in news reports, the company’s share price declined. The plaintiff in the case alleges, among other things, that the company misrepresented its protocols and processes for protecting user privacy and for complying with applicable privacy-related laws and regulations.

The new lawsuit against PDD also represents an interesting new variant in cybersecurity-related securities litigation. This new lawsuit also does not involve a hostile third-party actor, as no third-party action is alleged. Instead, the hostile actor involved allegedly is the defendant company itself, which allegedly installed malware on its customers’ devices. These two new cases reflect different types of circumstances that did not involve an intrusion or a hostile third-party actor but that nevertheless resulted in IT security-related claims.

In addition to the changing trends in cybersecurity-related securities class action litigation, there have been developments in SEC cybersecurity-related enforcement activity as well.

For example, and as discussed here, in July 2024, the SEC brought a settled civil enforcement action against the U.K.-based and U.S.-listed business communications provider R.R. Donnelley & Sons, in which the agency alleged, in connection with cybersecurity incidents the company suffered in late 2021, that the company’s accounting and disclosure controls were deficient. The company, which the SEC credited for its cooperation and remedial measures, agreed to pay a $2.125 million civil penalty and voluntarily adopted corrective processes and procedures.

Second, in a July 2024 decision in the SEC’s enforcement action against SolarWinds, the district court presiding in the action dismissed a claim nearly identical to the one asserted in the R.R. Donnelley case. The court held that the failure to detect a cybersecurity deficiency cannot reasonably be construed as an accounting problem. The court held that internal accounting controls are controls to ensure that companies “accurately report, record, and reconcile financial transactions and events,” and a “cybersecurity control” does not “naturally” fit within the term “internal accounting controls.” The court dismissed the SEC’s allegations that the company had ineffective accounting controls. Though the court did allow some claims related to misleading statements in SolarWinds’ “Security Statement” to proceed, the court’s decision in the SolarWinds case is a setback in the SEC’s efforts to enforce corporate cybersecurity controls.

In addition, and as discussed here, in October 2024, the SEC announced that it had filed settled charges against four companies for alleged misleading disclosures concerning cybersecurity incidents at the companies. The charges against the companies arose out of the SEC’s investigation of companies potentially affected by the compromise of SolarWinds’ Orion software. One of the four companies was additionally charged with disclosure controls and procedures violations. Without admitting or denying the SEC’s charges, each company agreed to the entry of a cease-and-desist order against them. The companies agreed to pay civil penalties ranging from $4 million to $990,000.

Probably the most important cybersecurity development during 2024 with respect to D&O risk has been the implementation of the SEC’s new cybersecurity disclosure guidelines, which took effect in December 2023. The guidelines are complex but have two general requirements – first, that companies must regularly report on their cybersecurity governance and oversight processes; and second, that companies must report cybersecurity incidents within four days after the companies have determined that the incidents were material. A comprehensive December 2024 survey by the Paul Hastings law firm showed that between December 18, 2023 and October 31, 2024, 48 companies made 75 cybersecurity incident disclosures, representing, according to the survey, a 60% increase in the number of cyber incidents reported to the SEC.

Cybersecurity is yet another area where there are questions about what approach the incoming administration will take. A number of public commentators have suggested (as discussed, for example, here) that the SEC under Paul Atkins may withdraw or decline to enforce the cybersecurity disclosure guidelines, or at least some of their specific aspects or requirements. It also seems likely that the agency will take a different approach in at least some respects to cybersecurity enforcement. Several of the enforcement actions discussed above featured dissenting opinions from the agency’s Republican Commissioners criticizing the agency’s actions. For example, in the R.R. Donnelley case the dissenters criticized the agency’s action in treating cybersecurity controls as accounting controls (which of course was one of the concerns in the SolarWinds case discussed above). The dissenting opinions suggest that in the incoming administration the agency will take a different enforcement approach with respect to cybersecurity than under outgoing chair Gary Gensler.

The bottom line is that cybersecurity as a source of D&O risk has changed and likely will continue to change in the months ahead. The one thing that is for sure is that cybersecurity will remain a hot button issue. It also seems likely that plaintiffs’ lawyers will continue to push the envelope in certain cases when it comes to information and network security and privacy issues.

Breach of the Duty of Oversight Claims Remain a Hot Topic

For many years, Delaware’s courts emphasized that duty of oversight claims (often known as Caremark claims) involve “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” However, in a line of cases beginning with the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, Delaware courts have sustained a number of different plaintiffs’ assertion of breaches of the duty of oversight. 

The high water mark for these kinds of cases arguably was the Boeing 737 Max air crash case, which survived a motion to dismiss and ultimately settled for $237.5 million (all of which was funded by D&O insurance). During 2024 there was also yet another significant breach of the duty of oversight case settlement; as discussed here, in October 2024, the parties to the Walmart opioid-related shareholder derivative claim, which raised claims for the breach of the duty of oversight against Walmart’s board, settled for $123 million. 

The success of some Caremark claims encouraged more claimants to file duty of oversight claims, a development that apparently set off alarm bells in the Delaware courts. The more recent result has been a series of cases in which the Delaware Chancery Court has emphatically shot down would-be duty of oversight claims.

For example, as discussed here, in December 2023, Vice Chancellor Lori Will granted the defendants’ motion to dismiss in the Segway case. Similarly, in February 2024, and as discussed here, VC Will granted the defendants’ motion to dismiss in the Walgreens Boots Alliance case. These two cases are similar in that in each case the court emphasized the high bar to establish liability in Caremark cases. In the Walgreens case, VC Will bemoaned the “proliferation” of lawsuits alleging breach of the duty of oversight, observing that while there may be the “rare event” when directors “cross the red line of bad faith,” and liability can arise, “more harm than good comes about if Caremark claims are reflexively filed” whenever the company “encounters an adverse circumstance.”

Similarly, in July 2024, in Bricklayers Pension Fund of Western Pennsylvania v. Brinkley (Centene), Vice Chancellor Morgan Zurn granted the defendants’ motion to dismiss the plaintiff’s breach of the duty of oversight claims against the Centene board, in yet another opinion that emphasizes the high bar for Caremark liability. The board, she found, had accepted management’s statements that the compliance risks “were being handled,” and the board “did not make a conscious decision to violate the law,” adding that “A bad outcome, without more, does not equate to bad faith.”

While these three recent Delaware Chancery Court decisions dismissing breach of the duty of oversight cases highlight the difficulty for claimants of maintaining breach of the duty of oversight claims, there nevertheless have been subsequent rulings in which breach of the duty of oversight claims have been sustained.

For example, as discussed here, in September 2024, in a breach of the duty of oversight case filed against the board of Wells Fargo, the court denied in part the Wells Fargo defendants’ motion to dismiss in the case. Of importance here, the court in that case sustained the claimants’ allegations that the Wells Fargo directors breached their duties by failing to oversee the company’s allegedly discriminatory lending practices. It is worth noting that while the court applied Delaware law in reaching the ruling, the court that sustained the breach of the duty of oversight claims was not the Delaware Court of Chancery, but rather the United States District Court for the Northern District of California.

Similarly, and as also discussed here, in August 2024, the United States District Court for the Northern District of Illinois, applying Delaware law, sustained breach of the duty of oversight claims against the board of Abbott Labs with respect to the safety of the company’s infant formula products.

The bottom line is that notwithstanding recent Delaware Chancery Court skepticism toward breach of the duty of oversight claims, there is life for these kinds of suits, at least in some cases – including in cases filed outside of the Delaware state courts.

The potential continued viability of these kinds of suits may be relevant in another way; that is, there has been a great deal of speculation that oversight duty breach cases could emerge from the current litigation risk exposures, such as, for example, with respect to cybersecurity, ESG, and AI. There could well be future claims involving these issues and alleging the breach of the duty of oversight. Whatever else might be said, it seems to remain the case that breach of the duty of oversight claims remain difficult to sustain.

Geopolitical Concerns Increasingly Contribute to D&O Risk

We live in a time of significant geopolitical risk, from the highly volatile conditions in the Middle East, to the ongoing war in Ukraine, to continuing tensions in the South China Sea, among many other concerns. As I noted in the first section above, the incoming Trump administration’s trade policies, including the imposition of tariffs, could exacerbate geopolitical tensions. These concerns have important ramifications, including, among other things, as a source of potential D&O liability exposure. In prior posts on this site (for example, here), I have highlighted ways that geopolitical issues, such as, for example, trade sanctions, can translate into corporate and securities litigation. During 2024, there were additional concrete examples where these kinds of factors contributed to corporate and securities litigation.

As discussed here, in October 2024, plaintiff shareholders filed a securities class action against the technology company Super Micro Computer. The lawsuit filing followed, and significantly relied upon, the publication of a short seller report which alleged a variety of financial shortcomings at the firm. In addition to the alleged accounting misconduct, the report also alleged that the company had violated U.S. export controls. The report alleged that despite the company’s claims of having halted sales to Russia following the 2022 invasion of Ukraine, the company had circumvented U.S. export controls between February 24, 2022, and June 30, 2024. During this period, the report alleged, the company’s sales to Russia surged, allegedly with $210 million in products shipped to the country.

A separate securities class action lawsuit filed in December 2024 provides another example of the ways in which trade and sanctions issues can lead to securities litigation. The case involves Joint Stock Company Kaspi.kz, a Kazakh based firm whose operations include a bank and an online consumer product sales platform. The lawsuit against Kaspi.kz also followed a negative report from a short seller. As discussed at length here, in its SEC filings, the company claimed it had no exposure to Russia or Russian businesses. The short seller report alleged that the company’s platforms were being used for unlawful purposes, including assisting Russians with evading sanctions in the wake of the 2022 Russian invasion of Ukraine. The short seller report also alleged that the company’s banking services were being used by Russians for money laundering purposes.

In addition to these two 2024 examples, in a post I published in late 2023, I noted the securities class action lawsuit filed against memory storage device company Seagate Technology Company, after the company agreed to a $300 million Department of Commerce penalty for export control violations pertaining to the Chinese company Huawei.

The litigation risk arising from geopolitical concerns is not limited just to issues involving export controls. International trade regulatory regimes have become increasingly important for companies and their executives. These regulatory regimes include U.S. sanctions, anti-money laundering (AML), and anti-bribery and corruption laws. Recent developments, such as the War in Ukraine, trade tensions with China, and issues involving digital assets have heightened these concerns. Violations of these regimes can result in regulatory enforcement actions as well as in related civil litigation. The cases discussed above show how these concerns can translate into securities litigation.

As I have previously pointed out, the prospect for securities litigation arising out of trade sanctions and export control-related issues is not necessarily new; there have been examples of corporate and securities lawsuits arising out of trade sanction and export control issues over the last several years. However, in the current tense geopolitical environment, all of these concerns loom larger.

Not only that, but the topic of geopolitical risk is one that is about to get a lot more complicated, if, for example, incoming President Trump follows through on his threats to impose tariffs on many U.S. trading partners. Any move along those lines could hazard a global trade war, and an already complex geopolitical risk environment would become even more fraught – which among many other things could contribute significantly not only to operating risks but also to potential corporate and securities litigation exposures for many companies.

In short, while I have long thought that geopolitical risks represent an important area of corporate and securities litigation risk, that risk could become significantly greater as we head into 2025 — and beyond.

D&O Insurance Buyers Enjoy A Favorable Marketplace, For Now

With all that is going on in the D&O liability arena, it might well be expected that underwriters might pull back or even seek to raise prices in the months ahead. However, and despite everything discussed above, the D&O insurance marketplace remains competitive, with most buyers enjoying relatively advantageous pricing for relatively broad terms and conditions.

To understand what is going on, we have to go back a few years, to the 2019-2021 timeframe. Following years of underpricing and after years of claim reserve strengthening, the D&O insurers were experiencing widespread underwriting losses. For most buyers during this period, their D&O insurance costs increased, in some cases dramatically, and in many cases their self-insured retentions increased as well. In short, the industry was in what is known as a “hard market.” The hard market conditions coincided with a boom in the financial markets, including significant IPO and SPAC activity, meaning there was significant demand for insurance as well.

The insurance business is cyclical, and the hard market conditions that prevailed during the period 2019-2021 eventually gave way as the industry moved to the next phase in the cycle. The hard market pricing conditions attracted new capital and new market participants. The arrival of the new capacity coincided with the collapse of the market for IPOs and SPACs, meaning that as insurance supply expanded, insurance demand declined. Abundant supply and diminished demand meant that competition returned to the D&O insurance marketplace. Starting in early 2022, many buyers saw their management liability insurance costs drop compared to the hard market years.

The softening market conditions that began in 2022 continued through 2023 and on into 2024, although the extent of the pricing reductions for many buyers has levelled off somewhat in more recent periods. Most D&O insurance buyers are continuing to see their overall insurance costs decline slightly, with even companies that have had issues or complications seeing flat renewals. Of course, financially troubled companies, companies in certain disfavored industries, and companies with complex claims histories may face a more challenging marketplace, but for most other buyers the D&O insurance marketplace has been and remains relatively benign.

There are some industry observers who have been saying that they anticipate the possibility of marketplace tightening in 2025. There are voices in the D&O space (as there always are when the insurance market is in the soft phase of the cycle) saying that the price decreases have gone too far and have fallen below risk-based pricing levels. Perhaps these concerns could cause the D&O insurance market to shift to the next phase of the cycle. However, it is important to remember that — at least historically — the soft market phase of the cycle generally lasts a lot longer than the infrequent and usually brief hard phases of the cycle. It probably should also be noted that the most important cause of the current softer market conditions – that is, abundant insurance capacity – remains fully in place, meaning that a significant move toward a harder market in 2025 could be unlikely.

The laws of supply and demand generally control the D&O insurance marketplace, and at the current moment supply remains ample. For the moment, at least, generally competitive conditions remain in effect, and it remains a favorable pricing environment for most D&O insurance buyers. What the future may bring remains to be seen.

A Final Note: Those of you keeping score at home may have noticed that although this post’s title refers to the “Top Ten” stories, I have only set out nine stories above. To try to bring the number up to a nice, round total of ten stories, I had drafted up two alternatives for the tenth slot. But in the end I decided to reject both alternatives, as I didn’t think the topic of either qualified as a “top” story, and I also feared that including either would make an already lengthy blog post even longer. I kept the traditional article title though, because “Top Ten” has a better ring to it than “Top Nine.” I apologize to anyone that feels short-changed.