In the following guest post, Stephen Hourigan presents his view that Delaware’s courts have reimagined the role of Corporate Boards’ Audit Committees, yet the D&O insurance underwriting approach has yet to catch up to these changes. Stephen is the Founder and CEO of Penguin AI. We would like to thank Stephen for allowing us to publish his article as a guest post on this site. Here is Stephen’s article.

*****************************

“Tools D&O Carriers Use to Assess Governance Risk Were Built for a Doctrine That No Longer Exists”

For D&O carriers, the audit committee has always been the linchpin of governance risk assessment. A functioning audit committee — independent, well-composed, meeting regularly — has been the primary indicator that a board is exercising meaningful oversight. It is the structure that governance rating agencies score, that renewal questionnaires probe, and that underwriters use as the proxy for whether a board actually knows what it needs to know.

That proxy is no longer sufficient. The four most consequential governance failures of the past decade prove it.

The Structural Problem No Rating Captures

Every major Caremark claim of the past decade traces to a single structural failure: the audit committee did not receive the information it needed, when it needed it, through a channel independent of management. Not because the committees didn’t exist or weren’t independent. But because every reporting system available to them passed through the management layer before it reached the boardroom — and in each case, that management layer had both the motive and the authority to shape what arrived.

MSCI, ISS, and carrier renewal questionnaires assess structural governance characteristics. They ask whether the audit committee exists, has independent members, meets with appropriate frequency, and whether the company has an ethics hotline. These are meaningful questions. They are also the wrong questions for the risk environment Delaware’s courts have created.

Boeing and Wells Fargo: The Pattern Established

By 2016, Boeing’s engineers were raising written concerns about the 737 MAX’s MCAS system. The signals were specific, documented, and traceable. They stopped at program management. The board’s Safety Committee met regularly and never saw them. The DOJ resolution reached $2.5 billion; the Caremark derivative settlement reached $237.5 million — at the time one of the largest in Delaware history.

Boeing’s governance ratings were strong the day before the crashes. Every structural indicator said the board was functioning. The functional reality was the opposite.

Wells Fargo’s fake accounts scandal ran from at least 2011 through 2016. The ethics hotline was operational. Every channel functioned as designed — routing employee intelligence through the Community Banking management layer whose compensation was tied to the very targets driving the fraud. The board’s first material signal about the conduct’s scope came from the Los Angeles Times, more than two years after the pattern was established in the company’s own systems.

The OCC’s response was unprecedented: civil money penalties assessed against individual board members. The regulatory message was unambiguous — the existence of a reporting system is not sufficient. The question is whether that system is structurally independent of the management layer being reported against. Wells Fargo’s governance infrastructure satisfied every conventional metric. The DOJ resolution reached $3 billion.

Walmart and McDonald’s: The Doctrine Hardens

In Walmart’s case, the company’s own internal investigator concluded in 2005 that bribery allegations in Mexico were credible and recommended aggressive independent investigation. Senior legal leadership redirected the investigation back to the implicated executives. The audit committee operated for six years on a version of events management had prepared for it.

The Delaware court’s response produced what is now the governing standard: a compliance program that management can bypass is not a functioning monitoring system. Boards cannot satisfy Caremark obligations through reporting structures management controls.

McDonald’s extended that requirement further still. The 2023 Delaware Chancery ruling established that individual officers carry direct Caremark liability for compliance failures within their own domains. The defendant universe in governance litigation expanded materially — every named C-suite officer whose area includes a compliance function now carries personal fiduciary exposure for the same structural failure that produced board-level claims in Boeing, Wells Fargo, and Walmart.

The Question Carriers Should Be Asking

The carriers writing D&O coverage for public companies today are pricing governance risk against a Caremark doctrine that was last updated in their underwriting methodology before Walmart’s real-time monitoring mandate, before McDonald’s officer liability extension, and before Boeing’s $237.5 million demonstration that a structurally isolated audit committee is not a defense — it is the claim.

The static annual governance snapshot — whether from MSCI, ISS, or a renewal questionnaire — was adequate for a legal environment where Caremark claims were rare. It is not adequate for the environment Delaware’s courts have created over the past decade.

The right question at renewal is not whether the audit committee exists and meets. It is whether the audit committee has access to management-independent, authenticated, real-time intelligence from the organizational front line — and whether a contemporaneous record exists demonstrating that management actually responded to what the board’s oversight system surfaced.

Each of the four companies in this analysis would have answered no to that question. Their governance ratings would have suggested otherwise.

The gap between what Delaware requires and what carriers currently assess is unpriced risk sitting in every D&O book today. The carriers who close that gap first will see the next Boeing or Wells Fargo in their renewal data rather than in their claims reports.

The audit committee has been reimagined by the courts. The underwriting methodology hasn’t caught up yet.

Stephen Hourigan