When we prognosticated on D&O risks at the start of 2016, we highlighted three developments we thought could change the game for directors and officers (D&O) risk: economic headwinds, individual accountability and disruptive change. (See “A Perfect D&O Storm”). We were right – 2016 was a tough year. Securities claims, anticorruption enforcement and M&A litigation exposure trended up; enforcement responded to the promise of the Yates Memo; and several industries faced disruption: the energy industry from sustained low oil prices and traditional brick and mortar retail from the cloud. The one thing we might change from last year—the title. Individual accountability and disruptive change proved far less transient than any storm.
Disruptive regulatory change
Looking forward, last year’s macro concerns still largely hold true, but we can layer on new, potentially enduring exposure developments driven largely by political change. No crystal ball is required to predict monumental regulatory and enforcement change. The new administration and Congress have begun pursuing an agenda with stated goals of reducing administrative burdens and complexity in order to help spur economic growth. While less aggressive enforcement would help reduce D&O exposure, those expecting an overall decline in D&O exposure from reduced federal enforcement might be in for a few surprises.
- If administrative burdens and complexity are reduced at the federal level, we may see a new form of “balkanization” as enforcement activity cascades to states and foreign regulators. If that happens investigation costs could skyrocket as investigations could involve multistate or multinational enforcement authorities each with their own regulatory framework, information demands, politics and agendas.
- Where state and foreign regulators and enforcement do not fill the gap, we are likely to see the pendulum of D&O risk swing from the post-financial crisis environment of heightened federal regulatory enforcement toward increases in private litigation. So as the economy heats up, look for D&O claims frequency and severity to heat up as plaintiffs opportunistically seize upon stock drops from record markets (see below).
- Some action has already been taken. It has been reported that the SEC recently revoked subpoena authority from about 20 senior enforcement officials and limited that authority to the enforcement division director.
- In 2009, the first year after the SEC delegated subpoena authority to these senior officials, the number of formal orders of investigation more than doubled, from 233 to 496.
- By 2016, the SEC had authorized 681 formal orders of investigation.
Pulling back subpoena authority may not, however, result in fewer or less expensive SEC investigation responses. Rather, it could merely mean that insureds will spend more time and money responding to informal investigations and inquiries. With respect to D&O exposure, this authority pullback does reverse a trend in recent years that had made informal investigation coverage somewhat less important. For this year’s D&O coverage review, informal investigation exposure needs to be reexamined.
There is some good news. To the extent current efforts yield meaningful regulatory relief, D&O exposure should decline. We could then see the current competitive marketplace push entity investigation cost solutions even harder and on better terms than ever before. Where entity investigation coverage had been priced too high or too complexly designed or too narrow for many buyers, today’s market may offer real opportunity. Coverage is getting broader, conditions more attractive and pricing more reasonable. While the opportunities vary across the marketplace and underwriting may still vary considerably from account to account, transferring enforcement response cost risk via insurance could make savvy buyers into heroes.
Assessing “animal spirits” risk
Equity markets seem to keep setting new highs as the U.S. expects reflation, rising rates, and renewed growth. Last year marked a record for securities class action filings — driving public company D&O frequency — a trend that seems to be continuing this year. Record markets could drive both D&O claim frequency and loss severity due to a greater opportunity for plaintiffs’ firms to profit from downside movement.
With about the same degree of certainty that we expect the sun to rise in the morning or gravity to cause things that go up to fall down, we can expect a market correction, and when that happens, plaintiffs’ firms will sue — especially when the stock drops are precipitous and company-specific information gets updated. Record-setting markets are likely to be another factor leading to higher D&O risk.
With respect to mathematical expectations, we note that analytics have evolved considerably since Keynes wrote in 1936. Today’s D&O risk quantification can provide policyholders with insights into their D&O risk — even if that risk is driven by animal spirits.
Cyber in the boardroom — cybersecurity disclosures risk update
[C]ybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant . . . appropriate disclosures may include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
From the SEC’s CF Disclosure Guidance: Topic No. 2, Cybersecurity (2011)
In 2017, cybersecurity and cybersecurity disclosure timing may overtake individual accountability as the top emerging risk in D&O liability. The reported SEC investigation of a global internet information company that suffered two massive data breaches and the timing of its disclosures could become a watershed event.
Background: The SEC’s position on disclosure requirements for issuers around cybersecurity risk is not new. The SEC guidance quoted above, which detailed the SEC’s minimum expectations, was issued in October 2011. D&O risk experts watched for signs that the SEC or plaintiffs’ bar would use it as a springboard for a new wave of class action litigation. However, those concerns fizzled as securities lawyers worked their wording magic and effectively took the wind out of the class action sails.
An SEC investigation into cybersecurity disclosures is also not new. The SEC has investigated multiple companies over whether they properly disclosed breach events. Those investigations include headline-making security breaches like those of a large retailer that suffered catastrophic security breaches in 2013 that compromised up to 70 million credit and debit card accounts.
Why this one is different: A two-year delay between the breach and disclosure seems on its face bad enough. Add to that the fact that during the delay that the issuer’s core business was being acquired for $4.83 billion, and the disclosure of the security events led to a $350 million decrease in the purchase price. We can see ample reason for the SEC to take game-changing action.
What will the SEC do? Too soon to tell, but any SEC action could provide a basis for the plaintiffs’ bar to successfully pursue cybersecurity-based securities class actions.
Cyber disclosure-based class action: At least one firm has not waited. A securities class action has been filed against the company, together with its CEO and CFO, alleging that during the class period, the company made false and misleading statements over multiple quarters. The defendants allegedly failed to disclose over two years that hackers had stolen information in two distinct incidents involving more than 500 million and one billion accounts respectively. Plaintiffs are seeking recovery based upon Securities Exchange Act Section 10(b), 15 U.S.C. § 78j(b), and SEC Rule 10b-5, and for control person liability under Exchange Act Section 20(a).
Critical action items
With robust D&O risk to contend with, and disruptive change becoming a constant, keeping up with D&O risk dynamics and ensuring D&O coverage will perform well when needed has never been more critical. Here are some steps to take in the coming months.
- Assess the value of entity investigation coverage, and compare the entity investigation coverage you currently have (if any) against the opportunities in the market. The difference in cost between rudimentary and robust coverage may be modest.
- The risk of regulatory balkanization can be countered with an effective platform for global D&O coverage. In some countries, local coverage is required; in some situations there may be a compelling advantage to a single, global policy. Review your multinational insurance needs.
- Run or update analytics. Take advantage of the speedy new tools available and run the models on several datasets to see how potential risk factors can impact exposures and the value of insurance. Ideally, run the models live in order to get the most out of your models and your advisors.
- Review your program with your broker and other risk advisors. Coverage structure can matter as much as wording and capacity. For companies with multiple layers of D&O coverage consider having dedicated Side-A coverage, too.
Click here to learn more about comprehensive cybersecurity from Willis Towers Watson.