Public Company D&O Insurance Guide & Risk Assessment
Public companies operate in a complex, constantly shifting risk environment. Emerging compliance requirements, regulatory enforcement trends, precedent-setting court rulings, and trending follow-on claims are just a few examples of shifts in the GRC landscape that can significantly alter the risks public company directors and officers must navigate. Below we summarize the current risk environment while addressing public company D&O insurance and its role in protecting both the corporate entity and its executives. Those interested in skipping directly to the D&O insurance guide can find it just below the risk assessment (about halfway down).
Securities Claims: Securities class action filings are at record highs for 2017 & 2018. According to Cornerstone’s 2018 Mid-Year Securities Class Action Assessment, this is due in large part to the large number of merger objection claims, which account for roughly half of all claims brought against public companies. The sectors most affected by class action filings include: 1) consumer cyclicals, 2) communications & tech, 3) financial & real estate, and 4) healthcare & bio-pharma. Despite these record high filings, however, there may be some good news – according to LexMachina’s Securities Litigation Report, damages & settlements are down significantly, and it appears defendant wins and dismissal rates are up. While this may be comforting to the c-suite, when discussing public D&O insurance it’s important to remember that despite the increase in defendant wins, significant costs can still be incurred while defending against such claims. In fact, some experts are citing increasing defense costs despite the high dismissal rates.
Investigations & Enforcement Actions: Public company boards regularly cite regulatory/administrative investigations and proceedings as a primary concern. The Yates Memo, however, has heightened that concern by emphasizing personal accountability and the aggressive pursuit of individual wrongdoers. While SEC enforcement initially appeared to be significantly down for the first half of 2018, the SEC’s recent enforcement report indicates a sharp increase in the second half. In summarizing the current regulatory environment, we refer to Cornerstone’s 2018 SEC Enforcement Report:
- The majority of actions filed against public companies were brought as administrative proceedings (accounting for roughly 85% of all actions)
- Issuer Reporting & Disclosure allegations combined with FCPA allegations account for approximately 47% of all enforcement actions. An additional ~45% can be attributed to allegations against broker-dealers and investment advisors/companies.
- Roughly 1/4 of all actions filed also included at least one individual director or officer
- The average monetary settlement for 2018 was ~ $35 Mill with a mean settlement of ~ $3 Mill. These settlement figures appear to be largely fueled by FCPA settlements.
- The sectors most affected by SEC enforcement actions were financial/insurance/real estate companies, accounting for half of all enforcement actions, followed by manufacturing companies (20%) and services (11%).
- Per the SEC’s 2018 Dodd-Frank whistleblower report to Congress: whistleblower tips and awards are both at record highs. In fact, the total number of tips received in FY2018 increased roughly 20% from FY2017 (and over 70% from FY2012). Tips related to disclosures/financials, offering fraud, and manipulation topped the list.
FCPA Enforcement: When discussing FCPA enforcement trends, the risks to individual directors and officers are greater than ever. The number of enforcement actions is already up as of Q3 2018 (compared to 2017), and the DOJ is continuing its aggressive pursuit of individual wrongdoers, often with criminal charges. On a more positive note for public company entities, however, the Benczkowski Memorandum signals a significant shift in enforcement tactics, as the DOJ appears to be scaling back its use of corporate monitors - a costly, time-consuming, and resource-draining endeavor for organizations. This is also evidenced by the fact that there was only a single action as of Q3 2018 that resulted in the implementation of a corporate monitor. In addressing M&A due diligence within the context of FCPA enforcement, companies engaged in mergers and acquisitions will now need to approach their transactions with a stronger focus on compliance, as the DOJ has recently extended FCPA enforcement to successors in M&A transactions. For those interested in a more in-depth assessment of FCPA enforcement trends, Arent Fox has a well-researched report (here).
Cyber & Privacy Risk: Cyber-security failures and privacy failures pose significant risks to public companies and their boards. While cyber-security failures are generally well understood, privacy failures are a bit less understood, yet are quickly becoming an emerging risk. These failures generally revolve around unauthorized collection of, sharing of, or access to data, in violation of any privacy or opt-in agreements. The FTC action and subsequent class action against Vizio for its unauthorized collection of users’ private viewing data is a strong example of such failures. The financial and reputational damage inflicted by data breaches and privacy events, however, is often just the tip of the iceberg. These failures can quickly trigger shareholder litigation in the form of class action lawsuits or derivative actions - a trend that is expected to grow. They have also attracted the attention of regulators, who have responded with increased compliance & disclosure requirements, investigations and hefty fines. As we outline below, cyber/privacy risks to public companies are multi-faceted.
- Financial Risk: The most obvious risk posed by cyber-crime is direct financial loss resulting from lost income, reputational damage, forensic costs, restoration costs, theft of IP, and lost funds resulting from social engineering schemes (also known as CEO Fraud). Many of these risks are best insured through a comprehensive cyber risk insurance policy and an accompanying social engineering fraud crime endorsement. We should note, however, that insurance for theft of IP and reputational damage is generally unavailable at the current time. Lastly, with M&A data being targeted, companies engaged in mergers and acquisitions also need to be cognizant of the risks posed by cyber criminals seeking to alter (or gain access to) material non-public information.
- Shareholder Litigation Risk: In addition to potential consumer class action suits, cyber-related shareholder litigation can take one of two forms: derivative actions (alleging breaches of fiduciary duties), or securities class actions following stock drops or the announcement of enforcement actions. These claims generally allege misleading security representations, inadequate security controls and/or inadequate cyber disclosures. Patterson Belknap has a good post here explaining the different categories of cyber-security shareholder lawsuits. While the plaintiffs’ bar has been fairly unsuccessful due to high pleading standards, many experts consider such litigation the next big wave, citing cases like the Home Depot, Yahoo, Wendy’s and Equifax lawsuits as a precursor of things to come. Whether litigation is successful or unsuccessful, however, companies can incur significant costs in defending against such claims, which is why public companies should pay particular attention to addressing/negotiating any cyber exclusions when reviewing their D&O policies.
- Regulatory Risk: In an effort to protect investors, the SEC was quick to respond to cyber-crime with the formation of a “Cyber Unit” and “Retail Strategy Task Force” in 2017, and has issued regular alerts and guidance reports since. Investigating potential insider trading (following a data breach) is just one item on their agenda, as evidenced by the case against Equifax, which resulted in insider trading charges against a former executive. Inadequate or misleading cyber-security controls can also result in enforcement and fines. Shortly after the SEC filed charges against Voya for violating the “Safeguards Rule” and “Identity Theft Red Flags Rule”, the commission released a report warning companies of the risks posed by social engineering fraud and the need for adequate internal controls to protect against such schemes. They also warned that those who fail to implement proper controls may become the subject of future enforcement actions. Lastly, failing to disclose a breach can also attract regulatory action. In 2018 Yahoo was fined $35 Mill for failing to disclose a breach, a first for the SEC. When addressing cyber disclosures, companies also need to be aware that such disclosures may be subject to Regulation FD. In an effort to assist public companies with their cyber-security disclosures, the SEC has a nice guidance report (available here). In addition to specific SEC enforcement, companies should also be aware of: emerging regulations (such as GDPR), industry-specific compliance requirements (such as HIPAA), emerging FTC enforcement (addressing privacy failures), and the potential for cyber whistleblowers – an emerging risk which we addressed in a two-part series for NYU PCCE (here).
Sexual Misconduct Claims: In addition to shareholder claims following cyber/privacy incidents, event-driven securities claims are also being fueled by shareholder suits and derivative claims following allegations of sexual misconduct. CBS, Guess, Wynn Resorts, National Beverage and Signet Jewelers are just a few companies that have encountered such litigation, and the list is growing. In response to these emerging claims, public company boards should carefully review the terms and conditions of their D&O policies, while negotiating any problematic exclusions and necessary carve-backs, as discussed in our recent post.
Emerging Industries: Companies engaged with cannabis, crypto-currencies, or ICOs (initial coin offerings) face considerable challenges. Operating in an unpredictable and turbulent regulatory environment, companies in this sector are encountering aggressive regulatory scrutiny while becoming an emerging source of class action claims. While D&O insurance is available for both cannabis companies and those engaged with ICOs, companies in this space will encounter some significant challenges. In addition to high premiums and a small pool of insurers, coverage for regulatory actions/investigations and securities claims against the entity (Side-C coverage) may be entirely unavailable. For those operating in this space, we have previously published some guidance on D&O placement (here) and (here).
New IPOs and Secondary Offerings: The Cyan ruling means that plaintiffs can now pursue SEC ’33 Act claims in state courts, which historically have been viewed as more plaintiff-friendly. According to Cornerstone’s securities report, which we linked above, there has been no noticeable pattern in plaintiffs’ forum selection just yet, but it’s likely still too early to tell. Companies and their directors should, however, be aware that this ruling can result in increased defense costs, particularly when securities claims are brought concurrently in multiple courts. For this reason, companies undertaking an IPO or secondary offering should carefully assess the limit adequacy of their D&O programs and consider purchasing higher limits when able.
Side A (Director Liability): Provides direct, first-dollar coverage (in the form of defense costs and damages/settlements) for claims asserted against the company’s directors and officers when the company is unable to indemnify them. Most commonly, this is due either to financial insolvency or to indemnification being legally prohibited by laws or statutes, such as during a derivative claim (alleging breach of fiduciary duty), or a claim which asserts allegations against a director that are deemed to have been committed in “bad faith”. For those interested, Chubb has a nice brochure with numerous Side A claim examples (here).
Side B (Corporate Reimbursement): The Side B insuring agreement provides protection for the corporate balance sheet by reimbursing or advancing the costs associated with indemnifiable claims against its directors and officers. Examples may include: civil proceedings (such as merger objection claims against the board), regulatory investigations & proceedings, and potentially criminal proceedings.
Side C (Entity Coverage): Coverage for defense costs and damages/settlements for claims asserted against the entity. In contrast to the broad entity coverage provided to private companies, public company D&O Side-C coverage is limited solely to securities claims. That would, of course, include securities class actions following enforcement actions, cyber-security failures and allegations of sexual misconduct, as discussed above.
Side D (Derivative Investigation Coverage): Provides coverage for investigative costs and costs associated with books and records requests, following shareholder derivative investigations.
Traditional D&O Endorsements:
- Crime & social engineering insurance: Protects the corporate balance sheet against theft of funds, employee dishonesty, computer fraud and social engineering schemes, among others.
- EPLI: Employment practices liability provides coverage against allegations of employment-related misconduct such as wrongful termination, harassment, discrimination and retaliation. Third-party EPLI coverage extends such coverage to claims of harassment or discrimination asserted by third parties such as users/clients, vendors, etc.
- Fiduciary Liability: Protection against errors and allegations of negligence or mismanagement in the administration of employee benefit plans, such as failure to enroll, calculation errors and erroneous advising.
Side A DIC: Side A DIC (difference in conditions) is a unique product that provides: 1) excess Side-A coverage, effectively increasing the overall limit available for non-indemnifiable claims against directors and officers, and 2) broader primary Side-A coverage which “drops down” to fill any gaps in the underlying carrier’s form. Side-A DIC policies are also able to bypass standard “presumptive indemnification” clauses, granting executives direct coverage if the corporate entity refuses to indemnify them. Combined with its broader coverage terms, this makes Side A DIC a valuable tool during investigations and enforcement actions against named individuals who would otherwise be forced to meet a high retention before accessing coverage under the underlying D&O policy. As a true risk multi-tool for the c-suite, incorporating a Side-A DIC policy provides a number of additional benefits as well, which we summarize in our recent article here.
IDL/ODL: With numerous directors and officers sharing one policy limit, even a single claim can quickly exhaust coverage. This is particularly true when individual insureds hire their own counsel resulting in inflated defense costs. Independent and outside directors may have concerns that they may be the last in line to receive coverage. As its name would suggest, independent director / outside director liability policies are Side-A only policies entirely reserved for claims made against independent and outside directors.
Cyber Insurance: As evidenced by multiple surveys, cyber-security and privacy failures have become a leading risk concern in the boardroom – in some surveys, surpassing concerns over regulatory actions and investigations. Cyber insurance provides coverage for costs arising from cyber-security failures, such as lost income, forensic costs, network restoration costs, ransom demands, regulatory costs, and more. With both cyber-related shareholder litigation and cyber enforcement on the rise (and expected to increase), it’s becoming increasingly important to assess the scope of the organization’s cyber insurance policy along with any cyber exclusions embedded within the company’s D&O policy in order to ensure coverage is intact.
M&A Insurance (Reps and Warranties): Reps and warranties insurance provides both buyers and sellers with protection against claims resulting from unintentional breaches of the representations and warranties made during a transaction.
Specialized Investigation Policies: With regulators aggressively pursuing individual wrongdoers, and increasing concerns over potential FCPA actions and costly SEC investigations, it’s no wonder public companies often inquire about the ability of their D&O policies to respond accordingly. Coordinating a D&O policy to effectively respond to regulatory actions and investigations, while possible (to a certain extent), can be difficult. This is particularly true for informal investigations and those brought solely against the entity itself, as opposed to investigations brought solely against individual directors or officers. Even when coverage appears intact, damages such as “costs to produce documents” may be excluded, or other requirements may need to be met in order to trigger coverage. Some insurance companies have identified the demand for thorough coverage and responded by introducing specific endorsements and/or specialized policies particularly for investigations.
Premiums: Premiums for public company D&O generally begin at an annual premium of $20k for a $1 Mill limit. It’s important to note that this is a minimum premium and applies to all companies regardless of size (whether a nano-cap OTC filer or a mid-sized company). Premiums will increase from there, sometimes significantly. While the premium will greatly depend on the financial strength of the company, there are a number of underwriting criteria factored in when determining pricing and acceptability, including: limits being purchased, prior claims, industry risk, ownership structure, and high-risk events such as financial restatements.
Application process: Because of public filings, much of the information required to underwrite a public company is already publicly available, which eases the process to a certain degree. Companies should, however, be ready to provide the following:
- D&O Application
- Schedule of subsidiaries
- Copies of existing D&O policies
- Explanation of any distressed financials and plans for future funding
Time Frame: Whether you’re in the market for a first-time D&O placement or approaching a renewal, it’s important to start the process early. While quotes can in some cases be obtained in as little as 2 weeks, it’s generally best to allow 1-2 months in order to receive proposals from all of the carriers and leave sufficient time for coverage/term negotiations. Companies contemplating a future public offering are also best advised to purchase a private D&O policy well in advance of any potential offering or roadshow.