The purpose of this Airmic guide is to consider:
- Evolving and emerging directors and officers liability (D&O) risks and liabilities
- D&O claims trends
- The risk strategy and buying process
- The role of D&O insurance
- Who is at risk: What is an officer/director/non-executive director (NED)/outside director?
- How to get the most from your insurance
- The purpose and value of corporate indemnities and how they dovetail with insurance as part of the organisation's risk management strategy
Much has changed since the Airmic Guide to Directors and Officers Insurance was published in 2012. The risk environment, internally and externally, has changed materially in recent years and continues to change at an escalating pace. Specifically, more demanding governance responsibilities, new regulations and evolving risk challenges have informed this new and updated Guide. The risk manager must address a world of more complex and connected risks and the challenges this presents.
Risk managers, especially those operating in a multinational environment, face a growing raft of compliance responsibilities, indicative of an increasingly unforgiving regulatory environment. Investigations are taking longer, fines and penalties are rising and in many instances, regulators have demonstrated their ability to work together across borders to achieve significant outcomes.
Where regulators have limited resources, whistle-blowing and self-reporting are being encouraged. In the UK, Deferred Prosecution Agreements (DPAs) were introduced by the Crime and Courts Act 2013 as a means through which an organisation could avoid prosecution for economic offences by entering into an agreement on negotiated terms. However, such self-reporting does not protect directors and officers from future prosecution (see case study box).
Since the Global Financial Crisis (GFC), there has been increased scrutiny on the decisions and culpability of senior management. Post-crisis there was a sense that the individuals behind the problems leading to the crisis had not been held to account. Since that time, regulators such as the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) in the US, and the Financial Conduct Authority (FCA) in the UK have indicated an intent to focus more on the activities of individuals.
One of the more common questions for senior managers in the post-GFC world is whether sufficient systems and controls are in place to prevent wrongdoing or errors from occurring. This has been enshrined within new laws.
In the UK, for instance, the Senior Managers Regime published by the FCA requires senior individuals within financial institutions to demonstrate they are taking reasonable steps to do the right thing. Proposals are currently underway to extend the regime to nearly all regulated firms. In the US, the Yates Memo published by the DOJ focuses on individual misconduct in corporate organisations. Recent company failures have also put senior management conduct in the spotlight.
The rising tide of European collective actions
A quick look at the headlines shows the rising severity of collective action against companies and their directors. The €1.2bn settlement announcement in March 2016 of claims against Ageas (formerly Fortis) made by shareholders group Stichting Investor Claims Against Fortis (SICAF) was enabled by the Dutch collective settlement procedure known as ‘WCAM’.
In December 2016, lawyers representing claimants against the Royal Bank of Scotland (RBS) reached a partial settlement whereby RBS agreed to pay £800m. It was followed, in early June 2017, by a £200m agreement to settle with a further 24,000 corporate and individual investors. The successful lawsuit is expected to pave the way for similar group litigation cases to be brought against banks and other large corporates in the future.
Data Protection law also comprehensively changed when the European Union General Data Protection Regulation (GDPR) came into force in 2018. The purpose of the law is to protect individual privacy by placing increased responsibility on organisations that collect, store or use personal data relating to EU and UK citizens. To ensure that data protection becomes a board-level issue, the penalties for non-compliance are strict - up to 4 per cent of global turnover. In the event of non-compliance, as well as a company’s reputation being at stake, its directors could face criminal charges, or suits from company shareholders alleging that they failed to exercise reasonable care and diligence.
More generally, shareholder plaintiffs are using a company's cybersecurity practices as a foundation for allegations against its directors and officers in the wake of a data breach disclosure and the corresponding drop in the company's stock price.
While the tort environment remains the most punishing in the US, litigiousness is spreading globally, evidenced by the latest wave of collective actions across Europe. In 2013, the European Commission published a recommendation that those Member States that had not yet done so, adopt a framework for collective redress by no later than 11 June 2018.
Claims statistics show a steady rise of ex-US shareholder action against European directors and officers. This is partly driven by an increase in litigation funding throughout Europe, which migrated from Australia, where it has been very successful. Litigation funding is provided to claimants in return for either a multiple of the funds advanced or a percentage of recovery, if the litigation or arbitration is successful.
Litigation funding has been behind some of the largest non-US D&O claims in recent years. The net effect of this is that, if claimants have a strong case it makes it much easier (and less risky) to pursue claims. There is also potentially an increase in claims severity, as funder-supported claimants are more likely to pursue companies and their directors more aggressively.
Gender Pay Gap Reporting
Under the Gender Pay Gap Reporting Rules, employers in the UK with 250 staff or more are required by law to report the difference in pay between men and women by 4 April 2018. The Gender Pay Gap records the discrepancy between the average and mean wage earned by men and women at a company, regardless of their position. This is different to equal pay, which is the legal requirement that men and women be paid the same amount for equal roles under the Equal Pay Act 1970. Failure to comply with equal pay laws is deemed “an unlawful act” and the Equality and Human Rights Commission can take enforcement action against offending organisations.
Gender pay reporting will further heighten awareness of equal pay issues. The statistics are likely to be used by employees to question things such as whether they are being paid equally and whether their bonus payments are tainted by sex discrimination.
As well as potentially facing claims under the Equal Pay Act, companies reporting a gender pay gap could face reputational damage, leading to disgruntled shareholders claiming that senior management failed to properly manage the risk.
We could also see a rise in claims against those employers stemming from perceived gender discrimination, lack of work/life balance, or pregnancy/maternity leave discrimination. As well as claims against the corporation itself, disgruntled employees may bring claims against senior managers personally, alleging that they failed to put appropriate procedures in place.
Meanwhile, an era of social media and instant communication can make or break reputations or send share prices spiralling. The new Gender Pay Gap reporting rules may also have an impact on a company's reputation (see Gender Pay Gap Reporting box). This, along with the rise of activist shareholders, litigation funders and collective action frameworks, is producing enhanced exposures for companies and their directors. In addition, issues arising from mergers and acquisitions (M&A), employment liability and cyber risks mean that directors and officers are exposed to litigation in a way they were not in the past.
The FRC Corporate Governance Code places the onus firmly on the board of directors to set the appropriate tone for their organisation and to take on greater personal accountability. Issues such as risk and company viability, workforce interaction, culture, executive pay, board composition and duration of board tenure have risen up the agenda and all the while the corporate world continues its steady march towards a more globalised and interconnected operating environment.
In this more complex, uncertain and risky world, organisations are less immune from global upheavals on the other side of the world. Multinational exposures have never been more relevant to management liability and there has never been a greater need for consistency in an organisation’s global approach to managing, mitigating and transferring their management liability risks.
By partnering with AIG and Marsh to produce the guide, Airmic intends to equip risk managers with the information, tools and guidance they need to address the liabilities of the directors and officers of their organisation.