Exposures for directors and officers (D&Os) continue to evolve globally
June 2019 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
June 2019 Issue
From #MeToo to the move towards more collective redress regimes outside the US, to failure to manage cyber risk, exposures for directors and officers (D&O) continue to rise. The environment and landscape directors and officers navigate on a daily basis is becoming more complex and risky. Regulator, investor and public expectation of boards continues to intensify and personal accountability for not meeting these expectations is increasing.
The shift from corporate responsibility to personal responsibility continues at pace. D&Os are facing increasing exposure with the growing willingness of both investors and regulators to hold them accountable. When expectations are not met, the propensity to litigate is now given extra fuel by the increased use of collective actions, capital flow into shareholder activism and the growth of litigation funding. The latter has become an alternative asset class producing high returns, further spurring the level of litigation activity.
Collective redress gains ground in Europe
Financial lines claims, including those related to D&O insurance, are growing more complex, according to our recent Global Claims Review report, based on the analysis of 14,130 insurance industry claims between July 2013 and July 2018. Particularly for international companies, large claims are more likely to involve multiple parties and multiple jurisdictions.
A number of EU countries already allow for collective redress. Notably, the Netherlands allows consumers and investors to use representative collective actions or class settlements to obtain mass damages. There have been a number of collective actions by investors or consumers in the Netherlands, as well as Germany and the UK.
Cyber threats and the adoption of FinTech increasingly become D&O issues
Boards operate under a spotlight in uncertain economic and political times where equity and asset price volatility is the norm. The emerging challenge for directors is understanding and dealing with emerging risks, which in many respects are only going to become increasingly complex and difficult to deal with. Cyber risk is probably the best example of this and, while cyber attacks against companies dominate the main headlines for now, it would not be surprising if within a short period of time we are also reading about claims against directors who did not do enough to protect their companies against the cyber threat.
Today, cyber risk translates to a D&O risk. It is not just an issue of breaches against the organisation and its IT department; it has become a management and a board-level issue.
In the wake of mega data breaches and privacy scandals, major IT outages and the introduction of tighter data protection rules in the European Union and other countries, cyber risk is now a core concern for businesses in 2019 and beyond. According to our Risk Barometer 2019, which surveyed nearly 2500 risk experts from 86 countries, cyber incidents (37 percent of responses) are neck-and-neck with business interruption (BI) (37 percent of responses) as the top business risk globally.
Increasing concern over cyber incidents follows a watershed year of activity in 2018. Cyber risk has been a major risk for a number of years, but as with any new risk it has struggled with awareness. We have now reached a point where cyber is as concerning for companies as their major traditional exposures. Cyber incidents are increasingly likely to spark litigation, notably securities class actions in the US. Data breaches or IT outages can generate large third-party liabilities as affected customers or shareholders seek to recoup losses from companies. Implementation of robust data security and cyber resilience frameworks is now a key aspect of company management.
Technological exposures are becoming more prominent and carrying a higher risk than in recent years. These should not be confined to IT departments or tech specialists – company boards also need to ensure they understand and can effectively oversee these very particular risks.
The financial services industry has seen fast-growing adoption of financial technology (FinTech), which brings greater efficiency to custody, payments and securities trading. These technological developments, however, add new challenges to the control of operational risks, including cyber risk, and we expect more attention on security standards going forward, including from regulators.
Data protection violations are one of the most common and more serious reasons for cyber-related notifications. British companies have fallen victim to more than 10,000 data breaches since the General Data Protection Regulation (GDPR) came into force in May 2018, according to a report from DLA Piper. The report found that Britain reported the third highest number of breaches, trailing only the Netherlands (15,400) and Germany (12,600). As a result of such breaches, the UK and Europe are seeing more collective actions. Having to comply with the GDPR in Europe and related financial reporting has also led to shareholder actions in the US, where legal action has been taken against individual D&Os as well as the companies themselves.
The growth in collective redress and the evolution of cyber threats often encourage companies to consider purchasing standalone transactional risk cover and new or increased cyber insurance coverage. With financial institutions operating in multiple jurisdictions, we also observe the need for a more effective execution of international programmes, which provide the crucial framework for compliant global coverage. Ultimately, there is no ‘one size fits all’ response to risk. Risk management frameworks benefit from regular review and stress testing to ensure risks are actively mitigated and managed.
The responsibility for managing risk does not start and end with the risk management function. Boards, risk committees and senior management have to embrace and understand the impact of technological innovation, cyber risks, changing consumer preferences and even climate change on their business models and risk profiles.
Stefania Davi-Greer is regional head of Financial Lines, Terry FitzGerald is head of Financial Institutions and Commercial Directors and Officers Insurance for UK and Matthew Lamplugh is regional head of Claims for Financial Lines at Allianz Global Corporate & Specialty (AGCS). Ms Davi-Greer can be contacted on +44 (0)20 3451 3410 or by email: firstname.lastname@example.org. Mr FitzGerald can be contacted on +44 (0)203 451 3636 or by email: email@example.com. Mr Lamplugh can be contacted on +44 (0) 203 451 3679 or by email: firstname.lastname@example.org.