Executives Examine D&O Claim Trends, Cyber Exposure

March 6, 2015 by

A number of industry executives spoke with Insurance Journal recently to share their observations on the current directors and officers liability insurance claim trends. Executives also spoke about a new potential D&O exposure that’s been getting a lot of attention — cyber.

“Just speaking from the perspective of claim trends out there, we’re in an interesting time in the D&O world,” said Todd Greeley, head of claims for the Executive and Professional Lines Product at Berkshire Hathaway Specialty Insurance.

Speaking at the Professional Liability Underwriting Society (PLUS) D&O Liability Symposium in New York in February, Greeley said 10b-5 class actions are always a major exposure, the biggest exposure in public company D&O, but there are now, more than ever, additional exposures out there.

“I’m going to look at that as the pie of losses in the D&O world. The 10b-5 slice is getting a little bit smaller. It’s still the biggest,” Greeley observed. But one growing area he also spoke about is the shareholder derivative lawsuit.

“That has been always a part of the exposure landscape in D&O. It gained greater prominence with the stock option backdating scandal a number of years ago. The plaintiffs’ bar saw the derivative lawsuit as more than just something to piggyback on the 10b-5 lawsuit,” said Greeley.

“The shareholder derivative lawsuits are continuing to gain momentum,” he observed. “We’ve seen in the last several months some real blockbuster derivative settlements, nine-figure settlements.”

Greeley explained the reason that’s of interest to D&O carriers — in addition to the size of the settlements — is that for the most part, settlements of non-derivative lawsuits are non-indemnifiable. That type of a settlement is going to impact a Side A product in the D&O world, he said, and those are significant losses for the Side A product.

“One of the settlements that recently happened also had a pretty unique feature where the company, which is the beneficiary of the settlement dollars in a derivative lawsuit, actually agreed to take those funds and pass it through to the shareholders in the form of a special dividend,” said Greeley. “That was a pretty unique feature. No sense of whether that’s a trend or if that was unique to that case.”

“The fact that we are seeing some bigger settlements, and if you were to go back and look at the biggest derivative settlements, I think most of them probably you’ll see in that list occurred in the last five to 10 years — that seems to be an increasing area of exposure for D&O,” he said.

Another area Greeley spoke about is regulatory exposure: government investigations post-financial crisis. “We continue to see and have seen this ramp up by regulators both in the U.S. and internationally in terms of investigations,” he observed. “A variety of things are focused on, ranging from bread-and-butter accounting issues that the U.S. Securities and Exchange Commission might be looking at, to foreign corrupt practices violations or alleged violations.”

Greeley said the bottom line is global market regulators are more staffed up than ever before. “Generally speaking, their funding is increased, especially post-crisis, so they have more resources to go after and investigate public companies. We’ve seen that. The impact in the D&O world was really on the defense cost front. Those costs can be enormous. They can be nine-figure costs.”

Turning to the topic of cyber as a new potential D&O exposure, Greeley noted this issue has been getting a tremendous amount of attention. “Every D&O conference you go to, and every D&O blog you might follow, there is almost a daily reference to cyber. Cyber is a potential new D&O exposure. But I don’t think cyber presents something unique in terms of an exposure,” said Greeley.

“If the director or officer were to be sued in connection with a data breach at the company, for whatever reason, it could be because the stock dropped, or because shareholders alleged there was a breach of fiduciary duty — or a regulator came in and said you are responsible for failing to protect the company’s information,” he said.

“So long as that individual is acting in their capacity as a director or an officer, that’s something that a D&O policy should cover. So I don’t see any need to change the D&O form to respond to it. The D&O form is essentially an all risk policy for directors and officers in their official capacity,” said Greeley. “As a source of losses, or a type of D&O loss, it’s obviously a new thing, and getting a tremendous amount of attention. The SEC has commented with increasing frequency about the need for directors to make sure that the company is prepared for attacks on their data.”

Greeley advised corporate boards to be proactive in implementing cyber defense measures. “Boards that aren’t being proactive about making sure that they have the right procedures and processes in place, the right tools in place, and a game plan to deal with a breach if it were to happen — you’re risking a serious problem, and accusations that you didn’t meet your fiduciary duties,” he said. “So that’s something that’s been a topic of a lot of discussion in the D&O world lately.”

Kevin LaCroix, executive vice president at RT ProExec, a division of R-T Specialty LLC and an insurance intermediary focused on management liability issues, said plaintiffs’ lawyers are trying to figure out what their opportunity is going to be in this area.

“We’re all very aware of the high-profile breaches at Target, Home Depot, and Sony. We’re aware of the possibilities of lawsuits by consumers and others who feel like their privacy has been violated,” said LaCroix. “In addition to all the other burdens, costs, and expense that a company may experience as the result of a cyber breach, there may also be a lawsuit against the directors and officers of the company.”

LaCroix said the directors of Target were hit with a derivative lawsuit, and Wyndham Worldwide, the hotel chain, has also been hit with a lawsuit brought by investors against the directors, alleging a violation of their duties.

“I think we’re still in the phase where the plaintiffs’ lawyers are trying to figure out what their opportunity is going to be, but I think they have a huge incentive to search. I’m not sure which direction it’s going to go for sure,” said LaCroix. “But if I had to make one prediction for 2015 and beyond, I would say we’re going to see developments where there will be lawsuits against directors and officers as a result of a data breach, or some other cyber event, at a public company.”

James Skarzynski, current president of PLUS and chairman at law firm Skarzynski Black LLC who specializes in D&O and other forms of professional liability coverages, added that cyber is perhaps one of the most significant exposures facing the professional liability insurance community.

“There have been several very large cyber losses in recent times that have caught the attention, not just of the financial press and the government regulators, but obviously of the underwriters, when you have situations such as Target and Home Depot having catastrophic-size losses,” said Skarzynski. “One of the things that I think everyone who is involved in the cyber product is grappling with is, how to calculate the risks, estimate the exposure, predict the frequency of claims, and I think it’s very, very difficult.”

Skarzynski said that instead of claims being made by plaintiffs’ lawyers whose actions are fairly predictable, there are attackers whose identities are unknown in many cases. “From reports in the press, it appears that the government authorities are still trying to sort out the parties responsible for the attacks on Target and Home Depot, among other institutions,” he said. “In my opinion, it makes the exposure difficult to gauge. I think there certainly are significant risks there.”