D&O risks to watch in 2024

Board members are having to steer businesses through a challenging environment after a series of social, political, and economic shocks over the last few years. We’ve summarized here the main risks for boards in 2024 — as outlined in a December 2023 Lockton webinar — and the consequences these may have from an insurance perspective.

  • Insolvency risk

Corporate revenues are declining amid lower pricing power and weaker global demand. At the same time, elevated costs are squeezing profitability. High energy costs are impacting some sectors more than others, with transportation, hospitality, food and beverage companies, and chemical companies among those facing the greatest pressure.

The number of registered company insolvencies in England and Wales in November 2023 was 21% higher than in the same month in the previous year, according to the UK’s Insolvency Service. Similarly, US bankruptcy filings grew 21% year-on-year in November 2023, according to the American Bankruptcy Institute. Commercial chapter 11 filings increased 141% during this period.

Furthermore, global business insolvencies are set to increase by +6% in 2023 and +10% in 2024, according to trade credit insurer Allianz Trade. Corporate liquidity positions are worsening and unlikely to improve before 2025, and fresh capital is less available following a series of interest rate hikes in major economies around the world. As a result, businesses need to preserve cash. Continuing supply chain challenges are being further complicated through economic sanctions and import controls (tech, semiconductors).

Risk monitoring

In this challenging economic environment, investors are closely watching what directors and officers are doing to protect assets and their valuations and may consider bringing suit against management if they suspect wrongdoing. To help mitigate potential litigation, managers could consider placing particular attention on creating a resilient supply chain with buffers and alternative suppliers for core materials.

Furthermore, businesses need to maintain state-of-the-art sanctions controls that reflect the rapidly changing geopolitical environment. Violations of sanctions regimes can result in administrative penalties, criminal proceedings, and securities claims. Businesses that have expanded rapidly in recent years should confirm they have governance processes in place appropriate for their size.

From an insurance perspective, Side B of the D&O policy covers the liability of directors when they are indemnified by the organization and Side C covers the corporation’s own liabilities related to securities’ grievances. When the corporation becomes insolvent, however, claims can quickly arise under Side A, which protects directors and officers against financial liabilities where indemnification is not available. Accordingly, it is imperative to ensure that you have appropriate Side A, B and C limits in place to fit your risk exposures.

  • Regulatory disclosures

Regulators and investors have been increasing scrutiny over companies’ environmental, social, and governance (ESG) disclosures, demanding additional transparency. Currently, disclosure laws differ according to jurisdictions, but the IFRS Sustainability Disclosure Standards (IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures) are increasingly becoming the standard for sustainability reporting.

The Corporate Sustainability Reporting Directive (CSRD) entered into force in Europe in January 2023, strengthening the rules concerning the social and environmental information that companies have to disclose. Further, a broader set of large companies, as well as listed small- and medium-sized enterprises (SMEs), will now be required to report on sustainability. The new rules will be applied for the first time in the 2024 financial year, for reports published in 2025. A two-year delay has been agreed for certain features, primarily the adoption of the European Sustainability Reporting Standards (ESRS).

The ESRS are the rules and requirements which obligate companies to report on sustainability-related impacts, opportunities, and risks under the CSRD. EU companies will now have substantially more time before being subject to requirements to provide sector-specific sustainability disclosures, and certain non-EU entities will be brought within the scope of the CSRD two years later than originally proposed.

In the US, the Securities and Exchange Commission (SEC) is expected to release in April 2024 its rules requiring companies to disclose climate-related risks, such as scope 1, scope 2 and scope 3 emissions, and their risk management practices. The SEC climate disclosure rule proposal includes several extensive, standardized and prescriptive requirements and is intended to provide investors with consistent, comparable, decision-useful information that is reliable.

California, meanwhile, enacted a first-of-its-kind mandatory climate emissions disclosure rule in October 2023. The rules, which are coming into force in 2026, demand that companies have clear accountability roles for climate reporting and create cross-functional teams within their finance, legal, and other units. Unlike the SEC’s proposal for public companies, California’s rules apply to both public and private companies that do business in the state and meet certain annual revenue thresholds.

Risk monitoring

Disclosure rules will place more scrutiny on information released by directors, officers and the companies they serve. Stakeholders and regulators may decide to challenge certain disclosures, potentially leading to regulatory investigations and proceedings, criminal proceedings, and civil actions, including securities claims and derivative actions.

Disclosures regarding the “S” in ESG can be quite challenging. Even businesses that are trying to do the right thing from a diversity, equity, and inclusion (DEI) perspective may face litigation. Recent cases include a pharma company that was sued in the US by an advocacy group opposing diversity initiatives in medicine. The NGO claimed that the pharma company’s fellowship program to improve diversity discriminates against white and Asian-American applicants.

Similarly, a conservative activist investor filed a lawsuit against the board of a coffeehouse chain over its hiring goals for black and other people of color, its awarding of contracts to "diverse" suppliers and advertisers, and its tying of executive pay to diversity. The investor claimed that those policies require the company to make race-based decisions that violate federal and state civil rights laws. Doing too little or too much on the diversity front can both result in legal challenges, making it very difficult for directors and officers to make decisions.

There has also been a recent rise in the number of US derivative claims relating to social issues. Such claims often result in large settlements, some in the hundreds of millions of dollars. Derivative suits are being seen as an alternative to a securities class action in the absence of share price movement.

In addition, regulators have generally become more active after a slowdown during the pandemic. A flurry of changes proposed under the umbrella of “ARGA” (Accounting Reform and Governance Authority) is forcing directors and officers to place more focus on the “G” in ESG. Some industries are attracting particular attention. These include construction material manufacturers, food and beverage companies, gas and water companies and utilities companies in general, industrial metals and mining companies, and the retail sector.

The scrutiny comes in the wake of high-profile failures, particularly in the UK and Europe. Company boards will need to prepare for the regulatory changes and ensure protection is in place to avoid potential breaches. An increase in regulation does mean that there are more regulations to potentially break.

There are also new and forthcoming regulations requiring companies to self-report cybersecurity incidents to regulators and shareholders. An example is the new SEC regulation in the US requiring public companies to disclose “material” cybersecurity incidents they experience within four business days after determining that an incident is material. For directors and officers this will mean that the speed and accuracy of what they report to the public will be crucial. There is a significant risk that companies may fail to meet the deadline or that the information they release is incomplete or incorrect, potentially putting them at risk for both regulatory action and shareholder securities class actions.

One potential defense for companies alleged to have violated the new SEC cybersecurity rules will be the interpretation of the word “material”. However, it may be that the term encompasses more than just an impact on share price, extending to impact on the balance sheet and on a company’s reputation. The new reporting rules will require a rethink of how companies assess and report cyber breaches and incidents. Cyber subcommittees may need to meet more often to assess the risk, review crisis plans, and ensure quick access to the relevant information required for disclosure.

Given the ESG and heightened cybersecurity exposures associated with directors, officers and the companies they serve, it is imperative that companies review their current D&O programs, not only to ensure the appropriate limits but to ensure that certain potentially problematic exclusions are either eliminated or narrowed where possible.

  • Emerging risks

The deployment of AI technology is likely to introduce new risk from a D&O liability perspective as it will add vulnerabilities that may need to be disclosed. The integration of AI tools into existing systems may add new entry points for cyber criminals. AI tools may also produce wrong output if the data they were trained on is biased. Criminals may use AI to create not only synthetic text but also audio and video to scale targeted phishing campaigns. In addition, there is the risk that directors and officers may overstate or understate the risks, threats, challenges and opportunities in what is referred to as “AI washing”.

If you want to find out more, please watch the replay of the webinar here, or visit the Lockton Management Liability page. Alternatively, please contact:

Sarah D. Katz Downey, Managing Director, U.S. Financial Services

E. sdowney@lockton.com

Michael Lea, Partner, Head of Management Liability

E. michael.lea@lockton.com