Earlier this month, I spent a week in the birthplace of D&O insurance, London. In addition to moderating a panel at Advisen’s European Executive Risks Insights Conference, I met with many energetic and talented D&O insurance professionals, both veterans and rising stars, to discuss U.S. securities litigation and regulatory risks. Themes emerged on some key issues. What follows is a collection of my impressions and opinions about three of them—not quotes from any particular company or person.

1. Greater frequency of securities class actions against smaller public companies gives D&O insurers an opportunity to innovate.

As I’ve observed over the past several years, a significant risk to companies is that ever-increasing securities defense fees no longer match the economics of most cases, and are quickly outpacing D&O policy limits. In the past, securities class actions were initiated by an oligopoly of larger plaintiffs’ firms with significant resources and mostly institutional clients that tended to bring larger cases against larger companies. But in recent years, smaller plaintiffs’ firms with retail-investor clients have been initiating more cases, primarily against smaller companies. Indeed, in recent years, approximately half of all securities class actions were filed against companies with $750 million or less in market capitalization. As a result, securities class actions have shrunken in size to a level last seen in 1997.

Yet at the same time, the litigation costs of the typical defense firms (mainly firms with marquee names) have increased exponentially. This two-decade mismatch—between 1997 securities-litigation economics and present-day law-firm economics—creates the danger that a company’s D&O policy will be insufficient to cover the fees for a vigorous defense and the price to resolve the case. Indeed, in my view, inadequate policy proceeds due to skyrocketing defense costs is the biggest risk directors and officers face from securities litigation—by far.

D&O insurers face a double-whammy: They are paying defense costs on smaller claims that are out of proportion to the actual risk because the lion’s share of cases against all companies, both large and small, are defended by the typical defense firms. At the same time, insurers are unable to charge a sufficient premium for this risk, due to the softness of the market.

I strongly believe the solution lies in a more tailored D&O insurance option for smaller public companies. Today, every public company buys some form of D&O indemnity insurance, which allows the company to choose their own lawyers and control their defense strategy. Under this approach, securities litigation defense lawyers effectively control the D&O insurance claims process; even the most veteran in-house lawyers are almost always securities litigation rookies. Is that in the insureds’ interest? Is the one-size-fits-all D&O insurance model right for smaller public companies, whose insurance proceeds are being disproportionately being spent on defense costs? Is there demand for an optional product that gives insurers greater control, up to and including an optional duty to defend D&O product for smaller companies?

London insurers and brokers are working through these issues. I’m extremely hopeful that there will be innovation for smaller public companies and their directors and officers—insureds who most need the guidance and protection of their insurance professionals.

2. In the wake of Morrison, greater strategic control is needed to deal with the risk of separate actions around the world.

In Morrison v. National Australia Bank, 561 U.S. 247 (2010), the U.S. Supreme Court held that the U.S. securities laws only apply to “transactions in securities listed on domestic exchanges, and domestic transactions in other securities.” In the aftermath of the decision, it was widely assumed that the frequency of U.S. securities class actions against foreign issuers would decline. Yet it has not. For more background, I refer you to Kevin LaCroix’s September 26, 2016 post in his blog, The D&O Diary.

Despite Morrison, foreign issuers whose securities are traded in the U.S. are still subject to a securities class action with respect to those securities. To add insult to injury, plaintiffs’ lawyers are also bringing separate actions around the world to recover for losses suffered from securities purchased outside of the U.S. The result is vastly more expensive claim resolution due to multiple actions around the world, with many lawyers madly working in each jurisdiction, and a greater practical settlement value due to the “let’s just get this over with” dynamic—but with uncertainty about the ability to obtain a worldwide release. So insurers now face a world in which claims are more severe, and in which the anticipated decline in the number of claims has not materialized.

London insurers and brokers are grappling with how to bring some order to this chaos. I don’t see an easy fix. As long as U.S. courts can’t accommodate all claims, worldwide litigation can’t be “won”—it can only be managed and settled as efficiently as possible. This requires strong strategic control of the overall litigation, both to orchestrate settlements in the most efficient fashion and to avoid lawyers in every jurisdiction doing duplicative and unproductive legal work.

Critically, strong strategic control must be imposed by an independent lawyer—someone who would obviously be paid for his or her time, but who otherwise has no financial interest in the worldwide work. Independence would give the strategic lawyer freedom from law-firm economics when making decisions about which lawyers should be doing what—and which lawyers should be doing nothing—as well as about when to settle. In other words, if Dewey Cheatham & Howe is worldwide defense counsel, with multiple offices and dozens of lawyers working on the case, the strategic leader should not be a Dewey Cheatham & Howe lawyer.

But who would play such a role? Although many companies of course have excellent in-house lawyers, very few have in-house lawyers who formerly were prominent securities litigators. So should the strategic quarterback be a securities litigator from a firm other than the worldwide defense firm? Should it be the broker? Should it be a lawyer for the primary or a low excess carrier? These are all good possibilities. And how can this arrangement be put in place before the litigation defense is already beyond control? Having the discussion is an important first step, and London insurers and brokers are working hard to figure this out.

3. The danger of a wave of D&O claims relating to cyber security remains real.

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cyber security will become a significant D&O liability issue. Although many practitioners and D&O insurers and brokers have been bracing for a wave of cyber security D&O matters, to date there has been only a trickle. Yet among D&O insurers and brokers in London and elsewhere, there remains a concern that a wave is coming.

I share that concern. To date, plaintiffs generally haven’t filed cyber security securities class actions because stock prices have not significantly dropped when companies have disclosed breaches. That is bound to change as the market begins to distinguish companies on the basis of cyber security. There have been a number of shareholder derivative actions asserting that boards failed to properly oversee their companies’ cyber security. Those actions will continue, and likely increase, whether or not plaintiffs file cyber security securities class actions, but they will increase exponentially if securities class action filings pick up.

I also worry about SEC enforcement actions concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk. But directors and officers should not assume that the SEC will announce new guidance or issue new rules before it begins new enforcement activity in this area. All it takes to trigger an investigation of a particular company is some information that the company’s disclosures were rendered false or misleading by inadequate cyber security. And all it takes to trigger broader enforcement activity is a perception that companies are not taking cyber security disclosure seriously. As in all areas of legal compliance, companies need to be concerned about whistleblowers, including overworked and underpaid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

In addition to an increase in frequency, I worry about severity because of the notorious statistics concerning a lack of attention by companies and boards to cyber security oversight and disclosure. Indeed, the shareholder litigation may well be ugly: The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.

Cyber security has improved, albeit not enough, in part because of the thought leadership and product development by insurers and brokers. So even if there is never a wave of D&O cyber security matters, the excellent work by insurers and brokers in London and around the world will have been worthwhile.

The Roots of D&O Insurance

London insurers and brokers are also focused on finding the right coverages for entities and individuals in the Yates-memo regulatory environment. This of course can create tension between entities, who would like their investigations costs covered, and individuals, for whom D&O insurance was created.

I am a D&O insurance fundamentalist—director and officer protection should always be our North Star. But a company can find the right path to protection of both individuals and the company with good communication between and among the company, its directors and officers, broker, and insurers—both at policy inception and when a claim arises.

It was a privilege to discuss this fundamental D&O insurance question, and many others, with thoughtful D&O insurance professionals who work just down the street from Edward Lloyd’s coffee house.