More than four years after the financial crisis, exposure to investigations and lawsuits remains real for individuals serving as directors and officers of public companies. Fortunately, the general rule still holds true that directors and officers rarely contribute to settlements and judgments out of their personal assets. However, the last four years have brought a steady wave of litigation and an increased enforcement focus from regulators. In addition to ongoing litigation stemming from the financial crisis, public companies have faced an uptick in shareholder litigation involving M&A transactions, claims brought in foreign jurisdictions, lawsuits challenging their executive compensation practices and proxy disclosures, and record levels of enforcement activity under the Foreign Corrupt Practices Act. The FCPA is just one of several areas where the Securities and Exchange Commission and the Department of Justice have been active in their enforcement efforts, and these efforts are likely to continue. Indeed, the SEC recently announced that under its new leadership, the Commission intends to begin to target more individual directors and officers in future enforcement actions, and in appropriate cases to compel directors and officers to admit liability even when settling these enforcement actions. Clearly, the stakes for directors and officers have been raised significantly, and the need has increased for enhanced protections under their companies' D&O insurance policies.
Additionally, a new decision from the U.S. Court of Appeals for the Second Circuit serves as a reminder of the potential exposures facing public company directors and officers concerning their insurance coverage for major claims. In Mehdi Ali v. Federal Insurance Co.1 the Second Circuit affirmed a lower court holding that the former directors and officers of Commodore International Limited had no coverage under several of the company's excess D&O insurance policies based on the appellate court's reading of the policies. The circumstances that led to this result are somewhat unusual: after Commodore filed for bankruptcy in 1994, two of the insurers in its D&O insurance program became insolvent. However, the Second Circuit's decision illustrates the importance of a careful review and consideration of D&O policy wording, and evaluating whether better terms and conditions can be achieved. Indeed, in recent years a number of new forms of coverage have been introduced that strengthen protections for directors and officers when faced with catastrophic situations such as a bankruptcy.
Public companies and their boards also are well advised to revisit the indemnification provisions in their charter documents (certificate of incorporation and bylaws), consider the need for indemnification agreements if they don't already have them, and ensure that there are no significant gaps between the protections afforded directors and officers from their statutory or contractual indemnification rights on the one hand, and their D&O insurance rights on the other hand. The "Overview" section below provides a bullet point summary of the important issues that companies and their boards should consider, followed by a more detailed discussion of each of these points.
a. Look at the whole package of protections for directors and officers: provisions in the certificate of incorporation limiting personal liability to the corporation, indemnification and insurance. Understand the benefits and limits of each, and evaluate whether any material gaps in the overall protection scheme exist. (See section 2 below).
b. Consider the nature and extent of the indemnification protections the company intends to provide and make sure the relevant documents reflect those rights, including protections in the event that a director or officer leaves the company, or in the event of the company's insolvency. Think about which groups (such as directors and officers) should receive mandatory indemnification, and consider providing indemnification agreements if the company does not already have them. (See sections 3, 4 and 5 below).
c. Consider "priority" issues--who will be responsible for paying first--in situations where there are multiple sources of indemnification, or if the company files for bankruptcy or is placed into receivership or a liquidation proceeding. Address priority issues in advance. (See section 6 below).
d. Pay attention to the specifics of D&O insurance, and understand the structure of the D&O insurance program. Remember that policy language is critical and that it is negotiable. Understand what the "state of the art" terms and conditions are for the most effective D&O insurance protection. (See sections 7 and 8 below).
e. Review the terms of excess D&O insurance policies carefully. In today's market, D&O insurance products and policy language are available that can protect against outcomes like the one in the Second Circuit's decision involving Commodore. (See section 9 below). Also be vigilant that the company's D&O insurance adequately addresses the risks presented by shareholder derivative litigation, and regulatory investigations and proceedings, whether in the U.S. or foreign jurisdictions.
f. Consider the scope of coverage for cyber liability. Understand the cyber risks facing the company and the extent to which insurance may provide protection in the event of a major cyber incident. (See section 10 below).
g. Review D&O insurance coverage annually with assistance from qualified professionals, including both insurance and legal advisors. (See section 11 below).
2. Look at the whole package of protections.
Most companies rely on a combination of three liability protections for their directors and officers: (a) so-called "exculpatory" charter provisions that limit or eliminate directors' personal monetary liability to the corporation and its stockholders; (b) indemnification, both in charter documents and contractual agreements; and (c) insurance. In evaluating these liability protections, public companies should consider the protections as a package and understand the benefits and limits of each. In discussing the first two, this client alert will focus on Delaware law due to the number of public companies incorporated there.
"Exculpatory" charter provisions adopted under Section 102(b)(7) of the Delaware General Corporation Law and equivalent statutes in other jurisdictions generally insulate directors from liability for monetary damages for breaches of the duty of care, but not breach of the duty of loyalty or actions found to be in bad faith.2 If a complaint alleges only a breach of the duty of care, a 102(b)(7) exculpatory provision adopted by a Delaware corporation (or analogous exculpatory provisions under the corporations laws of other states) provides the basis for dismissing the complaint at the outset of the litigation, while a complaint alleging a breach of the duty of loyalty or conduct in bad faith would proceed to trial. This distinction was readily apparent in two recent decisions from Vice Chancellor Noble of the Delaware Court of Chancery involving the acquisitions of Novell, Inc. and BJ's Wholesale Club, Inc. Both cases involved similar allegations--that the companies' directors breached their fiduciary duties by according favorable treatment to the successful bidders during the acquisition process--but resulted in different outcomes. In the Novell case, the Chancery Court held that the plaintiffs stated a bad faith claim based on the directors' "unexplained, extremely favorable treatment" of the buyer.3 As a result, the Chancery Court refused to dismiss the claim based on the company's 102(b)(7) provision. In the BJ's case, by contrast, the Chancery Court granted dismissal in reliance on the company's 102(b)(7) provision. After observing that an "extreme set of facts" would be necessary to sustain a bad faith claim, the Chancery Court concluded the plaintiffs' allegations of bad faith were "not reasonable in light of the rational explanations for the Board's conduct."
Where directors and officers do face legal expenses or liability, indemnification is, in some respects, the first line of defense. Indemnification is broader than insurance in some respects, so it can provide protection in situations where insurance coverage may be more limited, such as the costs in the early stages of investigations borne by an individual director, officer or employee. However, indemnification is only as good as a company's ability to pay, so indemnification may be unavailable if the company is financially troubled, insolvent or otherwise prevented by law from indemnifying a director, officer or employee. Likewise, a claim in which a company official is found to have obtained an improper personal benefit subject to restitution or disgorgement remedies may not be indemnified--by definition, this conduct is deemed not to be in good faith and in the best interests of the corporation.
A key purpose of D&O insurance is to "fill gaps" where indemnification may be unavailable. One situation where indemnification is not available is in derivative suits, where settlements and judgments in some circumstances may not be indemnifiable under state law because companies would end up paying out amounts recovered by or on behalf of the corporation, but actually paid by the same corporation--in effect, a circular transfer of funds that violates public policy. In April, in what is reportedly the largest-ever cash settlement of a derivative lawsuit, News Corporation's directors and officers settled a series of consolidated derivative actions arising out of the acquisition of a company owned by Rupert Murdoch's daughter and phone-hacking allegations involving reporters and editors at newspapers run by the company. The company's D&O insurance will fund the entire amount of the $139 million settlement, which will be paid over to News Corporation. Other situations where indemnification is not available, and where the company's D&O insurance may "fill gaps," include instances where an individual has not met the standard of conduct (typically good faith) that is a prerequisite to receiving indemnification under state law, and claims under the Securities Act of 1933, which the SEC views as against public policy.
3. Consider in advance what rights to grant.
Companies should carefully consider the nature and extent of the indemnification and advancement protections they intend to provide to their directors and officers and make sure their documents reflect those rights. While indemnification represents after-the-fact payment at the conclusion of a legal proceeding, advancement provides for the payment of legal fees while a proceeding is ongoing. In many instances, the costs of defending a lawsuit are more daunting, as well as more immediate, than the ultimate threat of liability. Advancement fills a critical and significant need for directors and officers by enabling them to defend themselves vigorously.
In recent years, the message from the Delaware courts has been clear: courts generally will enforce indemnification and advancement provisions as written. Delaware courts will construe provisions mandating indemnification and advancement "to the full extent permitted by law" to mean just that. It remains the norm for companies to provide indemnification and advancement "to the full extent permitted by law." However, depending on how a provision is written, the company's advancement obligations may continue even when one of its executives has pled guilty to a crime, until the final resolution of the "proceeding" in question, including all appeals or other post-conviction proceedings. This can result (and has resulted) in situations where companies must continue advancing expenses to "bad actors," despite the seeming incongruity of such a result.4
If both the certificate and bylaws address indemnification, the two documents should be consistent. Otherwise, if there are limitations in one document that do not appear in the other, individuals can simply seek coverage under the broader document. Language in the certificate of incorporation will not necessarily control, as reflected in a 2010 case in which the Delaware Court of Chancery upheld limitations on advancement contained in the company's bylaws, even though the certificate provided directors with a right to mandatory advancement to the fullest extent permitted by law.5 Additionally, indemnification provisions typically contain "non-exclusivity" language stating that rights granted to an individual are not exclusive of indemnification rights granted elsewhere, whether by charter documents, agreement or otherwise.
A similar principle applies to indemnification agreements. An agreement can provide greater specificity, or more expansive rights, than the certificate and bylaws, but the agreement must be consistent with those documents. If the agreement limits rights that directors and officers have under the certificate or bylaws, individuals can simply seek to enforce their rights under those documents. Likewise, indemnification provisions should exclude indemnification and advancement for claims initiated by a director or officer, so it is explicit that there is no coverage in those situations. A broadly drafted provision that grants protection "to the full extent permitted by law" may be viewed as extending to situations where a director or officer sues the company. One important exception to this carve-out is for "fees-on-fees," which are fees incurred in enforcing rights to indemnification and advancement. Modern indemnification provisions typically contain express language stating that directors and officers are entitled to fees-on-fees where they successfully enforce their rights.
It is particularly important for companies to review the indemnification provisions in their charter documents if they do not have indemnification agreements with their directors or officers. As discussed in section 5 below, companies that do not have indemnification agreements should consider whether to add them. However, in the absence of agreements, more detailed provisions in the bylaws are advisable. These provisions would cover matters like the process and time frames for obtaining indemnification and advancement, "appeal" rights in the event the company denies a request for indemnification or advancement, and the right to fees-on-fees. Because the board can amend the bylaws on its own (while shareholder approval is necessary to amend the certificate of incorporation), including these provisions in the bylaws allows the board to review them periodically and update them as appropriate. Additionally, in Delaware, even in the absence of a written indemnification obligation, the Delaware General Corporation Law provides for mandatory indemnification in circumstances where a director or officer successfully defends a proceeding or claim.
4. Consider which groups of individuals get mandatory rights.
A policy question that each corporation must address as a threshold matter is which groups of individuals should receive mandatory indemnification and advancement rights under the corporation's certificate and/or bylaws. Most companies grant mandatory indemnification and advancement rights only to directors and officers and "permissive" rights to employees and agents--that is, the certificate and bylaws permit, but do not require, indemnification and advancement for employees and agents. Broad, mandatory rights can be an important tool in attracting and retaining qualified directors and officers, but extending these rights to employees can result in significant financial obligations for a company, particularly in the event of a major lawsuit or investigation. Permissive rights also preserve flexibility for a company to decide whether, and to what extent, to provide indemnification and advancement based on specific facts and circumstances, including circumstances where an individual's conduct appears to have violated a law, but the claim will require expensive litigation to resolve that question, the costs of which might have to be borne by the corporation. A minority of companies (particularly, older companies and companies in certain industries like manufacturing and consumer products) provide mandatory indemnification and advancement rights to all employees. For these companies, there may be cultural and optical issues associated with limiting or eliminating these rights once they are in place.
Companies also should consider who qualifies as an "officer" for purposes of the indemnification provisions in their charter documents. This is critical at companies that follow the predominant approach of providing mandatory rights only to directors and officers, because officer status entitles an individual to mandatory (rather than permissive) indemnification and advancement. There is limited Delaware case law on the question of who is an "officer" for indemnification purposes, although, at a minimum, this term is likely to encompass positions described in the officer provisions of a company's bylaws. Accordingly, companies should consider which of their "officers" should have mandatory indemnification and advancement rights, particularly at companies that have a large number of officers or positions with officer-like titles. If a company wishes to cover a narrower (or broader) group of individuals than those who are designated as officers by or in accordance with the bylaws, it should consider a definition of "officer" that is specific to the indemnification provisions. Further, whether an individual is deemed an "officer" may have implications for the company's D&O insurance, which will cover officers but not necessarily employees for certain types of claims.
5. Consider whether to provide indemnification agreements.
In recent years, there has been a trend among larger public companies toward adding indemnification agreements. Other public companies continue to rely on provisions in their charter documents and many have updated their bylaws to make them more detailed. Indemnification agreements have a number of advantages over relying exclusively on indemnification provisions in charter documents. Among other things, agreements enable companies to address rights in more detail. An indemnification agreement typically includes definitions of key terms, which offers clarity on the types of proceedings and expenses that are covered. Agreements often outline procedures and time frames for obtaining payment and specify who will authorize indemnification payments, including in specific scenarios like a change of control, although these matters can be addressed in the bylaws. Additionally, the indemnification agreement can include presumptions in favor of indemnification, provisions to empower directors and officers to select among several dispute resolution alternatives, and provisions that permit an award of legal fees, including "fees-on-fees" where an individual is successful in suing to enforce rights under the agreement. The corporation also can contractually agree that indemnification rights are not subject to unilateral amendment or rescission by the company and indemnification agreements may raise fewer enforceability issues because they are bilateral contracts. Finally, indemnification agreements are individual to directors and officers, which may provide a degree of comfort that is not present with a generally applicable certificate or bylaw provision. From the company's perspective, an agreement may limit flexibility because changes, or the adoption of a new agreement, will require the consent of both parties.
For public companies, provisions in the certificate of incorporation also result in limited flexibility because changes to the certificate require shareholder approval. The board can amend the bylaws on its own, but this creates a risk for individuals because their indemnification rights are subject to change without their consent. However, these changes would be prospective only, and would not apply to acts occurring prior to the amendment, unless explicitly authorized in the bylaws.
Companies also should consider who should receive indemnification agreements. Among companies that have agreements, most provide them to both their directors and senior officers, but practices differ. Companies with large numbers of officers often limit indemnification agreements to a group consisting of the most senior executives.
6. Consider "priority" issues in situations where there are multiple sources of indemnification.
Priority issues--that is, who is responsible for paying first--arise in situations where there are multiple sources of indemnification. Following the 2007 Levy case in Delaware,6 which addressed the relative indemnification obligations of a private equity fund and one of its portfolio companies, this issue drew significant attention in the private equity context. Priority provisions and agreements emerged to clarify that portfolio companies would be primarily liable for the indemnification and advancement of expenses to private equity fund representatives serving on portfolio company boards. These types of provisions articulated what had been the widespread expectation prior to Levy: that individuals typically would look to the entity where they are serving as a director or officer as the first source of payment.
Priority issues come up in a number of situations outside the private equity context that are relevant--and even commonplace--for public companies. Directors and officers may serve at any number of outside entities, ranging from subsidiaries and employee benefit plans to joint ventures, industry groups and non-profit organizations. Broad, mandatory indemnification provisions typically state that a corporation will indemnify and advance expenses not only for service at the corporation itself, but also where an individual "is or was serving at the request of the corporation" at "another corporation, partnership, joint venture, trust or other enterprise." However, outside organizations often will have their own indemnification arrangements. Companies should address the possibility of competing indemnification obligations in advance by considering priority issues and taking steps to document the obligations of the respective parties.
The question of responsibility for indemnification also arises in the parent/subsidiary context. Under Delaware law, directors of first-tier subsidiaries are deemed to be serving "at the request of" the parent corporation.7 Therefore, directors of first-tier subsidiaries would be entitled to indemnification by the parent corporation under a broad, mandatory indemnification provision stating that the parent corporation will indemnify and advance expenses to individuals serving "at the request of the corporation" at another enterprise. Outside this context, indemnification for subsidiary directors and officers is not automatic. Subsidiaries may have their own indemnification provisions in their certificates and bylaws. Unless a parent company explicitly grants indemnification rights to directors and officers of subsidiaries, it is unlikely that these individuals would be entitled to indemnification from the parent company.
Similar priority considerations apply with respect to insurance. D&O policies typically extend coverage to the subsidiary level, but companies should understand how that coverage works together with indemnification obligations. Additionally, it is important to review the policy language on coverage for outside entity service and understand the effect of insurance provided by outside entities.
7. Pay attention to the specifics of D&O insurance.
D&O insurance plays an important role by "filling gaps" where indemnification is not otherwise available to a director or officer. In those situations, D&O insurance is the last line of defense, so it is critical that a company's D&O insurance respond to protect directors and officers when it is most needed. This means that companies should pay attention to their D&O insurance, understand what it does and does not cover, and seek to obtain the most favorable terms available in the market at a reasonable price.
D&O insurance is not an "off the shelf" product. The particular insurance carrier's policy form is just the starting point for a D&O insurance policy. Many of the substantive coverage terms appear in "endorsements" that add to or otherwise modify the form. Endorsements can impact coverage in significant ways, so companies should understand the endorsements, and the endorsements should integrate well with the policy form.
Policy language ordinarily is negotiable, with certain coverage enhancements having direct correlation to the premium charged by the carrier. Language matters, and it differs from one policy to the next, and sometimes from one type of industry to the next--depending on the carrier's perception of litigation risks associated with certain industries. Minor wording changes can mean the difference between having and not having coverage, or having significantly more limited coverage. "The devil is in the details," and knowledge of "state of the art" coverage terms available in the insurance market is critical.
8. Understand the structure of D&O insurance programs.
A typical public company D&O insurance program consists of multiple policies: a primary policy and one or more excess layer policies issued by different insurers. This structure allows public companies to obtain appropriate levels of coverage and enables insurers to spread risk.
The D&O insurance program typically provides three types of coverage: (a) "Side A" coverage for directors and officers for "non-indemnifiable" losses--that is, losses for which the company does not indemnify them, either because applicable law prohibits it, or because the company refuses or is financially unable to do so; (b) "Side B" coverage that reimburses the company for indemnification paid to directors and officers; and (c) "Side C," or "entity," coverage that protects the company for securities-related claims brought against it. In some cases, insurance carriers also offer coverage for internal investigations in response to a shareholder derivative claim, subject to a "sub-limit" of insurance amounting to several hundreds of thousands of dollars (often not enough to cover the true legal costs of these investigations).
Additionally, D&O policies often include coverage for non-officer employees. This may be limited to certain types of claims (such as employment and securities), or it may take the form of broader, "co-defendant" coverage that protects employees for any claims where a director or officer also is a party. Finally, D&O policies cover defense costs, which means that substantial legal fees could deplete a policy well before settlement or trial.
One fundamental feature of a D&O insurance program that may come as a surprise to some companies and their directors is that directors share D&O coverage with other parties. This means that claims involving other parties can "erode" or dilute the amount of insurance available for directors, creating the risk that D&O insurance may not be there for the very individuals it was designed to protect--the directors and officers. This reality is inherent in the structure of modern D&O policies, but there are steps that companies can take to maximize the coverage available for their directors. Addressing this issue should be top of mind for companies in evaluating their D&O insurance programs, and it should be a key consideration in determining both the amount and structure of coverage. As an initial matter, it is important to look at whether the overall amount of D&O insurance is likely to be adequate. Although there is no way to predict with certainty how much insurance is enough, factors including company size and industry, potential litigation exposure, and peer group coverage levels are relevant. "Dedicated" Side A coverage, which protects directors and officers only and is not shared with the company, has also become popular in recent years. Among public companies participating in Towers Watson's 2012 Directors and Officers Liability Survey, 83% had some form of additional Side A coverage in 2012.8 The Towers Watson data also indicate that, for larger companies (those with $1 billion or more in market capitalization), the average amount of additional Side A coverage represented between 32% and 40% of total coverage.
A specialized and increasingly common form of Side A coverage--known as "Side A DIC" (difference-in-conditions) coverage--provides even broader protection for individuals and is designed to protect them from catastrophic losses, such as where the company refuses to indemnify them or cannot do so because of bankruptcy, or where an underlying insurer rescinds coverage or becomes insolvent. Not one, but two, of these situations arose in the Commodore case in the Second Circuit discussed at the beginning of this client alert--a company bankruptcy followed by insurer insolvency. In that respect, the Commodore case provides a compelling illustration of why Side A DIC coverage is so important. Another circumstance that aggravated the outcome in the Commodore case was that the company had obtained multiple insurance policies from the same insurers. Commodore's D&O insurance program consisted of a total of nine policies. Four were issued by the insolvent insurers, and two were issued by the insurer that successfully contested coverage in the Second Circuit. Thus, between the insurer insolvencies and the Second Circuit holding, Commodore's former directors and officers ultimately had no coverage under six of the company's nine D&O policies. Although this is an unusual outcome, it illustrates the importance of placing coverage with different insurers to spread risk and minimize the impact of an insurer's insolvency or refusal to pay.
As with traditional Side A/B/C D&O insurance, directors and officers share in a Side A-only policy, so the coverage available to any one director or officer may be diluted by the coverage for other individuals. "Independent director liability" (or IDL) coverage is reserved for outside directors and is intended to address this risk, but it has not become widespread since its introduction several years ago. Accordingly, securing an adequate amount of D&O insurance that includes some Side-A only coverage remains the most common solution for public companies. While specifics will vary from one company to the next, the ultimate goal of the D&O insurance program should be to ensure that there will be a pool of funds available to protect directors and officers.
9. Review excess policy terms carefully, including "trigger" language.
As noted above, a typical public company D&O insurance program consists of multiple policies, which means that the majority of the coverage will come from the excess policies. Accordingly, once a claim exhausts the primary policy, the excess policies will provide the remaining coverage. Most excess policies "follow form" of the primary policy, meaning that they generally provide coverage on the same terms as the primary policy. However, excess policies may, and frequently do, contain different or more restrictive terms that can impact the scope of coverage. These considerations underscore the need for careful scrutiny of excess policies. It should not automatically be assumed that excess policies simply follow all the terms of the underlying insurance. It is important to understand the terms of the excess policies and how those policies work together with the underlying insurance.
The most critical aspect of excess policies is the "trigger" language, which establishes when coverage becomes available under those policies. An excess policy might state, for example, that coverage "attaches" (that is, coverage under that excess policy is triggered) only after the underlying insurance has been exhausted by the actual payment of losses by the insurers. This language can be problematic where an underlying insurer does not pay, whether due to a coverage dispute, insolvency of the insurer or for other reasons. For example, if a company has a $10 million primary policy, settles a claim with the primary insurer for $8 million, "fills the gap" by paying the remaining $2 million itself, and seeks coverage from its excess insurers for amounts in excess of the $10 million limit, coverage may not be available because the policy language stipulates that the insurers must pay up to the underlying policy limits. Similarly, in the Commodore case, where two of the company's insurers were insolvent, the Second Circuit held that two of the remaining, solvent insurers had no payment obligations under their policies based on the policy language, which stated that coverage was triggered only if the insolvent insurers' policies had been exhausted by the payment of claims. With the insolvent insurers unable to pay, the Court held that the limits of their policies had not been exhausted and thus, the other insurers' policies had not been triggered. The Court rejected the argument from the former directors and officers that coverage was triggered because their liability (not the amount of claims paid) exceeded the limits of the insolvent insurers' policies.
Unfortunate outcomes like these have occurred with increasing frequency in recent years. Trigger language in excess policies has become a recurring subject of coverage disputes, with a growing number of cases permitting excess insurers to deny coverage where the insured company settled with an underlying insurer for less than the full policy limits.9 The results in these disputes demonstrate that courts will enforce policy language as written.
In the wake of these cases, some insurers have responded to market demand by modifying policy language so that it explicitly recognizes payments from sources other than the underlying insurers. Well-drafted trigger language should recognize payments from any source, including a "gap filling" payment by the company made to fully exhaust the dollar amount of a particular underlying policy's limits so that the excess layers above that policy can be accessed. Accordingly, trigger language should state that an excess policy attaches after payment of the underlying policy limits, regardless of whether payment is made by the underlying insurers, the company or any other entity, such as a Side A DIC (difference-in-conditions) insurer. Likewise, well-drafted trigger language should not include a "limits shaving" provision. These provisions state that, if an underlying insurer (as opposed to some other party) pays only a portion of its liability limits (such as 75%), then the excess insurer is only responsible for paying the same percentage (75%) of its limits.
As a result of recent litigation involving trigger language in excess policies, today's market generally offers access to better, more comprehensive language. Nevertheless, companies should review the language carefully in evaluating their excess policies.
10. Consider the scope of coverage for cyber liability.
The recent spotlight on cyber security issues has led public companies and their boards to consider what role the board should have in overseeing cyber security matters. This, in turn, has prompted questions about liabilities directors may face for cyber breaches and whether D&O insurance covers those liabilities.
As part of the board's risk oversight function, the board should have an understanding of the cyber risks the company faces in operating its business and should be comfortable that the company has systems in place to identify and manage cyber risks, prevent cyber breaches and respond to cyber incidents when they occur. This should include an understanding of the extent to which the company's insurance may provide protection in the event of a major cyber incident. When the SEC staff issued its October 2011 guidance on disclosures about cyber security risks and cyber incidents,10 the staff specifically mentioned that, where material, one component of appropriate disclosure may be a description of any relevant insurance coverage.
A company's D&O coverage should respond in the event of litigation alleging traditional claims for breach of fiduciary duties related to cyber issues. Accordingly, a claim for oversight liability--alleging, for example, that directors failed to see that the company implemented appropriate systems to manage cyber risks and to oversee those systems effectively--would fall squarely within the D&O policy. For other types of cyber losses--involving both the company and third parties--a number of traditional insurance products (general liability, crime, errors and omissions) may provide some coverage, but this will depend on the policy terms. With the growing focus on this area, insurers have begun offering policies that are specifically designed to address cyber losses. While cyber insurance is evolving, it typically provides coverage for losses that the company incurs in responding to a cyber incident, such as the cost of notifying customers of a data breach, and claims brought by third parties, such as customers alleging unauthorized disclosure of their data.
11. Review D&O insurance coverage annually with assistance from qualified professionals.
D&O insurance should be reviewed annually. Changes in both the external environment and the D&O insurance market may warrant changes in coverage. In the current environment, litigation defense costs and pre-litigation investigation costs continue to rise and litigation from M&A transactions has increased to the point where post-deal lawsuits are a virtual certainty. For the first time in several years, companies renewing their D&O insurance can expect higher premiums and the possibility of restrictions in coverage terms. Investigations remain a significant exposure for companies, so investigations coverage has become an area of particular focus and has begun evolving to meet the demand for insurance to respond at earlier stages in the investigative process. Companies with significant international operations increasingly are evaluating whether their D&O policies will respond to claims brought in foreign jurisdictions and considering the need for some form of "local" D&O coverage issued by in-country insurers. The laws of some countries require the purchase of local policies while there is uncertainty about the status of traditional D&O policies under the laws of other countries. All of these developments illustrate the importance of reviewing D&O coverage annually.
Due to the complexity of policy language and the issues involved, expert advice from qualified professionals is important in obtaining a thorough understanding of the coverage available under a company's D&O insurance program. These professionals should include both insurance and legal advisors, as each group brings different skills and experience to the table. Many boards of directors seek comprehensive analyses of their companies' D&O insurance programs, undertaken with the assistance of experts, at the time of initial purchase or renewal of D&O insurance coverage.