Performing a directors and officers (D&O) insurance audit is a complex exercise that is made more difficult by constantly shifting language, new rulings and claim trends. While much of the policies’ language and terms has remained fairly constant over the years, here are six areas of new or renewed interest that buyers and their brokers will want to pay attention to.
Because cyber-related litigation has been quiet, there is little case law at the moment testing courts’ interpretations of D&O policies, so it is difficult to determine the adequacy of coverage provided by existing policy language. Generally speaking, D&O policies are not crafted with cyber risks in mind, so many policies may contain problematic language, such as the definition of “wrongful acts.” However, some carriers are going in the opposite direction and are purposefully applying specific cyber-related exclusions to their policies with the intent of pushing the exposures to more appropriate cyber policies.
Cyber policies have still not entirely adjusted to modern cyber risk, and these exclusions are not yet industry standards, so buyers should, when able, avoid D&O policies that contain cyber exclusions. While most policies lack such language, many carriers have included somewhat watered-down wording by adding “privacy events and/or invasion of privacy” within the broad bodily injury exclusions. While this language is not as crippling as an explicit cyber exclusion, buyers should still attempt to negotiate its removal.
Many professional liability experts also believe broadly worded terrorism exclusions may have the ability to negate coverage for cyber events with the belief that they will be classified as cyber-terrorism. To address the terrorism exclusion, buyers should ask the carriers to “except” (thus, carving back) cyber-related claims.
Lastly, while it may be obvious, brokers should advise buyers on the importance of placing separate cyber insurance while also highlighting the intricate coverage differences among them. The same level of attention that is given to grooming D&O coverage should be given to grooming cyber proposals/policies. This includes careful review of policy definitions, terms, conditions, exclusions, etc.
Professional Services Exclusion:
Along with the contractual exclusion, the professional services exclusion is consistently cited as one of the most sweeping and problematic exclusions for insureds. Broad professional service exclusions typically preclude coverage for claims “for, based upon, arising from or related to” errors, acts and omissions while providing professional services. This exclusion is particularly problematic for service firms because almost any claim can be “related to” their providing of professional services. However, this exclusion is also becoming increasingly problematic for many businesses because so many businesses today provide some level of services (from consulting to technology services). For tech companies, in particular, this exclusion has the potential to preclude coverage for cyber-related claims, as many of the tech services provided may be considered “professional services” by the carrier.
When negotiating this exclusion, buyers should ask the carriers to replace the term “for, based upon, arising from or related to,” with, simply, “for.” Such an amendment effectively carves out the errors and omissions exposure the carrier intends to exclude while still preserving coverage for “true” D&O claims.
The conduct exclusions are one of the (if not the) most visited exclusions within D&O policies. While not much has changed in terms of recommendations to D&O buyers, we have noticed a number of carriers whose policies still contain less-than-preferred language. To avoid coverage being denied for unintentional wrongdoing, the conduct should be specifically stated as “deliberate, willful and intentional.” Sufficient severability language should also be included to protect innocent directors.
The area where we still see many carriers lacking is in the “ruling language.” For purposes of providing coverage for innocent actors and claims without merit, the carrier should agree to provide defense costs until a final determination is made. More specifically, though, that final “determination” should be in the form of a “final adjudication in the underlying action.” While much of it may seem like a matter of semantics, final rulings/judgments are NOT the same as “final adjudication,” which is required by the courts. In addition, the language should specifically state that that determination be made in the underlying action to prevent the carrier from arguing that wrongdoing found by those outside the courts (such as regulators) nullifies coverage.
JOBS Act/Securities Exclusion:
Startups and companies looking to raise equity have a new reason to be excited. The JOBS Act provides an avenue for significant growth without all of the time and compliance costs imposed by the strict reporting and disclosure obligations that come with an IPO. And with the new regulation A+, the ceiling has been lifted, allowing a significant capital raise while still remaining private.
Those same attractive features, however, also carry some increased risk. The potential for fraud (and accusations of fraud) is considerably higher because of the lack of transparency. Additionally, private companies purchasing D&O may find a somewhat hidden surprise in the broad securities exclusions that almost entirely eliminate coverage for crowdfunding-related claims.
While many insurers have been somewhat slow to react, many others responded expeditiously by either adding a separate endorsement or revising their exclusion to carve back coverage for claims that are related to securities and qualify under the JOBS Act. Any companies considering a crowdfunding campaign or raising any equity under crowdfunding regulations should exercise extra diligence when reviewing their D&O insurance to ensure the carrier has appropriately provided coverage for such claims. This includes smaller companies, which may wrongly believe they are less prone to crowdfunding claims. The case against Quest from 2011 demonstrates that these claims can arise over seemingly simple fee disputes.
Lastly, organizations should also avoid any carrier-imposed sub-limits for crowdfunding-related claims, paying close attention to the adequacy of such limits when they are unavoidable.
Entity vs. Insured Exclusion:
The insured vs. insured exclusion is almost as old as D&O itself. To alleviate some of the concerns related to the “I vs I” exclusion, many carriers today have adopted a more modern alternative replacing it with an “entity vs. insured” exclusion. While this substitution is preferred and does seem to solve many of the unintended consequences, it still deserves careful review. The most obvious carve-back that buyers and their brokers should seek is coverage for derivative claims brought on behalf of the organization. Because of their derivative nature, insureds should also negotiate a carve-back for bankruptcy claims brought by trustees and debtors in possession. Additionally, buyers should review the definitions of insured and organization/entity to ensure bankruptcy trustees and debtor-in-possession are also included as insureds.
Regulatory Proceedings and Investigations:
Coverage for regulatory/administrative proceedings and investigations has always been of interest for buyers but remains difficult to obtain. Informal regulatory proceedings and investigations against the entity itself are the most difficult to insure against.
With cyber whistleblower claims beginning, regulators are capitalizing on their success with more “traditional” whistleblower claims, and coverage for government investigations is quickly becoming a topic of renewed interest. Over the past few years, many carriers have begun to provide coverage for informal investigations and regulatory/administrative proceedings against individual directors and officers. Additionally, private companies may be able to obtain coverage for formal investigations and proceedings against the entity itself. It should be noted that, for purposes of reviewing and grooming coverage, administrative/regulatory proceedings and investigations are not synonymous.
Some carriers have also been implementing standard coverage for FCPA fines/penalties against individuals. The ability to obtain a policy with such language does not necessarily mean the policy will respond, though. There are a number of additional items that require review, such as claim definitions that require “wrongful act” accusations to trigger the regulatory coverage (which should be avoided).