ESG and Cyber Are Fueling Class Actions. Why D&O Risk Selection Is Gaining New Gravity

As ESG and cybersecurity threats rise, so too do D&O risks.
November 17, 2023

Environmental, social and governance (ESG) risk is now a growing concern for businesses and their executives.

As companies come under increasing scrutiny and pressure from their shareholders, clients and activists to meet a fast-growing environmental agenda, the potential for securities class action lawsuits is also heightened.

The other major exposure that has come into sharp focus is cyber liability, as ransomware attacks and social engineering fraud have escalated in both frequency and severity over the past 12 months; more than one-third of respondents to Allianz’s risk barometer survey cited it as the most important business risk in 2023.

In addition, biometric data hacking has been on the rise as criminals have become ever bolder and more sophisticated in their methods.

Yet, as a whole, rates in the professional liability market have continued to decrease for consecutive quarters, and some lines are down by as much as 10 to 20% from a year ago, according to Risk Placement Services (RPS).

That is predominantly due to the influx of new market entrants over the past year, resulting in record capacity and intense competition, putting greater downward pressure on rates.

“Currently, ESG is at the forefront in terms of the biggest risks facing companies in the professional liability space,” said Mark Butler, vice president of underwriting at AmTrust EXEC.

“ESG-related litigation has accelerated over the last few months as the matter comes under the increasing scrutiny of the Securities and Exchange Commission (SEC). The breadth of disclosures directly and indirectly linked to ESG required of executive management has also increased.”

Even issues that seemed peripheral in the past have taken center stage. For example, firms have been sued for breach of fiduciary duty relating to their social and environmental investment strategies as shareholders dig deeper into their public statements and disclosures.

As a result, there has been a big increase in allegations of greenwashing and of backtracking on initial agreements and promises being made against companies. Of particular interest have been corporate disclosures on issues such as extreme weather and other environmental concerns, as well as social, diversity and inclusion matters.

Growing Cyber Risk

The SEC has also been driving the cybersecurity agenda; its July ruling on mandatory cyber disclosures requires additional reporting of material threats and activity. The end result is that companies found to be in breach of these requirements are exposed to a host of fines or penalties, as well as class action lawsuits.

“Cyber has become such a huge systemic risk for clients,” said James Beatty, Marsh’s U.S. FINPRO practice leader. “All it takes is that one breach or network security failure for a whole company to be brought down.”

The rise in cyberattacks has resulted in a spike in D&O claims as investors increasingly hold directors and managers to account for their decisions and actions. That is borne out in the fact that additional business interruption and operating costs arising from IT outages or service disruptions can materially affect a company’s stock price, and management may be held directly responsible for these economic losses.

“Cyber continues to be a growing concern for many companies,” said Manny Cho, executive lines practice leader at RPS. “The use of technology in every business has increased the risk and exposure that every company faces for potential cyberattacks.”

While biometric data usage may still be in its relative infancy, how that data is used and protected is fast becoming a deeper concern for firms. Although Illinois’ Biometric Information Privacy Act has been around for only 15 years, a large number of claims have already been filed under it, and as increasing numbers of regulations are brought out to protect consumer and employee data across the country, the risk is only magnified.

In terms of rates, while they have generally fallen in professional liability, particularly in excess public directors and officers (D&O), there have been some areas where they have held firm. These include medium to large private D&O and some not-for-profit D&O business, where premiums are flat or 5 to 10% down at renewal.

“The market for D&O right now is as good as it has ever been,” said Beatty. “The days of $25 million primary limits may have gone, but the amount of excess capital available and the London wholesale marketplace becoming more robust have resulted in an increasingly competitive D&O market.”

Class Action Litigation

Class action lawsuits reached a historic high in 2020 before tapering off, largely because the courts were closed due to COVID-19 and the way merger objection claims were brought.

But they are starting to creep up again this year, in line with pre-pandemic levels, in the form of COVID-related and special purpose acquisition company litigation, as well as cyber and biometric data lawsuits — a trend that looks set to continue. That’s evidenced by the fact that 48 cases were settled for a total of around $1.4 billion in the first half of 2022 alone, exceeding the 10-year average, according to AM Best.

Added to that, social inflation continues to gain traction, with longer drawn-out legal proceedings and higher jury awards that translate into greater claims costs. Those added expenses are expected to be borne out in higher primary retentions and rates throughout the insurance tower in the coming years.

Litigation financing has also fueled a sharp rise in claims and defense costs. As a result, many insurers have responded by tightening their limits, updating terms and conditions or pulling cover altogether.

In response to these ever-increasing emerging risks, companies need to be more rigorous in their risk mitigation practices. That includes carrying out a comprehensive assessment of their cyber liability risks, risk appetite, systems, and policies and procedures, in addition to beefing up their network security and privacy by putting in place controls such as multi-factor authentication.

“Insureds need to be tapping into technology, reassessing their cyber controls,” said Butler. “They need to be extremely thorough when it comes to assessing and selecting the right insurance broker that is suited to their specific enterprise and needs.”

Given that D&O and cyber policies cover different risks, it’s also vital for firms and individuals to understand exactly what each one will protect them against. That’s why having a broker who can guide them through the policy and its language is paramount.

Alex Wright is a UK-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda.