Recent D&O Claims Developments

The D&O claims environment is now in an unusually uncertain state. A fragile U.S. economy, a struggling global economy, high inflation and interest rates, a tight labor market, the collapse of several large crypto firms, and unpredictable fuel costs will likely create a material increase in D&O claims activity in a wide variety of industries. As an example of the financial challenges now faced by a growing number of companies, a Cornerstone study reported that the number of large corporate bankruptcy filings in the first half of 2023 exceeded the total number of filings for all of 2022.

Added to this uncertainty is the Biden administration, which is proposing and implementing an increasing number of important regulations, is more aggressively pursuing regulatory enforcement proceedings, and is supporting wide-ranging social reforms. Those initiatives seem likely to directly or indirectly impact, at least to some extent, the nature, frequency and severity of D&O claims in various contexts.

The following summarizes many of the more important recent legal developments involving D&O claims. During these uncertain times, it is especially important for those who advise and insure directors and officers to carefully monitor and react to these and other developments.

  1. Securities Class Action Litigation. In 2023, the frequency of new federal securities class action litigation filings increased by 11%, ending a four-year decline in filings from 2019 to 2022. The technology and finance sectors accounted for a combined 40% of those filings. Merger objection suits remain very low, continuing a trend that began in 2021 when plaintiff lawyers began filing such suits as single-plaintiff cases rather than as class actions, thereby allowing the plaintiff lawyer to settle the case for a so-called mootness fee (without the need for court approval) following modest additional disclosures by the company.

The 2023 median settlement value in securities class actions was about the same as 2022, although the average settlement value increased by 17% due to several very large settlements.

The following summarizes many of the recent substantive developments in securities class action litigation:

  1. Since 2019, four separate securities class actions involving D&Os have settled for more than $1 billion each. See VEREIT, Bausch Health (fka Valeant), Dell Technologies and Wells Fargo settlements. These 10-figure settlements can no longer be considered isolated but suggest a trend toward dramatically increased settlement amounts in at least the most severe cases. An increase in settlement amounts in more modest cases has also occurred to some extent, probably reflecting in part a trickle-down from these huge settlements.
  2. The traditional belief that securities class actions which survive a motion to dismiss are largely indefensible as a practical matter is being challenged by some recent developments. For example, in February 2023, Elon Musk and other Tesla executives successfully defended at trial a securities class action lawsuit involving Musk’s 2018 tweet that he had “funding secured” to take Tesla private. An actual trial in a securities class action is quite rare, so some commentators have predicted an increase in these trials following Musk’s victory. That is very unlikely, though, because very few directors and officers have sufficient personal resources to bear the risk of a catastrophic judgment, which likely would not be insured (due to the conduct exclusion in D&O policies) or indemnified by the company (due to the failure to satisfy the standard of conduct in most indemnification statutes).

In August 2023, the Second Circuit decertified a class of investors who sued Goldman Sachs, thereby effectively ending a more than 10-year-old securities lawsuit. The ruling was based on a 2021 U.S. Supreme Court ruling in the same lawsuit which instructed lower courts, when deciding whether to certify a class in securities litigation, to examine actual facts (not just allegations, which is the standard for motions to dismiss) to determine if the alleged misstatements had a material impact on the company’s share price. The ruling creates new hope that at least some securities class actions can be defeated at the class certification stage even if the defendants’ motion to dismiss is denied. For example, in February 2024, the Federal District Court of Delaware refused to certify a class in a securities class action against M&T Bank Corp., concluding the plaintiffs failed to present evidence establishing loss causation and transaction causation during the class period. However, some courts continue to certify securities class actions despite the Goldman Sachs precedent. For example, (i) in January 2024, a New Jersey Federal District Court certified a class in a securities class action lawsuit against Johnson & Johnson, ruling that the defendants failed to completely rebut the presumption of price impact by a preponderance of the evidence, (ii) in February 2024, a California Federal District Court certified a class in securities litigation against Talis Biomedical, and (iii) in 2023, an Ohio Federal District Court certified a class in securities litigation against FirstEnergy. Several of these recent decisions are now on appeal.

  1. Crypto-related securities litigation has been described as the new frontier in securities fraud litigation. In 2023, the number of crypto-related securities class action filings declined by 28% compared to 2022. But, because these cases present unique legal issues, including the fundamental question of whether cryptocurrency tokens are securities, the future impact of crypto-related cases on the D&O insurance industry is hard to predict both from an exposure and coverage standpoint. For example, entity coverage under public company D&O policies only applies to “Securities Claims” and private company D&O policies usually contain exclusions for certain types of securities claims.

  1. SEC Enforcement. In addition to private securities litigation, D&Os need to also be concerned about SEC enforcement activity. The SEC is increasing its focus on holding directors and officers accountable in a variety of contexts. The three main factors which create concern for D&Os in this context are summarized below.

First, the revolving leaders at the SEC’s Division of Enforcement have repeatedly stated that “individual accountability” is one of the Division’s “core principles,” and that “pursuing individuals has continued to be the rule not the exception.” This includes being more aggressive with “gatekeepers” (including directors and officers), such as requiring defendants in certain enforcement action settlements to admit wrongdoing rather than merely “neither admit nor deny” wrongdoing, which has been the norm for decades. Approximately two-thirds of the SEC’s cases in FY23 involved charges against individuals, and the SEC obtained 133 orders barring individuals from serving as officers and directors of public companies (which was the highest number in a decade).

Second, during its 2023 fiscal year, the SEC received over 18,000 whistleblower reports, which was a record. This increased frequency of whistleblower reports to the SEC appears to be attributable to two recent developments. In February 2018, the U.S. Supreme Court held in the Digital Realty Trust, Inc. case that the Dodd-Frank Act’s provision which protects whistleblowers against retaliation only applies to whistleblowers who report to the SEC, not to whistleblowers who report internally within their company. As a result, whistleblowers are now highly incentivized to report their complaints to the SEC. In addition, the size of whistleblower bounty awards from the SEC has increased significantly, thereby encouraging more whistleblower reports. In its 2023 fiscal year, the SEC paid a record $600 million to whistleblowers, including a record $279 million to one whistleblower (which was more than double the previous record and which was in addition to other large awards of $28 million, $18 million and $12 million in 2023).

Third, SEC enforcement actions can be particularly problematic for D&Os because they frequently last a long time and usually cannot be resolved at the same time as parallel securities class action and shareholder derivative litigation. As a result, a sufficient amount of the company’s D&O insurance limits should be preserved following a settlement of the private litigation to fund the ongoing and potentially very large costs in the SEC action.

The SEC’s impact on D&O exposures is not limited to enforcement actions. An increasing number of proposed SEC rules relating to a wide variety of topics will likely increase both SEC and private actions against D&Os. For example, in fiscal year 2022, the SEC proposed nearly 30 new rules, which is more than the number of new rules proposed during each of the preceding five fiscal years.

Three recently adopted SEC rules are particularly important for directors and officers. First, in October 2022, the SEC adopted final rules to implement the compensation clawback provisions in §954 of Dodd-Frank. Pursuant to the new rules, any executive officer of a publicly-traded company that restates its financial statements must repay to the company any incentive-based compensation received by the officer during the three years prior to the restatement, regardless of whether the executive committed any wrongdoing or knew of the facts underlying the restatement. Importantly, the new rules prohibit the company from indemnifying the executive or purchasing insurance for the amount of the clawed back compensation, although executives who did not cause the restatement may personally purchase insurance for their clawback liability.

Second, in July 2023 the SEC adopted final rules requiring enhanced disclosures of cybersecurity incidents and risk management, which are briefly discussed on page 11 below.

Third, massive new rules regarding climate change disclosures were adopted in March 2024. See page 13 below.

These attempts to use disclosure rules to address social issues are controversial and are being attacked in the courts (with some initial success) based on arguments that the rules are outside the SEC’s legal authority and are arbitrary and capricious.

  1. Derivative Suits. Historically, shareholder derivative lawsuits (which are cases brought by shareholders on behalf of a company against D&Os seeking damages incurred by the company as a result of alleged wrongdoing by the D&Os) have presented relatively benign exposures. Although frequently filed in tandem with a more severe securities class action, derivative suits usually have been dismissed by the court or settled for relatively nominal amounts because of the strong defenses available to the D&O defendants. For example, a committee of independent directors who were not involved in the alleged wrongdoing may determine that prosecution of the derivative suit on behalf of the company is not in the company’s best interest, in which case the court may dismiss the case. Likewise, the defendant D&Os usually have several strong defenses in the derivative suit, including pre-suit demand requirements, the business judgment rule, state exculpation statutes, and reliance on expert advisors.

Despite these procedural and substantive defenses, an increasing number of derivative suits are now settling for large amounts. The following summarizes many of the more recent “mega” derivative settlements.

 

| Company | Type of Incident | Derivative Settlement |
| --- | --- | --- |
| Tesla | Excessive executive compensation | $735 million of returned cash and equity compensation |
| Wells Fargo | Widespread improper consumer banking practices | $320 million |
| Alphabet | Alleged culture of sexual discrimination/harassment and mishandling of complaints against senior executives | $310 million diversity and equity fund for governance reforms |
| Renren | Transfer of company assets to privately owned company at undervalued price | $300 million |
| VEREIT | Financial statement errors | $286 million |
| Activision Blizzard | Executive officers unfairly acquired a controlling interest in the company | $275 million |
| Boeing | Alleged breach of the Board’s safety oversight duties resulting in crash of two Max 737 aircraft | $237.5 million |
| FirstEnergy | Executives bribed state officials | $180 million |
| McKesson | Opioid-related wrongdoing | $175 million |
| CBS/Paramount | Allegedly unfair merger terms | $167.5 million |
| News Corp. | Relative of majority owner personally benefitted from acquisition of company; company’s employee journalists used illegal reporting tactics | $139 million |
| AIG | Allegedly fraudulent $500 million reinsurance transaction to mask company losses | $150 million |
| Freeport-McMoRan | Merger fraught with allegations of sweetheart deals and self-dealing | $137.5 million |
| Cardinal Health | Opioid-related wrongdoing | $124 million |
| Oracle | $900 million in insider trading in advance of disappointing earnings announcement | $122 million |
| Broadcom Corp. | Options backdating scandal that resulted in $2.2 billion write-down | $118 million |
| Altria Group Inc. | $12.8 billion investment in vape manufacturer Juul | $117 million (including $100 million for programs to combat underage nicotine use) |
| AIG | Allegation that company paid sham commissions to a closely-held insurance agency | $115 million |
| L Brands | Alleged sexual harassment and toxic workplace | $90 million governance reform fund plus $21 million attorney fee award |
| 21st Century Fox | Allegedly rampant sexual harassment by former Fox executives | $90 million |
| PG&E Corp. | Gas Line Explosion | $90 million |
| Del Monte Foods | Leveraged buyout of company by private equity firms | $89.4 million |
| Pfizer | Off-label marketing of drugs resulting in federal investigations and claims under the False Claims Act | $75 million |
| Bank of America | Acquisition of Merrill Lynch based on allegedly false statements about Merrill’s losses | $62.5 million |

 

A number of factors appear to be contributing to this troubling trend of large derivative suit settlements, including:

  • Caremark Erosion. One of the primary substantive defenses for D&Os in many derivative lawsuits is the so-called Caremark defense, which in essence says D&Os are not liable for lack of oversight of company operations absent the director or officer engaging in self-dealing, having a conflict of interest or committing gross dereliction of his or her duty (i.e., acting in bad faith). A series of decisions issued over the last few years from Delaware courts suggests an erosion of this important defense, at least in derivative lawsuits involving public health and safety issues or egregious workplace behavior. For example, Delaware courts have not applied the Caremark defense in recent derivative lawsuits involving listeria-tainted ice cream (2019 Marchand case), 737 Max airplane crashes (2021 Boeing case) and opioid anti-diversion obligations (2024 AmerisourceBergen case and 2023 Walmart case).

But Delaware courts have more recently applied the defense in other less alarming derivative oversight lawsuits, such as the 2021 Marriott and the 2022 SolarWinds cases involving a cyber breach, the 2023 Segway case involving financial reporting issues, and the 2024 Walgreens case involving the company’s prescription management system. In the SolarWinds case, the Delaware Chancery Court recognized Caremark oversight claims have recently “bloomed like dandelions after a warm spring rain,” but those claims “remain, however, one of the most difficult claims to clear a motion to dismiss.” In the Segway case, the Delaware Chancery Court similarly confirmed a valid oversight claim exists only in “the extraordinary case where fiduciaries’ ‘utter failure’ to implement an effective compliance system or ‘conscious disregard’ of the law gives rise to corporate trauma.” Likewise, in the Walgreens case, the Delaware Chancery Court expressed concern about oversight claims being “reflexively filed” whenever a company “encounters an adverse circumstance,” thereby weakening the core protections of the business judgment rule and draining resources from the company the derivative plaintiffs purport to represent. Instead, a valid oversight claim should be a “rare event” according to the court.

The derivative litigation against McDonald’s directors, CEO and Chief People Officer involving company-wide sexual harassment allegations demonstrates the changing and confusing legal landscape today regarding Caremark claims. In January 2023, the Delaware Chancery Court refused to dismiss the claims against the executive officers, finding for the first time that officers have the same oversight duty as directors and the officers’ alleged wrongdoing in this case was sufficiently egregious to survive the Caremark defense because the officers directly participated in the company’s sexualized culture. But, two months later, the Court dismissed the oversight claims against the directors even though the directors knew about the sexual harassment allegations. Because the directors responded to the problem (albeit insufficiently), the Court determined the directors’ conduct did not constitute bad faith and thus dismissed the claims.

  • Duplicate Lawsuits. Unlike most securities class actions which must be litigated in federal court, derivative litigation is usually filed in state court. Also, unlike securities class action litigation, there is no mechanism to consolidate multiple derivative lawsuits into one state court proceeding. As a result, multiple derivative cases, each prosecuted by a different plaintiffs’ firm, will often proceed in different courts, even though all of the lawsuits assert essentially the same claims on behalf of the company. This results in higher defense costs, inconsistent court rulings in the parallel cases, and the potential for higher settlement amounts to resolve all of the lawsuits.

A forum selection clause in a company’s bylaws is an increasingly important tool to avoid such duplicate derivative lawsuits. Under relatively new statutes in Delaware (Section 115, Delaware General Corporation Law) and a few other states, public companies chartered in those states may adopt a forum selection bylaws provision which requires all proceedings relating to internal affairs of the company (such as derivative suits) to be filed and adjudicated only in the state designated in the bylaws. Such forum selection bylaw provisions (which are different than the federal forum selection bylaw provisions discussed above for securities claims under the 1933 Act) can prevent multiple derivative lawsuits being prosecuted in multiple and hostile forums. The Seventh and Ninth Circuits recently issued conflicting opinions regarding the enforceability of such a state forum selection bylaws provision if the derivative suit includes claims for false proxy statements in violation of Section 14(a) of the Securities Exchange Act. The Seventh Circuit held the provision is invalid as to Section 14(a) claims because such claims must be brought in federal court (i.e., plaintiffs would be precluded from asserting Section 14(a) claims in a derivative suit if the state forum selection provision is enforced). But the Ninth Circuit upheld the enforceability of the provision even with respect to Section 14(a) claims.

  • Exculpation of Officers. A recent development that may appear to moderate the liability of officers in derivative lawsuits in fact will likely have little if any impact. Effective August 1, 2022, the Delaware exculpation statute for directors in Section 102(b)(7) was amended to also apply to officers. But, unlike the exculpation of directors, the exculpation of officers does not apply to claims by or on behalf of the company (including derivative lawsuits). The exculpation exists only if the company’s charter is amended to implement the exculpation. About 300 public companies have reportedly adopted such a charter amendment to date. The process used to adopt those charter amendments has resulted in several lawsuits in 2022 and 2023 by certain classes of shareholders who contend they were wrongly denied the opportunity to vote on the proposed amendment.

  1. Criminal Proceedings. In recent years, regulators, prosecutors and commentators have repeatedly discussed the importance and purported commitment by the government to hold executives criminally accountable for wrongdoing. In the aftermath of the financial crisis in the late 2000s, there was a large public outcry for the prosecution of responsible individuals. Regulators and prosecutors both then and now repeatedly express the importance of creating individual and corporate accountability through criminal prosecution of executives. During the Trump administration, these statements were little more than rhetoric. But, beginning in late 2021, the Biden administration announced a series of new actions intended to reinforce the Department of Justice’s “unambiguous” prioritization of individual accountability in corporate criminal matters, including a return to the so-called Yates Memorandum and other Obama-era initiatives.

However, the prosecution of white-collar crime remains surprisingly infrequent, particularly with respect to directors and senior executives of large public companies where decisions are often made “by committee” without clear attribution to one or a few individuals who possess the necessary intent to violate the law. In addition, prosecutors often have limited resources and usually only bring cases they believe they can win. As an example of these challenges, in January 2021, a federal appeals court overturned the convictions of four former executives of Wilmington Trust, which was the only financial institution criminally charged in connection with the federal bank bailout program following the 2008 financial crisis. Similarly, in late 2021 a jury found the CEO of Iconix Brand Group not guilty of fraudulently booking $11 million of revenue, although a year later another jury convicted him of related charges in a separate proceeding.

Despite these challenges, numerous recent examples demonstrate that criminal exposure for executives is very real in several circumstances.

First, even in a large public company, senior executives who have direct responsibility for matters which create spectacular losses can be incarcerated. For example, in the last few years the former CEO and COO of SCANA pled guilty to defrauding customers and others with respect to a failed $9 billion nuclear construction project; the former CEO of SAExploration and the former CFO of Roadrunner Transportation Systems were sentenced to three years and two years in prison, respectively, for their roles in fraudulent accounting schemes at their companies; the former CEO (Elizabeth Holmes) and former COO of Theranos were convicted of securities fraud and sentenced to 11 years and 13 years in prison, respectively; the former CEO of cryptocurrency company FTX (Sam Bankman-Fried) was convicted in 2023 of multiple counts of fraud and sentenced to 25 years in prison; and the former CEO of cryptocurrency company Binance Holdings pled guilty to violation of the Bank Secrecy Act by failing to adopt anti-money laundering policies and was sentenced to four months in prison.

Second, lower-level executives who more easily can be shown to have knowingly participated in criminal wrongdoing are more frequently prosecuted than senior executives. From 2005 to 2021, the percentage of criminal cases against companies that also included charges against directors or senior executives dropped from nearly 73% to about 25%. Examples of charges against mid-level executives since 2020 include: (i) the former medical director of Indivior PLC pled guilty to criminal charges relating to the company’s marketing and sale of opioid drugs (following a similar plea by the company’s former CEO), (ii) six mid-level executives of Citgo were convicted in Venezuela of corruption charges, (iii) the Senior Vice President of Governmental Affairs of ComEd pled guilty to charges involving the bribery of governmental officials, (iv) an executive of Sandoz, Inc. pled guilty to price-fixing charges involving generic drugs, (v) a former executive of Netflix was convicted of money laundering and bribery for accepting stock options, cash and gifts from third-party vendors in exchange for lucrative contracts with the company, and (vi) the former controller of a small insurance company pled guilty to a fraud scheme which diverted $6 million of company money to his personal accounts.

Third, individuals who are senior executives (and also large owners) of smaller companies are easier targets of criminal charges because of their more intimate knowledge of company operations. For example, in 2023, (i) the founder and former CEO of Nikola was sentenced to four years in prison for securities fraud following the company’s IPO in which the defendant allegedly lied about “nearly all aspects of the business;” (ii) the former CEO of a drug cooperative was convicted of trafficking opioids to “bad pharmacies” and “bad doctors;” (iii) the COO of a company that operates a hydroelectric dam pled guilty in connection with a spill of pollutants into a local river; (iv) the CEO of a small clean-energy company was convicted of defrauding investors and forging documents to raise money for personal purchases; (v) the CEO of a software startup pled guilty to wire fraud and securities fraud in connection with a $100 million stock offering; (vi) the founder of a brand-licensing company was convicted of securities fraud involving a sophisticated accounting scheme to add $11 million in sham revenue to the company’s financial statements; and (vii) the CEO of a biotech company pled guilty to securities fraud in connection with his company’s false claims during the COVID pandemic that it developed a new blood-based test for COVID-19. In 2024, (i) the CEO and founder of a software company was sentenced to 18 months in prison and assessed a $1 million fine for inflating the company’s financial statements in connection with a securities offering that raised $60 million; (ii) the CEO of a clean energy company was sentenced to six years in prison following his conviction for defrauding investors out of $1.1 million; (iii) the former CEO of a dental device company pled guilty to defrauding investors out of $10.7 million; and (iv) the CEO of a cryptocurrency company pled guilty to violating the Bank Secrecy Act by not adopting policies to prevent money laundering.

These criminal prosecutions are based on an increasing number of legal theories. For example, in 2023 a jury convicted two executives of an appliance sales and distribution company for failing to report to the federal Consumer Product Safety Commission defects in dehumidifiers sold by their company. The case reportedly was the first time executives were prosecuted under the Consumer Product Safety Act.

  1. Cyber Claims. Unquestionably, cyber-related losses and claims are one of the most troubling future exposures for companies. It is virtually impossible for companies to prevent cyber attacks. Loss mitigation, rather than loss prevention, seems to be the only strategy available for most companies.

Surprisingly to some, the liability exposure of directors and officers for cyber-related claims is less predictable. Prior to 2017, no cyber-related securities class action lawsuits were filed even with respect to very large and highly-publicized cyber intrusions at large companies. More recently, plaintiff lawyers have filed a growing number of such securities class actions, including cases against Marriott, Chegg, Google/Alphabet, FedEx, Capital One, First American Financial Corp., SolarWinds, Yahoo!, Equifax, Telos, Okta and their D&Os. These cases are still somewhat uncommon despite the large number of companies which experience data breaches because in most cyber attack situations, the company’s stock price does not materially drop following disclosure of the attack. But, if there is a material stock drop following disclosure of the cyber breach, a securities class action is likely, and those securities class actions can be expensive, particularly if the company failed to promptly disclose the breach. For example, the Alphabet (Google) securities class action litigation, which was related to a software flaw that allowed outside developers to access personal data of 500,000 users of the Google Plus social media site, was settled in February 2024 for $350 million; the Yahoo! cyber-related securities class action litigation was settled in March 2018 for $80 million while a motion to dismiss was pending; the Equifax data breach securities class action litigation was settled in 2020 for $149 million; and the SolarWinds data breach securities class action was settled in 2022 for $26 million.

It is far from clear whether these cases will ultimately be successful on a widespread basis. Most of these securities class action lawsuits have been dismissed, primarily because the plaintiffs failed to sufficiently allege (i) the defendants acted with the requisite scienter (i.e., plaintiffs did not allege facts showing the defendants knew the size or impact of the breach at the time of the allegedly incorrect disclosures), (ii) either a misstatement or omission of material facts, or (iii) loss causation (i.e., the misstatement or omission caused the company’s stock to be artificially inflated). The likelihood of these cases being dismissed increases if the company’s disclosures include detailed and specific cautionary statements about cyber risks and do not characterize the quality of the company’s cybersecurity. Despite plaintiffs’ limited successes in cyber-related securities claims, the general trend of courts dismissing these cases continues to exist as evidenced by (i) the Ninth Circuit affirming on March 2, 2022 a District Court dismissal of a data breach-related securities class action against Zendesk, (ii) the Fourth Circuit affirming in April 2022 a District Court dismissal of a data breach-related securities class action against Marriott and its D&Os, (iii) a District Court in Virginia dismissing a cyber-related securities class action against Capital One in September 2022, and (iv) District Courts in California dismissing cyber-related securities class actions against First American and Okta in September 2021 and March 2023.

On July 26, 2023, the SEC adopted final rules requiring enhanced disclosures by public companies regarding material cybersecurity incidents and the company’s risk management and board oversight of cybersecurity matters. The rules significantly increase a company’s disclosure requirements in this area. For example, material cybersecurity incidents need to be disclosed within four business days after the company determines the incident was material (that determination must be made without unreasonable delay following discovery of the incident). The disclosure must describe the material aspects of the nature and scope of the incident as well as the likely material impact of the incident on the company’s operations and financial condition. Those disclosures need to be updated periodically. Also, the board’s oversight of cybersecurity risks, the company’s policies and procedures for identifying, assessing and managing those risks, and the cybersecurity expertise of management need to be disclosed in the company’s annual report. These disclosure requirements will likely result in not only increased cyber-related scrutiny by the SEC, but also increased securities claims against companies and their directors and officers, not to mention very difficult compliance challenges.

The SEC is also asserting direct claims against companies and their executives for false and misleading cyber-related disclosures. For example, in October 2023, the SEC sued SolarWinds Corp. and its Chief Information Security Officer for failing to disclose cybersecurity risks during the company’s 2018 IPO and for referencing on its website the company’s strong cybersecurity practices despite internal warnings that the company was vulnerable to attacks that could cause “major reputation and financial loss.” In 2020, the company disclosed hackers breached the networks of the company and several U.S. federal agencies that were customers of the company, resulting in a 25% stock price drop. The SEC lawsuit is unprecedented in two respects. First, it is the first time the SEC has asserted civil claims against a corporate executive in a cybersecurity disclosure suit. Second, it is the first time the SEC has asserted a cyber claim against the company for intentional fraud rather than for negligently false disclosures.

In a bizarre development which may signal heightened exposure for cyber-related claims by the SEC against D&Os, a cyber ransom gang filed a whistleblower complaint with the SEC in 2023 alleging that a company hacked by the gang failed to disclose to the SEC, consistent with the new SEC cyber disclosure rules, the security breach and its impact on the company. The gang apparently intended to enhance its future negotiation leverage over other companies hacked by the gang.

Shareholder derivative lawsuits against directors and officers are another litigation response when a company suffers large cyber-related losses. However, this type of derivative litigation is also challenging for plaintiffs in light of the business judgment rule, the applicable state exculpatory statute for directors, and other state law defenses for the defendant directors and officers. A cyber incident will rarely involve conflicts of interest, and therefore should rarely give rise to large derivative litigation settlements absent unusual circumstances. But a few cyber-related derivative lawsuits have recently settled or survived a motion to dismiss. Most notably, the Yahoo! derivative suit settled for $29 million, due in large part to the extraordinary number of people impacted by the breach (i.e., as many as 1.5 billion users) and the two-year delay in disclosing the breach. Other cyber derivative settlements are far smaller, often including a modest plaintiff fee award and the company agreeing to certain governance reforms. In October 2021, the Delaware Chancery Court dismissed a cyber-related derivative lawsuit involving the Marriott data breach.

The area of greatest potential exposure for directors and officers regarding cyber matters does not arise from acts or omissions by directors and officers prior to the attack, but rather from conduct of directors and officers once the attack is identified. Disclosures regarding the scope, effect and cause of the attack, and the response by management immediately following the attack, can potentially create either securities class action or shareholder derivative litigation. Therefore, long before a cyber attack actually occurs, companies should develop and implement effective protocols and action plans which describe what should and should not be done if a cyber attack against the company occurs. Careful advance planning in this area can provide a unique opportunity to minimize the potential personal liability of directors and officers for post-attack conduct.

Another related D&O exposure in this context is the potential for criminal charges. For example, in October 2022, the former chief security officer of Uber was convicted of obstructing the FTC’s investigation of a cyber breach involving private personal information about the company’s customers. The company initially disclosed to the FTC the breach involved 50,000 customers. The defendant officer subsequently learned from the hackers in the context of a ransomware demand that the breach involved 57 million customers, but the officer failed to report that updated information to the FTC. In another case, the former chief information officer of Equifax was convicted of insider trading and sentenced to four months in prison based on his sale of $950,000 of company stock before the company’s massive data breach was publicly disclosed.

  1. ESG Claims. There is now an unprecedented number of D&O claims which arise out of highly publicized social issues. Whether each of those social issues is temporary or long-term, and thus whether the D&O claims arising from each of those social issues are aberrations or a permanent new exposure for D&Os and their insurers, is yet to be seen.

The following summarizes the primary examples of these types of claims. The legal theories asserted in these claims are not new or unusual, but the factors which are causing the claims to be prosecuted are recent. Ironically, most ESG-related claims are asserted against companies who are proactive in addressing ESG concerns as opposed to companies who seemingly ignore the issues (often called “greenhushing”). Those proactive companies are often in a no-win situation because they are criticized for not doing enough (or misrepresenting the impact of what they are doing) or for doing too much. For example, American Airlines and certain of its fiduciaries were sued in June 2023 for pursuing “leftist political agendas” through ESG strategies which fail to maximize profits. Deutsche Bank paid a $19 million penalty to the SEC for making allegedly misleading statements about its use of ESG factors in connection with its research and investment recommendations. Other similar claims have been brought against directors of Disney, Starbucks, Target, BlackRock and the parent of Ben & Jerry’s (Unilever).

There are growing indications the focus on ESG issues is waning. Most notably, the SEC stated in its annual report on 2023 examination priorities that ESG issues and concerns about greenwashing would be a significant focus, but the annual report on 2024 examination priorities does not reference ESG matters, instead focusing on cybersecurity and crypto-related risks.

a. Climate Change Claims. Although climate change issues permeate many industries and generate a variety of legal concerns, D&O litigation has been largely immune to those issues.

On March 6, 2024, the SEC adopted highly controversial new rules requiring larger registered public companies to disclose a wide range of information related to climate change and greenhouse gas emissions and the associated risks. For example, the new rules require companies to disclose in their SEC annual reports (i) the amount of their direct greenhouse gas emissions from their own operations and their indirect emissions associated with the generation of energy consumed by the company; (ii) their climate-related risk, such as the risk of financial harm caused by severe weather events like flooding and wildfires; (iii) their processes for identifying, assessing and managing these risks; (iv) a quantitative and qualitative description of their material expenditures to mitigate or adapt to those risks; and (v) any Board oversight of climate-related risks and any role by management in assessing and managing those risks.

The adopted rules are being legally challenged in numerous lawsuits both by plaintiffs who contend the rules exceed the SEC’s authority and by plaintiffs who contend the SEC should not have diluted the far more demanding proposed rules. Opponents of the new rules largely based their challenge on a June 2022 ruling by the U.S. Supreme Court which held that EPA rules limiting coal power plant emissions exceeded the EPA’s legal authority and are therefore unlawful. As a result of these legal challenges, the implementation of the new rules has been stayed.

By addressing climate change issues through disclosures to shareholders, the SEC is creating personal accountability for directors and officers who fail to comply with the new requirements. Not only will the SEC be a direct enforcer of the new requirements through proceedings against both the company and its directors and officers, but shareholders (and plaintiff lawyers) will undoubtedly use the new rules as a basis for securities class action lawsuits against directors and officers and their companies.

In October 2023, California enacted two far-reaching statutes requiring climate-related disclosures. The Climate Corporate Data Accountability Act requires greenhouse gas emissions data disclosure by all public or private entities doing business in California with gross annual revenues in excess of $1 billion. A second related statute requires companies with more than $500 million of gross annual revenues to develop a biennial report on their climate-related financial risks. The concerns described above under the newly adopted SEC climate change rules equally apply to these new California statutes. As similar additional new laws and regulations are enacted by the federal government and other states, companies and their D&Os may soon be faced with nearly impossible and conflicting climate-related legal requirements which dramatically increase their liability exposures.

The lack of current D&O litigation relating to climate change issues does not mean climate change litigation does not exist. An estimated 1,000 climate change lawsuits have been filed in recent years against companies and governmental authorities, with the large majority of those cases being filed outside the U.S. against non-U.S. entities. One well-publicized example is litigation involving Shell plc, a U.K. company. In May 2021, a Dutch court ordered Shell to reduce its emissions by 45% by 2030. On February 9, 2023, an environmental advocacy group filed a shareholder derivative lawsuit in the High Court of England and Wales against Shell’s directors alleging the board is not taking sufficient steps to address the future impacts of climate change and to comply with the court-ordered reduction in emissions.

It seems likely this highly litigious environment for climate change issues, when combined with increasing regulations in this area, will eventually result in meaningful D&O litigation in the U.S. and perhaps other countries.

  1. Executive Compensation. Although a board’s executive compensation decisions have typically not been overturned by courts consistent with the business judgment rule, the increasingly enormous size of some executive compensation arrangements has been reviewed by courts, with mixed results. On January 30, 2024, the Delaware Chancery Court rescinded Elon Musk’s $55.8 billion compensation package following a 2022 trial in a derivative lawsuit on behalf of Tesla against Musk and the Tesla board. The Court concluded Musk’s personal relationships with the directors removed the board’s compensation decision from the business judgment rule. As a result, the defendant directors were required, but failed, to prove the “entire fairness” of the compensation package, even though 74% of the Tesla shares not held by Musk or his brother approved the compensation package.

In contrast, a Federal District Court in New York in February 2024 dismissed a securities class action lawsuit against Apple and its directors and officers alleging the defendants misrepresented information about very large performance-based stock compensation awards to Tim Cook (Apple’s CEO) and other senior executives. The Court concluded the plaintiffs did not plausibly allege any actionable misrepresentations regarding the value of the awards.

  1. Reincorporation Outside of Delaware. In response to the Delaware Chancery Court rescinding Elon Musk’s $55.8 billion compensation package with Tesla (see summary above), Musk is seeking approval from both Tesla and SpaceX shareholders to reincorporate those companies from Delaware to Texas. That strategy has been highly publicized, and at least several other companies are considering or proposing similar moves out of Delaware to either Texas or Nevada.

There are numerous legal and financial implications to such a reincorporation. But Texas and Nevada statutory laws are clearly more protective of directors and officers than Delaware. For example, the Nevada liability exculpation statute applies to breach of any fiduciary duty, including the duty of loyalty (unlike Delaware law). Under Texas law, shareholder derivative suits are prohibited if independent directors decide prosecuting the lawsuit is not in the company’s best interest, unlike Delaware law which allows shareholders to avoid or circumvent the directors’ decision under certain circumstances. In addition, both Texas and Nevada permit a company to indemnify settlements in derivative lawsuits against directors and officers, unlike Delaware. These differences in state laws may result in D&O insurers treating companies who reincorporate out of Delaware to these or other comparable states more favorably when underwriting their D&O insurance.

Efforts to reincorporate outside Delaware may be criticized by shareholders who contend the reincorporation is motivated by the company’s directors’ attempt to insulate themselves from litigation. For example, in February 2024, the Delaware Chancery Court denied a motion to dismiss such a lawsuit against directors of TripAdvisor who approved the company’s reincorporation from Delaware to Nevada.

  1. Board Diversity Claims. The Black Lives Matter movement beginning in 2020 and the related sensitivity to racial equality and diversity has impacted virtually all aspects of society, including the business community. Corporations have quickly realized that real and immediate reform in this area is both socially and economically in their best interests. To further emphasize that point, California enacted a statute in September 2020 which requires public companies headquartered in California to include on their board of directors at least one representative of “underrepresented communities,” such as persons who are Black, African-American, Hispanic, Latino, Asian, Native American, gay, bisexual or transgender, although the statute was ruled unconstitutional by a California Superior Court on April 1, 2022 and by a California federal court on May 15, 2023. Washington has a similar statute requiring board of directors diversity. These statutes are similar to an earlier California statute enacted in 2018 which requires corporations headquartered in California to have a minimum number of females on their boards of directors.

In contrast, some other states, including Illinois, Maryland and New York, do not mandate such diversity but instead require companies to disclose the minority composition of their Boards in either publicly-available government filings or annual reports to shareholders. Yet another statutory approach, adopted by Colorado and Pennsylvania, urges but does not require board diversity by establishing non-binding diversity requirements.

Perhaps more impactful, in August 2021, the SEC approved new “comply or explain” guidelines issued by Nasdaq, which require most Nasdaq-listed companies to have—or explain why they do not have—at least two members of its board of directors who are “Diverse,” including at least one Diverse director who self-identifies as female and at least one Diverse director who self-identifies as an Underrepresented Minority or LGBTQ+. In October 2023, the Fifth Circuit ruled the new guidelines are not subject to constitutional challenge because Nasdaq is a private entity.

Since July 2020, shareholder derivative suits on behalf of numerous publicly traded companies have been filed related to board and employee diversity, seeking a wide range of relief such as replacing current non-diverse directors, disgorgement of directors’ fees and creating huge funds to hire minority employees. To date, none of these cases have survived a motion to dismiss.

Authors
Dan Bailey
Member