The D&O claims environment is now in an unusually uncertain state, largely due to the potential for unprecedented and wide-spread changes directly and indirectly caused by the new Trump administration. Many of the predicted changes may appear to lessen D&O exposures, including more conservative judges and a more business-friendly regulatory environment. But other changes will likely create a mixed bag of winners and losers. Some industries and companies will likely benefit from new Trump policies, such as the oil and gas and the crypto currency industries. Other industries and companies may be harmed, such as many green-energy companies and industries heavily dependent on an immigrant workforce. Plus, virtually all industries face the unpredictable consequences of potentially huge foreign tariffs, federal government downsizing and a more tolerant antitrust oversight of large M&A transactions.
History has shown that in times of significant uncertainties and changes, D&O claims often thrive, sometimes in surprising ways. Increased stock price volatility and financial distress caused by these types of developments are incubators for increased D&O claims involving many types of industries and companies.
Despite this unknown future, understanding recent D&O claims developments remains important both because many of those developments likely reflect future claims activity and because the consequences of new Trump policies probably will not impact D&O claims results for at least a year or two.
The following summarizes many of the more important recent legal developments involving D&O claims. It is now especially important for those who advise or insure directors and officers to carefully monitor and react to these and other developments in the coming months and years.
1. Securities Class Action Litigation
In 2024, the frequency of new federal securities class action litigation filings increased by about 5%, representing the second straight year of modest increases after a four-year decline in filings from 2019 to 2022. The technology, pharmaceutical and medical device sectors accounted for a combined 37% of those filings. Surprisingly, 19 COVID-related securities suits were filed in 2024, which was a 46% increase from 13 in 2023. Merger objection suits remain very low, continuing a trend that began in 2021 when plaintiff lawyers began filing such suits as single-plaintiff cases rather than as class actions, thereby allowing the plaintiff lawyer to settle the case for a so-called mootness fee (without the need for court approval) following modest additional disclosures by the company.
The number of securities class action lawsuits dismissed by courts increased from 96 in 2023 to 124 in 2024 (i.e., 29% increase).
The median settlement value in securities class actions has remained about the same in the last few years (the 2024 median settlement amount was $13.5 million), although the average settlement value materially declined in 2024 due to several factors, including an arguably temporary decline in the number of mega securities settlements.
The following summarizes some of the recent more important developments in securities class action litigation:
-
Since 2019, four separate securities class actions involving D&Os have settled for more than $1 billion each. See VEREIT, Bausch Health (fka Valeant), Dell Technologies and Wells Fargo settlements. These 10-figure settlements can no longer be considered isolated but suggest a trend toward dramatically increased settlement amounts in at least the most severe cases. An increase in settlement amounts in more modest cases has also occurred to some extent, probably reflecting in part a trickledown from these huge settlements.
-
The traditional belief that securities class actions which survive a motion to dismiss are largely indefensible as a practical matter is being challenged by some recent developments involving class certification. In August 2023, the Second Circuit decertified a class of investors who sued Goldman Sachs and its executives, thereby effectively ending a more than 10-year-old securities lawsuit. The ruling was based on a 2021 U.S. Supreme Court ruling in the same lawsuit which instructed lower courts when deciding whether to certify a class in securities litigation to examine actual facts (not just allegations, which is the standard for motions to dismiss) to determine if the alleged misstatements had a material impact on the company’s share price. The ruling creates new hope that at least some securities class actions can be defeated at the class certification stage even if the defendants’ motion to dismiss is denied.
The Second Circuit is the only Federal Court of Appeals to apply the 2021 Goldman Sachs Supreme Court decision to date, although several other circuit courts are currently considering those issues in several cases. Numerous District Courts have addressed class certification issues in light of the Supreme Court decision with mixed results. For example, in February 2024, the Federal District Court of Delaware refused to certify a class in a securities class action against M&T Bank Corp., concluding the plaintiffs failed to present evidence establishing loss causation and transaction causation during the class period. Similarly, in September 2024, the District of Columbia Federal Court refused to certify a class in a securities class action against Bed Bath & Beyond because the market for the company’s stock was not efficient during the proposed class period. Also in September 2024, a District Court in Michigan refused to certify a class in securities litigation against Rocket Mortgage and its officers because of unique issues among the class members regarding reliance on the alleged misrepresentations. However, some courts continue to certify securities class actions despite the Goldman Sachs precedent. For example, (i) in January 2025, Federal District Courts in Arizona and Colorado certified classes in securities litigation against Nikola Corp. and InnovAge, respectively, (ii) in January 2024, a New Jersey Federal District Court certified a class in a securities class action lawsuit against Johnson & Johnson, ruling that the defendants failed to completely rebut the presumption of price impact by a preponderance of the evidence, (iii) in February 2024, a California Federal District Court certified a class in securities litigation against Talis Biomedical, and (iv) in 2023, an Ohio Federal District Court certified a class in securities litigation against First Energy.
2. SEC Enforcement
In addition to private securities litigation, D&Os need to also be concerned about SEC enforcement activity. The SEC is expected to continue at least to some extent its focus on holding directors and officers accountable in a variety of contexts. The three main factors which create concern for D&Os in this context are summarized below.
First, the revolving leaders at the SEC’s Division of Enforcement (dating back to the first Trump administration and before) have repeatedly stated that “individual accountability” is one of the Division’s “core principles,” and that “pursuing individuals has continued to be the rule not the exception.” Approximately two-thirds of the SEC’s cases in FY24 involved charges against individuals, and the SEC obtained 124 orders barring individuals from serving as officers and directors of public companies (which was one of the highest numbers in a decade). Although some of the aggressive tactics by the SEC in recent years will likely subside with the new Trump administration, directors and officers will still be subject to expensive and problematic investigations and proceedings by the SEC.
Second, during its 2024 fiscal year, the SEC received over 24,000 whistleblower reports, which was a record. This increased frequency of whistleblower reports to the SEC appears to be attributable in large part to the significantly larger bounty awards now paid by the SEC to persons who provide information that materially assists the SEC in identifying and prosecuting securities law violations. In its 2023 fiscal year, the SEC paid a record $600 million to whistleblowers, including a record $279 million to one whistleblower (which was more than double the previous record and which was in addition to other large awards of $28 million, $18 million and $12 million in 2023). These large awards continued in fiscal year 2024, including a $98 million award to two whistleblowers in August 2024 and total awards exceeding $255 million for the entire year. The DOJ launched a similar whistleblower program in August 2024 for persons who provide information to the DOJ regarding various types of crimes, including financial institution, foreign and domestic corruption, and healthcare fraud crimes.
Third, SEC enforcement actions can be particularly problematic for D&Os because they frequently last a long time and usually cannot be resolved at the same time as parallel securities class action and shareholder derivative litigation. As a result, a sufficient amount of the company’s D&O insurance limits should be preserved following a settlement of the private litigation to fund the ongoing and potentially very large costs in the SEC action.
However, in June 2024, the U.S. Supreme Court granted some relief for companies and their directors and officers in SEC enforcement proceedings by ruling the SEC cannot use in-house administrative proceedings to impose civil fines for securities fraud. Instead, the SEC must use courts for assessing those monetary sanctions, which is viewed as a more even-handed forum for the defendants.
The SEC’s impact on D&O exposures was not limited to enforcement actions under the Biden administration. A number of new SEC rules relating to a wide variety of topics significantly expanded D&O responsibilities and exposures. The three most important new rules impacting D&Os involved (i) executive compensation clawbacks following a company restating its financial statements, (ii) disclosure requirements with respect to cybersecurity (see discussion on page 11 below); and (iii) disclosure requirements with respect to climate change (see discussion on page 13 below). The new Trump administration is reportedly likely to rescind or greatly dilute the new cybersecurity rules and is not opposing numerous lawsuits alleging the climate change rules are invalid. The new compensation clawback rules, which are summarized below, will likely remain in effect.
In October 2022, the SEC adopted final rules to implement the compensation clawback provisions in §954 of Dodd-Frank. Pursuant to the new rules, any executive officer of a publicly-traded company that restates its financial statements must repay to the company any incentive-based compensation received by the officer during the three years prior to the restatement, regardless of whether the executive committed any wrongdoing or knew of the facts underlying the restatement. Importantly, the new rules prohibit the company from indemnifying the executive or purchasing insurance for the amount of the clawed back compensation, although executives who did not cause the restatement may personally purchase insurance for his or her clawback liability.
On March 17, 2025, the Acting Chair of the SEC stated he has directed staff to reassess a number of finalized and proposed regulations by the Biden administration and promised a more deliberate and slower process for considering any new rules in the future.
3. Derivative Suits
Historically, shareholder derivative lawsuits (which are cases brought by shareholders on behalf of a company against D&Os seeking damages incurred by the company as a result of alleged wrongdoing by the D&Os) have presented relatively benign exposures. Although frequently filed in tandem with a more severe securities class action, derivative suits usually have been dismissed by the court or settled for relatively nominal amounts for several reasons. For example, a committee of independent directors who were not involved in the alleged wrongdoing may determine that prosecution of the derivative suit on behalf of the company is not in the company’s best interest, in which case the court may dismiss the case. Likewise, the defendant D&Os usually have several strong defenses in the derivative suit, including pre-suit demand requirements, the business judgment rule, state exculpation statutes, and reliance on expert advisors.
Despite these procedural and substantive defenses, an increasing number of derivative suits are now settling for large amounts. The following summarizes many of the more recent “mega” derivative settlements.
| Company | Type of Incident | Derivative Settlement |
| Tesla | Excessive executive compensation | $735 million of returned cash and equity compensation |
| Wells Fargo | Widespread improper consumer banking practices | $320 million |
| Alphabet | Alleged culture of sexual discrimination/harassment and mishandling of complaints against senior executives | $310 million diversity and equity fund for governance reforms |
| Renren | Transfer of company assets to privately owned company at undervalued price | $300 million |
| VEREIT | Financial statement errors | $286 million |
| Activision Blizzard | Executive officers unfairly acquired a controlling interest in the company | $275 million |
| Boeing | Alleged breach of the board’s safety oversight duties resulting in crash of two Max 737 aircraft | $237.5 million |
| FirstEnergy | Executives bribed state officials | $180 million |
| Insys | Opioid-related wrongdoing | $175 million |
| McKesson | Opioid-related wrongdoing | $175 million |
| CBS/Paramount | Allegedly unfair merger terms | $167.5 million |
| AIG | Allegedly fraudulent $500 million reinsurance transaction to mask company losses | $150 million |
| News Corp. | Relative of majority owner personally benefitted from acquisition of company; company’s employee journalists used illegal reporting tactics | $139 million |
| Freeport-McMoRan | Merger fraught with allegations of sweetheart deals and self-dealing | $137.5 million |
| Cardinal Health | Opioid-related wrongdoing | $124 million |
| Walmart | Opioid-related wrongdoing | $123 million |
| Oracle | $900 million in insider trading in advance of disappointing earnings announcement | $122 million |
| Broadcom Corp. | Options backdating scandal that resulted in $2.2 billion write-down | $118 million |
| Altria Group Inc. | $12.8 billion investment in vape manufacturer Juul | $117 million (including $100 million for programs to combat underage nicotine use) |
| AIG | Allegation that company paid sham commissions to a closely-held insurance agency | $115 million |
| L Brands | Alleged sexual harassment and toxic workplace | $90 million governance reform fund plus $21 million attorney fee award |
| 21st Century Fox | Allegedly rampant sexual harassment by former Fox executives | $90 million |
| PG&E Corp. | Gas Line Explosion | $90 million |
| Pfizer | Off-label marketing of drugs resulting in federal investigations and claims under the False Claims Act | $75 million |
| Bank of America
|
Acquisition of Merrill Lynch based on allegedly false statements about Merrill’s losses | $62.5 million |
A number of factors appear to be contributing to this troubling trend of large derivative suit settlements, including:
-
Caremark Erosion
One of the primary substantive defenses for D&Os in many derivative lawsuits is the so-called Caremark defense, which in essence says D&Os are not liable for lack of oversight of company operations absent the director or officer engaging in self-dealing, having a conflict of interest or committing gross dereliction of his or her duty (i.e., acting in bad faith). A series of decisions issued over the last few years from Delaware courts have created uncertainty regarding this important defense. Some recent cases, particularly those involving public health and safety issues or egregious workplace behavior, have not applied the Caremark defense, including derivative lawsuits involving listeria-tainted ice cream (2019 Marchard case), 737 Max airplane crashes (2021 Boeing case), opioid anti-diversion obligations (2024 Amerisource Bergen case and 2023 Walmart case), discriminatory lending practices (2024 Wells Fargo case), and infant formula safety (2024 Abbott Laboratories case).But, in other less alarming derivative oversight lawsuits, Delaware courts have applied the defense, including the 2021 Marriott and the 2022 Solar Winds cases involving a cyber breach, the 2023 Segway case involving financial reporting issues, the 2024 Walgreen’s case involving the company’s prescription management system, the 2024 Centene case involving inaccurate cost reports to Medicaid, and the 2024 TransUnion case involving the company’s failure to comply with a Consumer Financial Protection Bureau order. In the Solar Winds case, the Delaware Chancery Court recognized Caremark oversight claims have recently “bloomed like dandelions after a warm spring rain,” but those claims “remain, however, one of the most difficult claims to clear a motion to dismiss.” In the Segway case, the Delaware Chancery Court similarly confirmed a valid oversight claim exists only in “the extraordinary case where fiduciaries’ ‘utter failure’ to implement an effective compliance system or ‘conscious disregard’ of the law gives rise to corporate trauma.” Likewise, in the Walgreen’s case, the Delaware Chancery Court expressed concern about oversight claims being “reflexively filed” whenever a company “encounters an adverse circumstance,” thereby weakening the core protections of the business judgment rule and draining resources from the company the derivative plaintiffs purport to represent. Instead, a valid oversight claim should be a “rare event” according to the court. In the Centene case, the Delaware Chancery Court recognized “a bad outcome, without more, does not equate to bad faith” by the directors, which is required for an oversight claim against the directors.
The derivative litigation against McDonald’s directors, CEO and Chief People Officer involving company-wide sexual harassment allegations demonstrates the changing and confusing legal landscape today regarding Caremark claims. In January 2023, the Delaware Chancery Court refused to dismiss the claims against the executive officers, finding for the first time that officers have the same oversight duty as directors and the officers’ alleged wrongdoing in this case was sufficiently egregious to survive the Caremark defense because the officers directly participated in the company’s sexualized culture. But, two months later, the Court dismissed the oversight claims against the directors even though the directors knew about the sexual harassment allegations. Because the directors responded to the problem (albeit insufficiently), the Court determined the directors’ conduct did not constitute bad faith and thus dismissed the claims.
-
Duplicate Lawsuits
Unlike most securities class actions which must be litigated in federal court, derivative litigation is usually filed in state court. Also, unlike securities class action litigation, there is no mechanism to consolidate multiple derivative lawsuits into one state court proceeding. As a result, multiple derivative cases, each prosecuted by a different plaintiffs’ firm, will often proceed in different courts, even though all of the lawsuits assert essentially the same claims on behalf of the company. This results in higher defense costs, inconsistent court rulings in the parallel cases, and the potential for higher settlement amounts to resolve all of the lawsuits.A forum selection clause in a company’s bylaws is an increasingly important tool to avoid such duplicate derivative lawsuits. Under relatively new statutes in Delaware (Section 115, Delaware General Corporation Law) and a few other states, public companies chartered in those states may adopt a forum selection bylaws provision which requires all proceedings relating to internal affairs of the company (such as derivative suits) to be filed and adjudicated only in the state designated in the bylaws. Such forum selection bylaw provisions can prevent multiple derivative lawsuits being prosecuted in multiple and hostile forums. The Seventh and Ninth Circuits recently issued conflicting opinions regarding the enforceability of such a state forum selection bylaws provision if the derivative suit includes claims for false proxy statements in violation of Section 14(a) of the Securities Exchange Act. The Seventh Circuit held the provision is invalid as to Section 14(a) claims because such claims must be brought in federal court (i.e., plaintiffs would be precluded from asserting Section 14(a) claims in a derivative suit if the state forum selection provision is enforced). But the Ninth Circuit upheld the enforceability of the provision even with respect to Section 14(a) claims.
4. Criminal Proceedings
In recent years, regulators, prosecutors and commentators have repeatedly discussed the importance and purported commitment by the government to hold executives criminally accountable for wrongdoing. In the aftermath of the financial crisis in the late 2000s, there was a large public outcry for the prosecution of responsible individuals, although those prosecutions were essentially non-existent. Regulators and prosecutors both then and now repeatedly express the importance of criminal prosecution of executives.
But, despite this rhetoric, the prosecution of white-collar crime remains surprisingly infrequent, particularly with respect to directors and senior executives of large public companies where decisions are often made “by committee” without clear attribution to one or a few individuals who possess the necessary intent to violate the law. In addition, prosecutors often have limited resources and usually only bring cases they believe they can win. As an example of these challenges, in January 2021, a federal appeals court overturned the convictions of four former executives of Wilmington Trust, which was the only financial institution criminally charged in connection with the federal bank bailout program following the 2008 financial crisis. More recently, in June 2024, a California federal jury acquitted the former CEO and the former finance Vice President of Autonomy of criminal charges that they deceived HP about the software company’s business and financial health prior to HP’s purchase of the company for $11.7 billion.
The Trump administration will likely de-emphasize the criminal prosecution of directors and officers at least for certain targeted offenses. For example, on February 10, 2025, President Trump signed an Executive Order that puts a “pause” on enforcement of the federal Foreign Corrupt Practices Act, which is a common source of criminal prosecutions of directors and officers. A subsequent memo by Attorney General Bondi to the DOJ’s Criminal FCPA Division stated future FCPA investigations should prioritize foreign bribery that facilitates the criminal operations of cartels and transnational criminal organizations and not focus on other types of foreign bribery allegations.
Despite these challenges for prosecutors, numerous recent examples demonstrate that criminal exposure for executives is very real in several circumstances.
First, even in a large public company, senior executives who have direct responsibility for matters which create spectacular losses can be incarcerated. For example, in the last few years the former CEO and COO of SCANA pled guilty to defrauding customers and others with respect to a failed $9 billion nuclear construction project; the former CEO of SAExploration and the former CFO of Roadrunner Transportation Systems were sentenced to three years and two years in prison, respectively, for their roles in fraudulent accounting schemes at their companies; the former CEO (Elizabeth Holmes) and former COO of Theranos were convicted of securities fraud and sentenced to 11 years and 13 years in prison, respectively; the former CEO of cryptocurrency company FTX (Sam Bankman-Fried) was convicted in 2023 of multiple counts of fraud and sentenced to 25 years in prison; and the former CEO of cryptocurrency company Biance Holdings pled guilty to violation of the Bank Secrecy Act by failing to adopt anti-money laundering policies and was sentenced to four months in prison.
Second, lower-level executives who more easily can be shown to have knowingly participated in criminal wrongdoing are more frequently prosecuted than senior executives. Recent examples of charges against mid-level executives include: (i) six mid-level executives of Citigo were convicted in Venezuela of corruption charges, (ii) the Senior Vice President of Governmental Affairs of Com Ed pled guilty to charges involving the bribery of governmental officials, (iii) an executive of Sandoz, Inc. pled guilty to price-fixing charges involving generic drugs, (iv) a former executive of Netflix was convicted of money laundering and bribery for accepting stock options, cash and gifts from third-party vendors in exchange for lucrative contracts with the company, and (v) an Assistant Vice President of an insurance company pled guilty to fraud in connection with a $3.9 million scheme to scam the company for phony construction work and kickbacks from vendors.
Third, individuals who are senior executives (and also large owners) of smaller companies are easier targets of criminal charges because of their more intimate knowledge of company operations. For example, in 2024, (i) the CEO and founder of a software company was sentenced to 18 months in prison and assessed a $1 million fine for inflating the company’s financial statements in connection with a securities offering that raised $60 million, (ii) the CEO of a clean energy company was sentenced to six years in prison following his conviction for defrauding investors out of $1.1 million, (iii) the former CEO of a dental device company pled guilty to defrauding investors out of $10.7 million, (iv) the CEO of a cryptocurrency company plead guilty to violating the Bank Secrecy Act by not adopting policies to prevent money laundering, (v) the former CEO of a medical device company was sentenced to six years in prison for healthcare fraud in connection with the company selling non-functional pain management device components, (vi) the former CEO of a management software company was sentenced to 20 years in prison for using company assets for personal benefits; (vii) the former CEO of a health advertising company was sentenced to seven and one-half years in prison for misrepresenting to investors, lenders and customers the company’s value and capabilities; and (viii) the former CEO of a healthcare software company was convicted of securities fraud for falsely declaring the company had a multimillion dollar deal to buy and resell COVID test kits.
These criminal prosecutions are based on an increasing number of legal theories. For example, in 2023 a jury convicted two executives of an appliance sales and distribution company for failing to report to the federal Consumer Product Safety Commission defects in dehumidifiers sold by their company. The case reportedly was the first time executives were prosecuted under the Consumer Product Safety Act.
5. Cyber Claims
Unquestionably, cyber-related losses and claims are one of the most troubling future exposures for companies. It is virtually impossible for companies to prevent cyber attacks. Loss mitigation, rather than loss prevention, seems to be the only strategy available for most companies.
Surprisingly to some, the liability exposure of directors and officers for cyber-related claims is less predictable. Prior to 2017, no cyber-related securities class action lawsuits were filed even with respect to very large and highly-publicized cyber intrusions at large companies. More recently, plaintiff lawyers have filed a growing number of such securities class actions, including cases against Marriott, Chegg, Google/Alphabet, FedEx, Capital One, First American Financial Corp., Solar Wind, Yahoo!, Equifax, Telos, Octa and their D&Os. These cases are still somewhat uncommon despite the large number of companies which experience data breaches because in most cyber attack situations, the company’s stock price does not materially drop following disclosure of the attack. But, if there is a material stock drop following disclosure of the cyber breach, a securities class action is likely, and those securities class actions can be expensive, particularly if the company failed to promptly disclose the breach. For example, the Alphabet (Google) securities class action litigation which was related to a software flaw that allowed outside developers to access personal data of 500,000 users of the Google Plus social media site was settled in February 2024 for $350 million, the Yahoo! cyber-related securities class action litigation was settled in March 2018 for $80 million while a motion to dismiss was pending, the Equifax data breach securities class action litigation was settled in 2020 for $149 million, and the Solar Winds data breach securities class action was settled in 2022 for $26 million.
It is far from clear whether these cases will ultimately be successful on a widespread basis. Most of these securities class action lawsuits have been dismissed, primarily because the plaintiffs failed to sufficiently allege (i) the defendants acted with the requisite scienter (i.e., plaintiffs did not allege facts showing the defendants knew the size or impact of the breach at the time of the allegedly incorrect disclosures) , (ii) either a misstatement or omission of material facts, or (iii) loss causation (i.e., the misstatement or omission caused the company’s stock to be artificially inflated). The likelihood of these cases being dismissed increases if the company’s disclosures include detailed and specific cautionary statements about cyber risks and do not characterize the quality of the company’s cybersecurity. Despite plaintiffs’ limited successes in cyber-related securities claims, the general trend of courts dismissing these cases continues to exist as evidenced by (i) the Ninth Circuit affirming on March 2, 2022 a District Court dismissal of a data breach-related securities class action against Zendesk, (ii) the Fourth Circuit affirming in April 2022 a District Court dismissal of a data breach-related securities class action against Marriott and its D&Os, (iii) a District Court in Virginia dismissing a cyber-related securities class action against Capital One in September 2022, (iv) District Courts in California dismissing cyber-related securities class actions against First American and Okta in September 2021 and March 2023, and (v) a New York District Court dismissing most of the SEC’s cyber-related claims against SolarWinds Corp. in July 2024.
On July 26, 2023, the SEC adopted final rules requiring enhanced disclosures by public companies regarding material cybersecurity incidents and the company’s risk management and board oversight of cybersecurity matters. The rules significantly increase a company’s disclosure requirements in this area. For example, material cybersecurity incidents need to be disclosed within four business days after the company determines the incident was material (that determination must be made without unreasonable delay following discovery of the incident). The disclosure must describe the material aspects of the nature and scope of the incident as well as the likely material impact of the incident on the company’s operations and financial condition. Those disclosures need to be updated periodically. Also, the board’s oversight of cybersecurity risks, the company’s policies and procedures for identifying, assessing and managing those risks, and the cybersecurity expertise of management need to be disclosed in the company’s annual report. If not repealed by the new Trump administration, these disclosure requirements will likely result in not only increased cyber-related scrutiny by the SEC, but also increased securities claims against companies and their directors and officers, not to mention very difficult compliance challenges.
In a bizarre development which may signal heightened exposure for cyber-related claims by the SEC against D&Os, a cyber ransom gang filed in 2023 a whistleblower complaint with the SEC alleging a company that was hacked by the gang failed to disclose to the SEC, consistent with the new SEC cyber disclosure rules, the security breach and its impact on the company. The gang apparently intended to enhance its future negotiation leverage over other companies hacked by the gang.
Shareholder derivative lawsuits against directors and officers are another litigation response when a company suffers large cyber-related losses. However, this type of derivative litigation is also challenging for plaintiffs in light of the business judgment rule, the applicable state exculpatory statute for directors, and other state law defenses for the defendant directors and officers. But, a few cyber-related derivative lawsuits have recently settled or survived a motion to dismiss. Most notably, the Yahoo! derivative suit settled for $29 million, due in large part to the extraordinary number of people impacted by the breach (i.e., as many as 1.5 billion users) and the two-year delay in disclosing the breach. Other cyber derivative settlements are far smaller, often including a modest plaintiff fee award and the company agreeing to certain governance reforms. In October 2021, the Delaware Chancery Court dismissed a cyber-related derivative lawsuit involving the Marriott data breach.
The area of greatest potential exposure for directors and officers regarding cyber matters does not arise from acts or omissions by directors and officers prior to the attack, but rather from conduct of directors and officers once the attack is identified. Disclosures regarding the scope, effect and cause of the attack, and the response by management immediately following the attack, can potentially create either securities class action or shareholder derivative litigation. Therefore, companies should develop and implement long before a cyber attack actually occurs effective protocols and action plans that should and should not be done if a cyber attack against the company occurs. Careful advanced planning in this area can provide a unique opportunity to minimize the potential personal liability of directors and officers for post-attack conduct.
Another related D&O exposure in this context is the potential for criminal charges. For example, in October 2022, the former chief security officer of Uber was convicted of obstructing the FTC’s investigation of a cyber breach involving private personal information about the company’s customers. The company initially disclosed to the FTC the breach involved 50,000 customers. The defendant officer subsequently learned from the hackers in the context of a ransomware demand that the breach involved 57 million customers, but the officer failed to report that updated information to the FTC. In another case, the former chief information officer of Equifax was convicted of insider trading and sentenced to four months in prison based on his sale of $950,000 of company stock before the company’s massive data breach was publicly disclosed.
6. ESG Claims
In the last several years, an unprecedented number of so-called ESG claims were filed against companies and their directors and officers. The legal theories asserted in these claims are not new or unusual, but the factors which are causing the claims to be prosecuted are recent. Ironically, most ESG-related claims are asserted against companies who are proactive in addressing ESG concerns as opposed to companies who seemingly ignore the issues (often called “greenhushing”). Those proactive companies are often in a no-win situation because they are criticized for not doing enough (or misrepresenting the impact of what they are doing) or for doing too much. Recent ESG-related lawsuits typically criticize a company and its directors and officers for implementing DEI initiatives that harmed the company’s financial performance or reputation. For example, American Airlines and certain of its fiduciaries were sued in June 2023 for pursuing “leftist political agendas” through ESG strategies which fail to maximize profits. Deutsche Bank paid a $19 million penalty to the SEC for making allegedly misleading statements about its use of ESG factors in connection with its research and investment recommendations. Other similar securities class action or derivative lawsuits have been brought against directors and officers of Disney, Starbucks, Target, Gap, Blackrock, the parent of Ben & Jerry’s (Unilever), McDonalds and Lululemon. These lawsuits have received mixed reactions from courts. Some have been dismissed (e.g., Starbucks, Disney and Gap), some have survived a motion to dismiss (e.g., Target securities suits), and, in one case the defendants were found to have breached their fiduciary duties based on an evidentiary hearing (e.g., American Airlines).
The future of DEI-related investigations and litigation is very much in doubt under the Trump administration. On January20 and 21, 2025, President Trump issue Executive Orders which terminated DEI policies and programs within the federal government and “encouraged” private sector companies to do the same. Numerous companies have announced their elimination of DEI initiatives both before and after those Executive Orders.
-
Climate Change Claims
Although climate change issues permeate many industries and generate a variety of legal concerns, D&O litigation has been largely immune to those issues.On March 6, 2024, the SEC adopted highly controversial new rules requiring larger registered public companies to disclose a wide range of information related to climate change and greenhouse gas emissions information and risks. For example, the new rules require companies to disclose in their SEC annual reports (i) the amount of their direct greenhouse gas emissions from their own operations and their indirect emissions associated with the generation of energy consumed by the company; (ii) their climate-related risk, such as the risk of financial harm caused by severe weather events like flooding and wildfires, (iii) their processes for identifying, assessing and managing these risks, (iv) a quantitative and qualitative description of their material expenditures to mitigate or adapt to those risks, and (v) any board oversight of climate-related risks and any role by management in assessing and managing those risks.
The adopted rules are being legally challenged in numerous lawsuits both by plaintiffs who contend the rules exceed the SEC’s authority and by plaintiffs who contend the SEC should not have diluted the far more demanding proposed rules. All of those lawsuits were consolidated into a single proceeding in the 8th Circuit Court of Appeals. As a result of these legal challenges, the Biden administration stayed the implementation of the new rules one month after the rules were adopted. On March 27, 2025, the SEC informed the 8th Circuit that the SEC would no longer defend the validity of the new rules, which the SEC now says are “costly and unnecessarily intrusive.” As a result, it appears likely the new rules will not become effective.
Even if the new SEC climate change disclosure rules are not eventually implemented, directors and officers will still face challenging disclosure obligations and potential liability exposures under similar state laws notwithstanding the Trump administration. In October 2023, California enacted two far-reaching statutes requiring climate-related disclosures. The Climate Corporate Data Accountability Act requires greenhouse gas emissions data disclosure by all public or private entities doing business in California with gross annual revenues in excess of $1 billion. A second related statute requires companies with more than $500 million of gross annual revenues to develop a biennial report on its climate-related financial risks. The concerns described above under the newly adopted SEC climate change rules equally apply to these new California statutes. Other states are reportedly also considering climate change disclosure laws, such as Illinois, Minnesota, New York and Washington. As similar additional new laws and regulations are enacted by the federal government and other states, companies and the D&Os may soon be faced with nearly impossible and conflicting climate-related legal requirements which dramatically increase their liability exposures.
The lack of current D&O litigation relating to climate change issues does not mean climate change litigation does not exist. An estimated 1,000 climate change lawsuits have been filed globally in recent years against companies and governmental authorities, with the large majority of those cases being filed outside the U.S. against non-U.S. entities. One well-publicized example is litigation involving Shell plc, a U.K. company. In May 2021, a Dutch court ordered Shell to reduce its emissions by 45% by 2030. On February 9, 2023, an environmental advocacy group filed a shareholder derivative lawsuit in the High Court of England and Wales against Shell’s directors alleging the board is not taking sufficient steps to address the future impacts of climate change and to comply with the court-ordered reduction in emissions.
-
Executive Compensation
Although a board’s executive compensation decisions have typically not been overturned by courts consistent with the business judgment rule, the increasingly enormous size of some executive compensation arrangements have been reviewed by courts, with mixed results. On January 30, 2024 and again on December 2, 2024, the Delaware Chancery Court rescinded Elon Musk’s $55.8 billion compensation package following a 2022 trial in a derivative lawsuit on behalf of Tesla against Musk and the Tesla board. The Court concluded Musk’s personal relationships with the directors removed the board’s compensation decision from the business judgment rule. As a result, the defendant directors were required, but failed, to prove the “entire fairness” of the compensation package, even though 74% of the Tesla shares not held by Musk or his brother approved the compensation package. Following Tesla’s subsequent reincorporation in Texas (see discussion below), Tesla shareholders again approved the compensation package under Texas law. The Chancery Court’s ruling is now on appeal to the Delaware Supreme Court. -
Reincorporation Outside of Delaware
In response to the Delaware Chancery Court rescinding Elon Musk’s $55.8 billion compensation package with Tesla (see summary above), Musk sought and obtained approval from both Tesla and Space X shareholders to reincorporate those companies from Delaware to Texas. Musk also reincorporated his brain implant company Neuralink from Delaware to Nevada. That strategy to leave Delaware as the state of incorporation has been highly publicized, and at least several other companies have also moved out of Delaware to either Texas or Nevada, including Meta and Dropbox.
In contrast, a Federal District Court in New York in February 2024 dismissed a securities class action lawsuit against Apple and its directors and officers alleging the defendants misrepresented information about very large performance-based stock compensation awards to Tim Cook (Apple’s CEO) and other senior executives. The Court concluded the plaintiffs did not plausibly allege any actionable misrepresentations regarding the value of the awards.
There are numerous legal and financial implications to such a reincorporation. But Texas and Nevada statutory laws are clearly more protective of directors and officers than Delaware. For example, the Nevada liability exculpation statute applies to breach of any fiduciary duty, including the duty of loyalty (unlike Delaware law). Under Texas law, shareholder derivative suits are prohibited if independent directors decide prosecuting the lawsuit is not in the company’s best interest, unlike Delaware law which allows shareholders to avoid or circumvent the directors’ decision under certain circumstances. In addition, both Texas and Nevada permit a company to indemnify settlements in derivative lawsuits against directors and officers, unlike Delaware. These differences in state laws may result in D&O insurers treating companies who reincorporate out of Delaware to these or other comparable states more favorably when underwriting their D&O insurance.
Efforts to reincorporate outside Delaware have been criticized by shareholders who contend the reincorporation is motivated by the company’s directors’ attempt to insulate themselves from litigation. For example, in February 2024, the Delaware Chancery Court denied a motion to dismiss such a lawsuit against directors of Trip Advisor who approved the company’s reincorporation from Delaware to Nevada. But the Delaware Supreme Court reversed that decision on February 4, 2025, ruling that the directors’ decision to reincorporate outside of Delaware is protected by the business judgment rule. Perhaps in anticipation of that ruling, the Delaware Chancery Court in November 2024 dismissed claims against directors of The Trade Desk, Inc. related to the company’s reincorporation in Nevada. The dismissal was in large part due to a majority of company shareholders approving the reincorporation.
This exodus from Delaware, which has become known as “DExit,” prompted the Delaware legislature and Governor to enact new legislation in March 2025 intended to dissuade companies from leaving Delaware. Among other things, the new legislation adopts new safe harbor procedures for approving transactions with directors, officers or controlling shareholders, establishes criteria for determining the independence and disinterestedness of directors and shareholders, and limits the materials a stockholder may inspect pursuant to a books and records demand.
7. Artificial Intelligence
Artificial intelligence (AI) will likely have a profound impact on the liability exposure of directors and officers in future years, not unlike AI’s impact on businesses and society in general. In the D&O context, AI-related exposures will likely arise most frequently in securities class actions which focus on a company’s AI-related disclosures. Investors appear to have “irrational exuberance” for AI-related companies, much like the .com bubble in the late 1990s for internet-related companies. History has repeatedly shown that environment produces not only some wildly successful companies, but also many disappointing or failed companies which become targets of expensive D&O claims.
Examples of AI-related misrepresentations that may result in an artificial inflation of a company’s stock price and an eventual securities class action include:
-
A company may falsely promote itself as an AI company or having unique AI capabilities when in fact the company simply processes data.
-
A company may overstate or exaggerate its AI capabilities or its ability to successfully commercialize those capabilities (i.e., “AI-washing”).
-
A company may fail to fully disclose the material risks associated with its AI strategies and business, including risks from competitors, changing technology, rapid industry evolution, and claims by customers.
These types of lawsuits against companies and their directors and officers are already being filed, albeit in limited numbers so far. For example, thirteen AI-related securities class actions were filed in 2024, which is about double the number of such cases in 2023. These lawsuits allege the defendants overstated the use or effectiveness of AI technology in their business, and target a wide variety of companies, including Upstart (an AI lending platform), Zillow (developer of the Zillow Offers AI tool which provides predictive pricing information for buyers and sellers of houses), Innodata (an AI-enabled software platform company), Evolv Technologies Holdings (developer of AI-based weapons detection products for security screenings), UiPath (robotic process automation tool manufacturer with supplemental AI-powered products), Oddity Tech Ltd. (cosmetics internet platform which purportedly uses AI-based technologies to target consumer needs), and GitLab (an AI developer).
Potential AI-related shareholder derivative lawsuits may also be filed against directors and officers alleging breach of the defendants’ fiduciary duties in connection with AI matters. Examples of this type of claim may include:
-
Directors or officers may rely on AI in making a business decision that is harmful to the company, prompting shareholder allegations that such reliance was unreasonable without further investigation into the reliability, capability and accuracy of the AI systems used.
-
Directors or officers may fail to use commonly accepted and uniquely applicable AI systems to assist in their decision process, resulting in less informed decisions when compared with other companies under similar circumstances.
-
Directors and officers may authorize an expensive, resource-intensive but ineffective strategy to implement, use or market AI, resulting in significant losses and jeopardizing the company’s financial health and reputation.
-
Directors and officers may implement inadequate internal controls regarding AI issues resulting in significant claims against the company, including intellectual property infringement, invasion of privacy, defamation and similar tort claims.
-
Directors and officers may fail to identify or respond to company risks created by advisors, vendors, suppliers or competitors using (or misusing) AI technology.
-
Directors and officers may fail to stay abreast of rapidly changing AI technologies or recognized AI best practices.
In addition, the SEC has been clear that it intends to carefully monitor AI-related disclosures by companies. This oversight has already resulted in several enforcement actions against companies and their executives for misrepresenting AI-related matters.
The number of companies potentially impacted by AI risks is very large and growing. According to Bloomberg Law’s review of 2023 annual reports filed by S&P 500 companies with the SEC, over 40% of the reports mentioned AI. Similarly, a 2023 survey by the National Association of Corporate Directors found that 95% of the responding corporate directors believed AI tools would affect their companies, although 28% said AI issues were not regularly discussed at board meetings. When AI impacts that many companies, the likelihood of at least some of the D&Os liability risks summarized above occurring seems inevitable. Although the legal theories underlying those claims will probably not be new, the frequency and severity of those claims may be alarming for companies in virtually any industry.
To address these concerns, directors should be very proactive in understanding and responding to AI-related risks and opportunities. For example, directors should regularly consider basic AI-related questions such as which senior executive focuses on AI issues; how is AI used within the company; how are AI risks and opportunities identified, evaluated and monitored; how are competitors using AI; should one or more directors with AI expertise be added to the board; and how can the board best stay informed regarding this complex and rapidly changing topic? A 2024 report by ISS-Corporate found that about one-third of S&P companies disclosed in their SEC filings some level of board oversight on AI competency, which is a 150% increase from 2022. In most instances, the full board is performing the oversight function rather than delegating that role to the audit or risk committee.