Directors and Officers will be under the spotlight due to rapidly increasing regulation
The regulatory sands are constantly shifting for Directors and Officers (D&O). The recent landscape has been particularly dynamic, with a myriad of new regulations increasing the level of responsibility placed on business leaders.
As critical uncertainties crystallise, directors have in turn had to expand the scope of their responsibilities considerably to include the management of cyber risk, inclusive workplace cultures, fraud prevention, ESG reporting and keeping pace with new technologies, such as generative AI.
This all comes amid increased scrutiny from regulators, consumers and investors. Directors must rise to the challenge if they are to remain compliant and their organisations reputationally sound. Insurers must also remain on top of these changes to ensure D&O insurance continues to be fit for purpose.
Risk evolution
Graham Ludlam, partner and D&O specialist at DAC Beachcroft, flags that recent years have seen directors' requirements evolve significantly after a fairly inert period.
“For decades, the commercial world has been relatively static in terms of innovation in comparison to what we're now seeing,” he explains.
He reveals that the claims coming into DAC Beachcroft are often centred on directors making regulatory missteps and he expects a further uptick. He adds: “We anticipate the exposures will originate from the relevant regulators using their enforcement powers, such as the Financial Conduct Authority (FCA) pursuing directors.”
The new 'failure to prevent fraud' offence in the Economic Crime and Corporate Transparency Act 2023 makes large corporations criminally liable for the actions of their associated persons who commit an economic crime for the organisation's benefit. The threat of criminal prosecution should encourage senior-level commitment to the adoption of fraud prevention procedures and help eradicate a 'blind eye' culture.
Ludlam emphasises that the onus is on directors to assess new risks: “What's required is for the board of directors to ensure each of these risks is managed, with proper and appropriate governance structures in place.”
Cyber risks
'Cyber attack or data breach' was identified as the top current and future risk, both globally and for risk and C-suite professionals, in Aon's 2023 Global Risk Management Survey. The prioritisation of cyber risk at the C-suite level is similarly reflected in the recently published call for views on the Cyber Governance Code of Practice (the Code), where the government stated: “Boards and directors should therefore place the same importance on governing cyber risk as they do with other principal risks.”
Hans Allnutt, partner and head of Cyber and Data Risk at DAC Beachcroft, predicts more and more regulation around cyber for directors. He details: “The scope of cyber legislation is constantly growing, moving from personal data and critical infrastructure to new legislation for connected devices and beyond. As the legislative scope grows to capture more of our cyber-reliant society, so will the scrutiny of directors.”
It remains to be seen if the Code will impact directors from a liability and claims perspective but Allnutt points out: “It stands to reason that as the legal scope of cyber risk expands, so will director and officer legal responsibility.”
Anthony Perotto, partner and D&O specialist at DAC Beachcroft in Milan, explains that cyber risk is a significant concern for directors of Italian entities: "As well as the reputational and financial damage to the company, and the risk of regulatory action which may lead to penalties, in Italy we are seeing more and more claims against directors alleging a negligent failure to protect data or implement adequate IT security controls."
What directors must keep front of mind is that cyber risk is not going to be unseated from the top of the risk table any time soon.
Artificial intelligence
Newer technologies, such as artificial intelligence (AI), will also be a potential challenge. As companies increasingly integrate AI into their core functions, the technology is not only revolutionising the way businesses operate internally but also the nature of the products and services they provide to the market. This widespread adoption of AI brings with it a host of regulatory considerations.
In the United Kingdom, the approach to regulating AI is currently one of integration rather than the creation of entirely new regulatory frameworks. The existing regulatory structures are being adapted to encompass the challenges posed by AI. In contrast, the European Union is taking a markedly different approach by crafting specialised legislation in the 'AI Act' which is aimed specifically at governing AI.
Directors must continue to monitor the regulatory position in the UK as this is likely to continue to evolve.
Beyond the immediate regulatory concerns, there is an emerging discourse on the ethical and environmental implications of AI. Charlotte Halford, an insurance and technology partner at DAC Beachcroft in London, highlights a significant oversight in the corporate embrace of AI: the environmental impact. She gives the example that “Just one prompt into ChatGPT is the equivalent of opening a bottle of water and pouring it on the ground. There's a real worry for lots of businesses that say ‘all my competitors are using AI, so I need to find a way to use AI’, but they're not necessarily stopping to think about whether they should be using it or the downsides of it.”
The environmental footprint of AI is an aspect that many firms have yet to fully consider, but it is one that could pose substantial challenges in the future. As businesses rush to match their competitors in leveraging AI for competitive advantage, there is a risk of neglecting the broader consequences of such technologies and this is something of which directors should be mindful.
Spain's recently approved AI Strategy 2024 recognises this wider environmental impact and aims to enhance sustainable storage capabilities and promote the use of AI from an ethical, humanitarian and transparency perspective.
Pablo Guillen, a partner and D&O specialist at DAC Beachcroft in Madrid, welcomes the focus on sustainability: "The Spanish government's commitment to promoting environmentally-compliant digital infrastructure and data centres, and helping companies adopt sustainable AI measures through financial support and loans, is forward-thinking. It will boost investment and research into sustainable AI, while ensuring directors keep a sharper focus on their environmental footprint."
Misconduct in the workplace
Regulators are also clamping down on how directors address the risk of sexual misconduct in the workplace. The Worker Protection (Amendment of Equality Act 2010) Act 2023 introduces a new duty on employers to take 'reasonable steps' to prevent sexual harassment.
Ludlam explains: “From October this year, there will be a new express obligation on the part of senior managers within an organisation to prevent sexual harassment.”
Training, support hotlines for victims and adequate reporting structures must be in place if directors are to stay on the right side of the law.
Consumer Duty
Obligations to customers are also front-of-mind. The Consumer Duty was introduced by the Financial Conduct Authority in summer 2023 and is intended to protect customers of financial services firms.
As Halford notes: “There is now a greater focus on delivering good customer outcomes, with the guidance aimed at boards and senior managers.”
She reminds leaders it isn’t a ‘one and done’ scenario to ensure compliance; instead, risks must be constantly re-evaluated. “Providers must ensure they've got appropriate processes and review mechanisms and are getting the right data to ensure they're able to deliver on the Consumer Duty and they can evidence it.
“It's ensuring that you've defined what good customer outcomes are, and that flows down in the processes you implement.”
It is too early to say if directors are already falling foul of the new regime but insurers and other financial firms should be ready to be put under the microscope by the FCA. “The FCA has stated its intention to start looking at performance and finding where it's been inadequate,” Halford warns.
ESG and greenwashing
Additionally, there is no escaping Environmental, Social and Governance (ESG) issues. In particular, directors are having to meet sustainability disclosure requirements and manage associated greenwashing risks.
Laura Berry, partner and ESG specialist at DAC Beachcroft, cautions directors to be aware of different requirements in different jurisdictions: "One size does not fit all when it comes to sustainability disclosures – we are not yet at the stage of global harmonisation of sustainability reporting obligations."
The EU’s Corporate Sustainability Reporting Directive (CSRD) is high on the agenda for companies that fall within its scope. The CSRD will in time impact not only EU firms, but also non-EU firms with significant presence in the EU.
Berry cautions: “Sustainability disclosures and environmental claims, whether made on a voluntary basis or in response to mandatory requirements, are being scrutinised by stakeholders. Statements must be clear, correct and capable of being substantiated to avoid the risk of greenwashing.”
Regulators are increasingly focused on greenwashing. For example, the FCA has brought in a new anti-greenwashing rule for all FCA regulated firms. As with all risks, it is essential for directors to be properly informed, consult with experts and ensure robust governance structures are in place.
As these risks develop, it is vital for insurers to step up and be aware of how these new threats affect their D&O customers and take the opportunity to create better cover. Ludlam says they should be asking: “What is the new regulation that's going to come out which we can add as an endorsement to our policy to differentiate ourselves from our competitors?”