Cyber Attacks, Data Loss Seen as Top Risks for Directors and Officers

Cyber attacks and data loss are perceived as the top two risks facing companies' directors, according to the Eighth Directors' Liability Survey from Willis Towers Watson and Clyde & Co.

Regulatory risk, including the threat of fines and penalties, health and safety/environmental prosecutions, and risk of employment claims round out the top five risks reported in the D&O Liability Survey 2021.

The Willis Towers Watson (WTW) survey report notes that the 2021 survey showed the impact the COVID-19 pandemic is having on perceptions of risks facing directors. What was surprising, however, was that most survey respondents did not rank insolvency highly among their concerns, given the risk of numerous insolvencies resulting from the pandemic's economic and business impacts.

"Despite a year of unprecedented turmoil across the world as a result of the COVID-19 pandemic, the worldwide trend of increasing focus on director exposures has not let up," Angus Duncan, executive director at WTW, says in an introduction to the report.

Among the factors he mentioned that are adding to risk pressures for directors are new laws, regulations, and consultations in the United Kingdom and Wales regarding pensions and governance; board diversity class actions in the United States; and the trend of climate change risks becoming a boardroom issue, whether through new regulatory requirements or legal actions.

At the same time, Mr. Duncan writes, "The COVID-19 pandemic has also coincided with and intensified a hard market for directors and officers [D&O] liability insurers, unlike any seen before."

The report notes that organizations' boards could potentially be accused of mishandling pandemic risks, such as the failure to have robust information technology systems and inadequate handling of increased exposure to cyber risks, or corporate manslaughter or occupational health breaches resulting from the failure to ensure adequate workplace health and safety.

Cyber attacks and data loss have been in the survey's top three overall risks since 2016, the report said, with data loss occupying the top spot in 2018 and 2019, before cyber attacks took the top spot this year. The 2 years that data loss ranked as the top risk were likely the result of the European Union's General Data Protection Regulation taking effect and reports of significant fines being levied against some businesses for violating the new data protection rules.

The high rankings of cyber attacks and data loss are not unexpected in the current pandemic environment, the report suggests.

"Given the prevalence of cyber-crime and the severe consequences for companies and D&Os should they fall foul of an attack and/or data is lost, this is no surprise," the report says. "The COVID-19 pandemic has proved to be a fertile ground for cyber criminals seeking to exploit the weaknesses presented by businesses having to move to new procedures and systems overnight, often with a remote workforce. The trend is towards bigger targets and bigger incidences and ransomware attacks are also on the increase, which could expose D&Os to criminal sanctions for breaches of terrorism and proceeds of crime laws."

The report notes that regulatory risk has slipped down the rankings in recent years (it was the top-ranked risk in the survey from 2011 to 2017), and litigation risk and shareholder claims have dropped out of the top five, but pandemic-related cyber and health and safety risks could trigger regulatory investigations and subsequent civil claims, as well as shareholder suits against directors.

While the survey's findings suggest directors and officers have grown less concerned about insolvency, bankruptcy, or corporate collapse, insurers' concerns remain.

"What we hear from insurers is that they are concerned that corporate or financial restructuring, job losses, and insolvencies could trigger investigations into directors' conduct and then transcend into D&O claims," the report says. "There is also increased focus on analyzing corporate governance and assessing how boards are managing risks during the pandemic."

The report notes that boards face a major challenge in navigating the broad range of risks they face. "They must ensure robust, resilient business models are in place that are sustainable and profitable, while ensuring the welfare and safety of the business's people—both employees and customers and the wider impact of its actions on the environment and society as a whole," the report says.

While US respondents' top five risks were fairly consistent with the worldwide result, the primary difference was that the risk of employment claims was ranked considerably higher by US directors at just over 45 percent, making it the third-ranked risk from US respondents. Globally, employment claims ranked fifth with 38 percent.

"Employment claims have long been a substantial business risk, with high frequency claims and, in some cases, very high severity claims impacting operations—with select matters (#MeToo) shaking up the C-suite itself," the report says. "It is perhaps not surprising that exposures relating to pandemic-triggered furloughs and layoffs, as well as return to work and vaccination policies, may exacerbate those concerns, bringing these issues higher into the top five in the minds of our US respondents."

Employment claims also ranked highly among respondents from the Asia-Pacific region, where there have been recent developments with industrial relations legislation and increasing wage and employee-related class actions that are consistent with the risk to directors becoming more significant, the report says.

The risk of shareholder actions hasn't ranked among the top five risks in the survey since 2013, the report says, and this year's survey found only 27 percent of those surveyed suggesting shareholder actions were a "very significant" or an "extremely significant" risk.

Still, nearly three-quarters of US respondents indicated that increases in the number of large-scale group claims were "to some extent,""to a moderate extent," or "to a great extent" a risk, the report says.

"Notwithstanding the fact that the respondents to our survey may not have rated exposure to class actions in their top five risks, it remains a significant driver of losses in the D&O market and therefore a major factor in the challenging market conditions," the report says.