Being a director is often challenging and potentially lucrative, but if the prospect of being sued is looming, it can be a lonely and alarming position.
Directors and officers cover (D&O) provides a suit of armour in the face of legal action, with the insurer stepping in to provide guidance at the first sign of a problem and ensuring legal costs and damages are met.
According to Eleni Petros, commercial crime practice leader for broker Marsh: “Cyber risks are a key topic in many boardrooms and are driven onto the agenda by high-profile data breaches, distributed denial of service attacks and rising ransomware and cyber extortion attacks.”
In the digital age, threats are coming thick and fast and directors are now more frequently having to contend with cyberattacks and data breaches – these are not just issues that affect large organisations.
Directors and high-ranking officers in public and privately-held corporations are under scrutiny like never before as they conduct business in an increasingly regulated and complex global business environment.
As regulatory authorities have responded to public and shareholder pressure in the wake of the credit crisis with more rules, heightened vigilance and tougher enforcement powers, corporate leaders find themselves exposed to even greater risks on a daily basis as they go about their roles.
The pressures on their time are vast, not least for non-executives, who frequently spend as little as 30 days a year working in the business, and for the many directors who sit on the boards of four or five companies.
These directors tell us the information packs that they receive from the companies they run are either far too large, and make it difficult for board members to target the business-critical information, or that they tell directors far too little about the key issues.
Nevertheless, directors face sanctions that make them sit up and take notice, not least the threat of jail. Though probably the least likely outcome for corporate leaders, jail terms can be handed down for antitrust failings, insider trading, bribery and corruption, money laundering or sanctions violations.
There is also the very real concern of regulatory fines and penalties. And these penalties can extend to being prohibited from sitting on boards in the future: the SIF regime now means that directors of banks that perform badly, though not necessarily personally liable, can find themselves excluded from directorships in regulated businesses going forward.
Then of course there is the growing threat of civil actions, and particularly shareholder class actions on both sides of the Atlantic. For antitrust violations in the United States, the maximum jail term for executives is ten years, and there are instances where officers and directors have served four-year terms.
These penalties apply equally to foreign nationals running companies with U.S. operations as they do to those businesses headquartered in the States, and antitrust authorities around the world are increasingly adopting similar approaches.
There are now more than 120 regimes that pursue this conduct around the world, with around a dozen of those imposing criminal sanctions for breaches.
The number of antitrust cases being dealt with by the enforcement agencies has increased exponentially in recent years, not least because the incentives for reporting incidents of wrongdoing have increased, encouraging whistleblowers and pushing companies to approach the authorities when they are alerted to issues within their own organisations.
This first-mover advantage can work to the detriment of directors, who may be implicated by the companies they work for when detailed investigations take place.
It is increasingly important for directors and officers to work hard to set the compliance tone for the organisation from the top, by making it clear to employees what is expected of them, by setting an example and by ensuring that the messages are communicated across, and become part of, the company.
The guidance published with the Bribery Act 2010 is just one example of express reference to the importance of “tone at the top”.
Business leaders need to design and implement systems and controls that are appropriate to their organisation, and regularly review and test those systems to ensure they are delivering results. At the same time, compliance requires a bottom-up approach, such that the system ensures that regular requests for information are made of all levels of the business, and frequent enquiries are initiated and followed up.
Directors need to ensure that the information that they receive is both timely and appropriately prioritised, so that they know they have done their best to be on top of what is going on.
In today’s environment, directors and officers also need to look out for themselves, which means that if they have questions they must not only raise them, but also pursue answers, and record the fact that they have done so.
Directors need to be assertive with their colleagues across the business. If they find themselves dealing with topics with which they are not comfortable, they should seek external advice. There were countless examples of directors of financial institutions telling Congressional hearings in the U.S. that they didn’t understand the collateralised debt obligation products that their banks were trading, but ignorance is not an excuse that will find favour with regulators.
The key message is that devoting time, resources and effort to the compliance programme is the best guarantee of success, and that the companies that have successfully introduced effective cultures have done so only as a result of sustained commitment.
Directors must take responsibility for introducing and maintaining a culture of compliance across their organisation, which means building the right structures; delivering regular training to employees, and particularly those in high-risk areas; setting up proper audit procedures that allow for deep-dive checks on a regular basis; and acting on discoveries in a timely and effective way.
Finally, an ever-growing list of mandatory and non-mandatory rules is ramping up the risks faced by directors and officers. The general trend is toward raising the level of care expected of D&Os and expanding their existing duties.
These higher standards increase the personal risks and liabilities for D&Os as they look to steer their organisations through the complexity of today’s business challenges. As a consequence, at-risk senior executives are searching for more sophisticated D&O coverage.
In many instances it is not the personal liabilities of directors that have changed, nor what constitute illegal acts, but rather the appetite of enforcement agencies to hold directors and officers accountable. Reprimanding senior executives is increasingly seen as the most effective means of changing behaviour and preventing criminal and civil offences going forward.
The trend of rigorous enforcement particularly holds true when it comes to international criminal acts, including breaches of antitrust legislation, of the UK Bribery Act or America’s Foreign Corrupt Practices Act, or of international sanctions laws.
A final thought: whether you are a large corporation or a small business, it is worth reaffirming the significance of the role of good corporate governance.
Corporate governance, performed properly, results in the protection of shareholder assets. Fortunately, many boards take on this difficult and challenging role and perform it well. They do so by, among other things, being active, informed, independent, involved, and focused on the interests of shareholders.
Good boards also recognise the need to adapt to new circumstances, such as the increasing risks of cyberattacks. To that end, board oversight of risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from misappropriation of management.
There is no substitute for proper preparation, deliberation, and engagement on company-related issues. Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.
Nicolas Berggruen once said:
‘The biggest determinant in our lives is culture, where we are born, what the environment looks like. But the second biggest determinant is probably governance, good governance or a certain kind of governance makes a huge difference in our lives.’