THE HOT TOPIC IN US SECURITIES CLAIMS TRENDS IN 2024

2024 may end up having the highest number of securities class action claims in 4 years - what are the issues driving this?

 

 

The Stats

 

(figures courtesy of Stanford Law School in collaboration with Cornerstone Research):

The total number of securities class action filings to 30th September 2024: 165, which if annualised would reach 220.

 

How are the recent trends faring when set against the last few years?

 

Some notable indicators at this point

  1. The resurgence of Covid-19 as a driver for claims, which no one, including me, predicted. This trend seems to be gaining pace so the annualised figure above may even turn out to be low!

  2. The growing trend in AI related claims. This trend is also accelerating, so the annualised figure may also turn out to be low. This is undoubtedly the hot topic of 2024.

  3. SPAC securities litigation is plummeting with the trend ever slowing.

  4. Cyber remains steady but not at all spectacular, again defying predictions (including by me).

  5. Both crypto and cannabis are continuing to decline as drivers for securities claims.

  6. The US banking crisis is over as a driver for securities claims.

Finally, if the annualised number for the total number of class actions, 220, turns out to be correct, 2024 will be narrowly the highest year since 2020 (317), ahead of 2021 (212) and 2023 (213). There has been a decline and “levelling off” going on since the most recent height of 2017 (411). Nevertheless, to put into context, 220 would still make 2024 the 11th highest year in the last 30.

Not in the table, but also notable is that filings against non-US issuers are down both in number and as a percentage of total filings for non-M&A related securities claims, continuing a downward trend since 2020.

Artificial Intelligence (“AI”) is undoubtedly the Hot Topic of 2024

Even though we are only three-quarters of the way through the year it is safe to predict AI is the year’s hot topic. There were of course AI related filings in previous years, but the trend has accelerated this year and by all accounts is continuing to accelerate. It will be interesting to see how far into 2025 and beyond this continues.

Companies have been eager to highlight their AI credentials in order to gain a competitive advantage in the marketplace. However, sometimes this may be exaggerated, or what the SEC has described as “AI-washing”, borrowing an expression originally used in relation to companies overstating their “green” credentials (“green-washing”). The class action litigation has also included claims against firms who have not disclosed enough about the financial and operational risks associated with their adoption of AI.

 

As time goes on we are likely to also see claims against directors for breach of fiduciary duty by companies, liquidators, or shareholders on behalf of the company (remember 47% of securities class actions settled between 2017 and 2023 had a parallel derivative claim) relating to any of the following:

  • failures in implementation or integration of AI;

  • failing to embrace AI quickly enough;

  • adopting AI too quickly;

  • failing to exploit opportunities; or

  • allowing the company to be outmanoeuvred by competitors.

 

A word about regulatory impact on AI

 

Regulators have been getting busy on AI.

In the US, the SEC has made it clear it will go after financial institutions that overstate their AI credentials in investment modelling to clients or potential clients. SEC Chief Gary Gensler said in March this year:

 

“Investment advisers or broker dealers should not mislead the public by saying they are using an AI model when they're not, nor say that they're using an AI model in a particular way, but not do so”.

 

There have reportedly been three enforcement actions against such firms so far this year.

 

We have yet to see an enforcement action against a public company based on statements made to the market. But it’s probably only a matter of time. SEC chief Gary Gensler also said this year:

 

“Public companies should make sure they have a reasonable basis for the claims they make and yes, the particular risks they face about their AI use, and investors should be told that basis.”

 

The UK’s FCA and Bank of England/PRA issued “updates” on their approach to AI in regulated firms on 22nd April 2024. There are no new rules, regulations or statutes for the time being, but a reminder that the rules will be enforced regardless of the technology. In the meantime, they are making clear that firms will need to understand and be prepared to explain to regulators how AI is being used in their business, including by their service providers; be aware of how AI impacts on their existing legal responsibilities; ensure existing data protection laws are not being broken; and embed AI as a topic in the firm’s governance processes.

By contrast to the UK, the EU has been passing laws. The AI Act is now in force. It will become effective in stages over the next couple of years, starting in February 2025 with a list of banned uses. It applies directly to all EU member states, all other EEA states, and to any other business doing business in the EEA or where outputs from an AI system are usable in the EEA. This will include providers, importers, distributors and deployers/users of AI. In this way it will have an impact on most global businesses. Enforcement authorities will be able to impose fines of up to EUR 35m or 7% of worldwide turnover (whichever is higher).

We can expect to hear a lot more about AI enforcement in the future given its massive potential to touch all aspects of business life.

 

ARE YOU A BLENDER?

PUTTING TOGETHER A NEW PACKAGE PRODUCT - A STARTER FOR TEN

Blending policies to create a ‘combined’ product has many benefits to clients and carriers, but the art of blending itself comes with risks. What are the pitfalls to avoid?

Package products are insurance products that include multiple different covers under one banner. They are not new but in a soft market there seems to be a greater tendency to bolt covers together for medium sized clients presumably to save overall premium spend and enable those clients to buy some cover in areas where a more comprehensive standalone product might not be available to them.

Bolting products together sounds easy but it isn’t. There are a number of things that need to be thought about. In this brief guide I set out some of the things I have realised through my package work.

1. Decide how far to Blend

To Blend or Not to Blend – that is the question.

This is a threshold issue. It is possible to group policies together under one Schedule without making any substantive changes to them and dealing with all issues in the Schedule. This may superficially be attractive because it seems to involve the least work at the front end. We all want that obviously!

However, it won’t take long before you realise there are major drawbacks with this approach. First, the document will be very long indeed, difficult to navigate, and confusing for the client. It will contain a substantial amount of repetition and contradiction in the definitions, conditions and exclusions. More importantly, as the policies being combined are not co-ordinated, you will have little idea where the overlaps and gaps are between the covers. Inadvertent gaps and overlaps can be a fertile source of red faces in the wordings dept and more importantly disputes on claims.

Also, the Schedule will need to be very carefully drafted to ensure it takes all nuances between the different covers (including their different expressions) fully into account – as everything is riding on it. Without the Schedule you just have a bunch of separate policies. Also, the Schedule is unlikely to be the best place to deal with interlocking issues between the policies – what happens when multiple covers are triggered at the same time or cover the same loss for instance?

So, assuming you decide it’s a good idea to do some melding of the products, you need to decide how far this goes. At the other end of the spectrum is the fully blended form. These usually look great and may be mercifully short, but probably will involve the most amount of drafting work. The drawbacks are that they can also lead to “over-simplification” of some things that should stay nuanced which could lead to unintended consequences, and a lack of flexibility if you want the client to have the option of buying some covers but not others. A fully blended product will make it difficult to split things out easily without a hefty-looking endorsement deleting sections.

So, in my experience, most policies tend to be somewhere in between those two extremes – blending some things but not others.

2. What to Blend – the General Section

In order to maximise space by avoiding unnecessary duplication but also allow flexibility, many wordings have a “general section” that includes all the clauses that apply to all the covers. You need to decide which these are. This may include definitions that mean the same thing throughout the product wherever they appear, and conditions and exclusions that apply to all the covers. Examples of conditions that are likely to apply to all are “disputes” and “fraudulent claims”. Common exclusions might include “prior matters” or “war & terrorism”.

You may be realising at this point a complication – the products being melded may operate in different markets where the same issue is dealt with in different ways. This can be a real headache for us blenders! The affected clauses should either not go into the general section or compromises made to settle on language everyone can unite behind. The latter is preferable but not always possible.

Watch out for definitions that need to mean different things depending on where they appear in the product – “Loss” for example will mean something different in a Property section to a Casualty section. Not all examples will be as obvious. These types of definition should not appear in the general section. Sometimes it’s hard to decide whether something should have a common definition or not. Space and readability suggests you should lean in favour of more common definitions but avoiding pitfalls leans towards keeping them separate where unsure if an important nuance might be lost. An example of this might be “Terrorism” which may need to have a different meaning in a Crime exclusion from where it appears in specific Terrorism cover, or “Computer System” which may need to be defined a certain way in a Crime section but in a different way in a Cyber section war exclusion.

Once you have decided your approach, this is where the blending takes place, leaving the covers themselves entirely separate (see next section).

When blending, you may find it helpful to introduce a new “all embracing” definition for the things in all sections that trigger the cover during the policy period: namely “insured events”. Having such a definition can be helpful for use in general section clauses but just be careful not to use it if the clause in question doesn’t apply to all triggers, or make express exceptions.

Through this process you can achieve a nice balance between general and bespoke and of course you can also add further cover sections that are designed to be bolted on to the general section.

3. What not to Blend – the Cover Sections

Each cover section includes all the cover that’s unique to that section and no more. Typically, this will be via its Insuring Clauses, Extensions and the Exclusions. It will also contain any definitions and conditions that only apply to that section. You will have decided which these are if you have already drafted the general section. However, I have often noted the absence of any specific Crime conditions in a package policy containing Crime cover so this bit’s easily forgotten!

4. Don’t Forget: Limits/Retentions and Interlocking Clauses

If you do minimal blending it’s likely you’ll not consider these clauses at all and you probably won’t find them in the individual products being combined (and if you do, not consistently). But they are important.

These are the clauses – that go in the general section – explaining:

(a) whether an overall limit of liability applies to the whole product or a separate limit of liability to each cover section independently, or a combination of both (as indicated in the Schedule);

(b) what happens to the limits and retentions when the same incident causes related claims under more than one cover section; or

(c) what happens where (despite best intentions) there is an overlap: more than one cover section applying to the exact same loss.

Without dealing with these issues expressly you run the risk of a dispute when there are claims, possibly leading to unintended consequences.

5. Also Don’t Forget… An Interpretation Clause

Remember the general section will contain general definitions. You will need a clause explaining that they apply throughout the product unless there is a more specific definition of the same word in a cover section – in which case that more specific definition should apply in that cover section (ie override) only.

Most policies contain an interpretation clause already, so that’s fine as far as it goes. However, in a package policy there’s an extra dimension in addressing how the interpretation of a word, phrase or clause in one cover section (or the general section) might assist in the interpretation of a word, phrase or clause in another cover section. This may or may not be desirable in any given case. And should you be able to refer to cover sections not even purchased for this purpose? (to this question I would say not, but it’s up to you). As described above, certain words may have deliberately different meanings throughout the product, or some words (“claim” and “loss” being good examples) should be deliberately undefined in certain contexts but defined in others (this issue is often exacerbated by poor drafting).

Should a word or phrase used in one context be used to help interpret another? These are for you to consider and decide, and when you have decided, make it clear in the general section.

6. A Word about … The Schedule

As with all policies it’s preferable that all variable values are in the Schedule, not in the wording. This allows the product to flex properly on each deal without going back to amend the wording. The wording simply refers to the Schedule when dealing with a variable item, for example a limit of liability amount, whether aggregate or AOC, a retention, or governing law.

More specifically for the package product, the Schedule also indicates which covers have been purchased. Remember this isn’t as straightforward in a fully blended form hence the approach advocated above.

RELEVANT TO FINANCIAL INSTITUTIONS' D&O

Non-financial misconduct (“NFM”) is increasingly a focus for UK regulators

ESG has rarely been out of the news in the last 3 years. Whilst debates about the “E” continue, and the “G” is not really in dispute, the focus here is on the “S”, the focus on which has come comparatively late in the day compared to the others. It’s topical now with quite a few recent developments to talk about.

 

The Social piece is a broad church and can be loosely described as the way a firm interacts with its people and the wider community. In the workplace this most obviously involves diversity and inclusion but can also be about trading partner selection and ethical sourcing, among other things.

 

The FCA has historically been less active in the Social area given queries over how it impacts financial risk, but it is now catching up. Its primary focus is on what it calls Non-Financial Misconduct.

NFM – What Is It?

The FCA has described NFM as misconduct including bullying, sexual or racial harassment or any other discrimination in a work related context. The asset management industry has been facing some high profile and rather unwelcome scrutiny in this area specifically.

 

Odey Asset Management

Going on right now is the Odey Asset Management scandal, in which its founder, Crispin Odey, has been accused of sexual harassment by some 20 women employed over a period of 25 years at the asset manager he founded.

 

The fallout has been so serious the asset manager closed its operations last year. After an investigation it has more recently been cleared of wrongdoing by the FCA.

 

Mr Odey – also well known for his strong pro-Brexit stance, and large financial donations to Reform UK and to Boris Johnson personally – was, in shades of Harvey Weinstein, fired by his own firm in June last year when the scale of his alleged harassment came to light. One of the allegations, repeated by several women, is that he lured them to his house under a work pretense where he would greet them in his dressing gown.

 

He has since survived a criminal prosecution for sexual assault but is still being investigated by the FCA in respect of whether he is fit and proper to work in the financial services industry, and is facing multiple civil lawsuits alleging sexual harassment, and various degrees of sexual assault.

 

How prevalent is NFM in Financial Services?

In January this year, in response to a Freedom of Information request, the FCA disclosed information that suggested the number of whistleblower reports received from UK asset management firms increased appreciably in 2023 – to 172. This included notable increases in respect of sexual harassment and culture: there were 8 whistleblowing complaints of sexual harassment in asset management firms (compared with none in the two previous years) and 20 whistleblowing complaints relating to culture (up on prior years). All the other complaints related to financial misconduct issues.

Also, partly in response to the Odey scandal, a Parliamentary Treasury Committee examined barriers faced by women in the financial services sector in the “Sexism in the City” Inquiry, whose report was published in March this year. The FCA and PRA gave evidence to this inquiry partly to foreshadow the steps they are now taking (see below), which were not resoundingly endorsed by the Parliamentary Treasury Committee’s report. The Report did acknowledge as follows:

“There is an important role for regulators to play in ensuring that firms tackle sexual harassment. We welcome the proposals by the Financial Conduct Authority and by the Prudential Regulation Authority to strengthen their regimes for tackling non-financial misconduct, including sexual misconduct. We note, however, that the regulators are constrained by their legal powers to take action, and acknowledge that they cannot take action in financial services that goes further than allowed for in wider employment and criminal law.”

What is the current UK legal position on NFM?

On a most basic level such conduct may be criminal, in which case, if reported to them, the police will investigate (it was the FCA that reported Mr Odey to the police); or an employment matter in which civil claims may be brought against the firm and any relevant individuals for sexual discrimination, with potentially unlimited damages. Individuals would likely face disciplinary action by their employers. In the case of serial or systemic failures, the firm may lose the support of its trading partners, the share price could be harmed, and there could be D&O claims.

In terms of financial services specifically and the FCA, the position is quite nuanced, and this is probably one reason why more regulation is on the way. The FCA has struggled with the question of how and to what extent such behaviour is related to an individual’s professional competence. Going back to Mr Odey again, he appears to have been an extremely competent asset manager with whom his investor clients would have had few complaints. How does the FCA square this with the fact he may have been a sex pest around the office?

 

There are two ways in which NFM plays out under the FCA’s remit currently –

1. If an individual is a Senior Manager or is Certified then they can be investigated and found to be not Fit and Proper to perform regulated activities, and fined. This is going on with regard to Mr Odey at the moment. As the founder and brain behind the asset manager and presumably a main board member he was obviously a senior manager.

This has been the primary route taken by the FCA in such cases to date, although it has generally found people to be not fit and proper where there is no work connection to any serious wrongdoing (not in Mr Odey’s case obviously). An example would be a Senior Manager convicted of an offence not obviously connected to their work.

 

A firm that has failed to act properly in the face of a serial issue might also be found to be unfit to perform regulated services – this was the thrust of the FCA’s investigation into Odey Asset Management.

 

2. Most individuals working in financial services, as well as the firm, are subject to the FCA’s Conduct Rules. Any individual and the firm that employs them may therefore be in breach of the Conduct Rules, in particular the obligation to act with integrity (Rule 1). This has not been a fertile area for action by the FCA to date, partly due to queries over whether the existing rules sufficiently embrace non-financial misconduct matters.

NFM – what are the proposed changes?

The FCA, which many feel was stung into action by the Odey affair, released its proposals for beefing up its approach in this area in the Autumn of 2023 in a Consultation Paper, CP 23/20. They are sticking to the two-pronged approach outlined above:

1. Fitness and Propriety regime for Senior Managers and Certified personnel – here they are looking to more firmly state that bad behaviour outside of the work context may still be an indicator that someone is not fit and proper to work in regulated services. An example might be that someone acting dishonestly in covering up an unrelated crime cannot be trusted in a regulated environment. This change will not make any difference to misconduct that clearly IS related to professional work as Mr Odey’s alleged conduct was.

2. The Conduct Rules to which most people in financial services are subject, will be changed to add a new rule relating specifically to serious instances of bullying, harassment, and similar behaviour towards fellow employees. Except in the case of Senior Managers or Certified persons, it is the firm that will be sanctioned for a breach of the rule by an individual, not the individual themselves, who would nevertheless be subject to the usual disciplinary and other legal processes already outlined above.

 

The Sexism in the City report did not resoundingly endorse these proposals querying whether they went far enough. For instance – what is the difference between “serious” bullying or harassment and non-serious bullying or harassment? The report also criticised the widespread use of Non-Disclosure Agreements and the lack of guidance about the FCA’s whistleblowing line neither of which are tackled in the recommendations.

 

The final rules have not yet been published but have been promised later this year (although in light of some of the comments in the Sexism in the City report it is possible these will be subject to some revision and delay).

 

Are there any other recent developments in this area?

Yes, a couple. While we wait for these new rules, earlier this year, an FCA Information Request letter was sent out to all London market insurers and brokers, and City banks and stockbrokers asking for statistics about historic NFM, their nature, whether involving senior manager level, and the outcomes – together with information about D&I policies – and they were given just a month to do so.

 

This was meant to be just a first wave, with asset managers and others following; however, possibly in light of comments in the Sexism in the City report, it appears no more portfolio letters have yet been sent. The FCA says it is not looking to take action against individual firms based on the answers given; it is to inform its future approach to NFM. In doing so though it is inevitably sending a signal to firms to clean up their act.

 

NFM – What is Lloyd’s doing?

Not asset management, but unsurprisingly where the FCA treads, Lloyd’s tends to follow. Hot on the heels of the FCA’s Information Request, Lloyd’s has very recently published its own consultation on “poor conduct and behaviours in the market” (see Lloyd’s Bulletin Y5443 Market bulletin (lloyds.com)). This includes proposed updated and more explicit financial and non-financial misconduct rules and processes. Interestingly, there is express reference to the misuse of alcohol and drugs. The Consultation closes on 16th December 2024.

A word about publicising FCA Investigations (NFM or otherwise)

A related and potentially very significant development is an FCA Consultation launched in March this year – CP24/2. This included proposals for fundamental change to the way announcements are made when the FCA is investigating a firm – for any misconduct, financial and non-financial.

Currently the FCA does not announce when it opens an enforcement investigation against a firm or individual. Usually, announcements are only made once a decision to bring enforcement proceedings has been made, following an investigation – in line with the principle “innocent until proven guilty” and bearing in mind the reputational impact an investigation has.

 

The FCA is now proposing to make an announcement when it opens such an investigation and provide updates on them, giving the firm only 24 hours’ advance notice of the announcement. This will include publishing the identity of the firm (but NOT any individual) that is the subject of the investigation. Announcements will be subject to a decision making process and not automatic, but when made, will only amplify the effect of the harder stance being taken on non-financial misconduct, as such announcements could be extremely damaging for the firms concerned, even where no action is eventually taken.

 

The FCA’s Consultation on CP24/2 closed on 30 April. However, the House of Lords’ Financial Services Regulation Committee, chaired by Lord Forsyth of Drumlean, wrote to the FCA on 18 April to express a number of concerns about the proposals contained in the consultation. The letter stated that:

“the Committee intends to take evidence on this proposal and asks that you do not take further steps to implement this change until it has had the opportunity to do so and reach a final conclusion.”

The Committee then sought further views on the proposals. This consultation closed on 4 June and the findings are presently awaited.

 

The public response to the FCA’s proposals has been almost universally negative. The FCA tried to go down this road in 2013 and backed down so it may be more determined to push on with it this time. Watch this space.

FOCUS ON...

SIDE A DIC POLICIES

What you need to know about Side A DIC insurance in 10 steps

 

1. What is a Side A DIC (“Difference in Conditions”) Policy?

It’s typically a broad form D&O policy that sits “above” other policies (most likely D&O but not necessarily), and is designed to cover the directors when both (1) those underlying policies do not pay for any reason, including when exhausted; and (2) the company does not indemnify the directors for any reason. Both need to apply before the cover can be accessed. I will return to these two criteria throughout this article.

 

2. Why is it bought?

Traditionally it was “sleep easy” cover for directors as a policy of last resort when all else (underlying policies and company indemnities) failed. These days ABC D&O policies are typically broad and (touch wood) insurer insolvencies are rare, so directors are more likely to get cover, but by equal measure the cover might also be more likely to become exhausted given the size of the losses these days. Further, company indemnification is a much less certain beast, with derivative claims, insolvency and regulatory/reputational factors all potential bars. Many factors play into whether a loss will be indemnified by the company these days.

 

3. Who is Covered?

It is for the insured persons only (there’s a clue in the name: “Side A”). There is no cover for the company and no retention.

 

4. What are the main features?

The policy is written on its own terms (unlike an Excess policy) – so is structured quite like a primary ABC policy with Insuring Clauses, Exclusions and Conditions. There are some important differences though (see next item) and mercifully these policies are generally a good deal shorter than primary policies.

 

5. Is the cover broad?

It’s meant to be, yes. The cover needs to be broader than the primary policy and all other underlying policies in order that the DIC feature is operative. This means the policy may “drop” into a coverage gap in an underlying policy if one opens up. As part of this, there need to be very few exclusions in a Side A DIC policy, typically for bad conduct and prior matters only. I have seen some wordings that don’t even have these! 

 

Because underlying policies are broad these days it’s even more important that the cover given isn’t narrower than the underlying. For this reason, the policy always contains a “follow form” or “reverse DIC” feature saying that insofar as the underlying policies are broader in a given situation, the Side A DIC policy will flex to follow that broader coverage (subject to a few common exceptions).

 

6. How else is the cover broad?

Rather than have a huge list of extensions like a primary ABC policy, the language of the insuring clause and the definitions is deliberately designed to be broad to embrace a wide variety of situations, rendering many extensions unnecessary. Similarly, “affirmative coverage” clauses, which simply confirm that something already covered is covered (a personal bugbear of mine), are a rarity in these policies.

 

A good insuring clause may just say something like “The Insurer will pay non-indemnified loss where a policy of the underlying insurance does not pay for any reason”. This will embrace both gaps in cover and exhaustion of underlying limits. Job done.

7. What about Limits?

The limit may be bigger than limits in underlying layers. Some carriers specialise in Side A DIC and so have the capacity for this. Perhaps more importantly, and in another major departure from the underlying layers, there are likely to be a couple of reinstatements of the limit available. The reinstatement language needs to be carefully checked to ensure it does what the parties intend. One key area is whether the reinstatement will apply to the same or a related claim for which a payment (however small) was made within the limit.

 

It is also possible there will be “excess Side A DIC” policies. These are excess layers that build on the “primary Side A DIC” layer. These are follow-form policies, and they follow the primary Side A DIC policy NOT the primary policy!

8. What happens if the Company could indemnify but doesn’t?

It is open to a company to decide not to indemnify when it would be expected to do so, triggering the Side A cover. This cover would be provided by the underlying insurance in the first instance on a “presumptive indemnification” basis with the Side B retention charged back to the company. The Side A DIC has no such protection if and when called into play. There is in theory a subrogation right available to the Side A DIC insurer where the company fails to honour a contractual obligation to indemnify the director, although this is by no means cast iron. In the end though, a company that does not indemnify when it should do will find it difficult to buy the cover in subsequent years!

 

9.1 Where are the exposures? Non-indemnified Losses may be on the increase.


Four factors suggest non-indemnified losses are increasing:

1. Side A DIC insurance is now routinely offered to companies registered in countries where lawful indemnification is at best questionable and at worst not permitted, thus increasing the prospects there will not be any indemnification by the company. There are too many countries in this category to mention, but many are in Europe. If the country’s law does not permit indemnification, or it is doubtful, every loss will be Side A.

2. Insolvencies are on the increase, with the world’s macro-economic position looking at best shaky, and with more bumps in the road surely to come. Since 2021 insolvencies in the UK have risen sharply. The 2023 banking crisis claimed a number of US banks. Insolvency is the biggest cause of D&O claims in Europe. Obviously, an insolvent company cannot indemnify its directors and so all insolvency D&O claims are Side A.

3. There are some signs that regulatory / reputational concerns may drive companies to step away from their obligations to indemnify, even where robust, and risk the consequences. This may be acute in cases of corporate scandal where the company fears a shareholder, regulator or public backlash if it becomes known it is indemnifying its directors even though there has been no “final adjudication” of fault. Public backlash via social media is a feature now more than ever before. Share prices are vulnerable to the court of public opinion with the spectre of a securities claim if there is a significant drop, whether or not underlying facts are proven or are simply under investigation.

4. Former directors may find it harder to access a company indemnity for claims that arise long after they’ve gone, particularly where instigated by the company’s current management. There is recent evidence suggesting that climate related litigation could come back to haunt former directors who did not properly consider transition risks once the impact of climate change became widely understood.

9.2 Where are the exposures? Underlying Insurance may be less likely to Pay.

Why might an underlying insurer not pay? As said earlier, it is rare that a D&O insurer fails to pay a Side A loss. Licensing might be a concern – some underlying insurers may not be permitted to pay losses in certain jurisdictions, even though these days there is greater awareness of the issue in the insurance community. Side A DIC insurance should typically be provided by insurers who can comply with global licensing requirements so are able to pay those losses where the underlying does not.

More importantly, underlying insurance is more likely to be exhausted these days than ever before. Underlying D&O insurance is usually on an AB or ABC basis and so will be eroded by things not covered under the Side A DIC policy (ie company Side B and Side C losses). Securities claim settlement sizes have been increasing: according to Cornerstone Research, in 2023 the median settlement amount was US$15m, the highest since 2010, and 34% of all settlements were over US$25m, the highest since 2012, and there was an increase in the number of mega-settlements. Defence costs in these claims have been reaching ever more eye-watering levels. Frequently securities claims (which often cause significant Side B and Side C losses) will be accompanied by a “parallel” derivative claim (eg Wells Fargo). Indeed, according to Cornerstone Research, 47% of all US securities claims that settled between 2017 and 2023 were accompanied by a derivative claim.

The costs of defending a derivative claim may be indemnifiable depending on the jurisdiction, but settlements or judgment amounts will almost never be. By the time the derivative settlement comes along all underlying limits may have been exhausted. The size of US derivative settlements has been steadily increasing in recent years (see last year’s record Tesla settlement at $735m, with ten other settlements over $100m in the last four years). Even without a securities claim, this trend indicates a derivative settlement on its own could wipe out all underlying insurance, bringing the Side A DIC policy firmly into play.

10. The future for Side A DIC?

Side A DIC is as relevant today as it has ever been, perhaps more so. It has become a vital part of the directors’ safety net. And it is no longer just “sleep easy” cover: it is paying claims.

CROWDSTRIKE AND ACCESSING THE CYBER INSURANCE

The CrowdStrike outage impacted most of us in some way or another. But how might it have impacted cyber policies? We take a look.

If not before, it became necessary for many of us to become acquainted with cyber a few years ago when the UK’s FCA required insurers to better understand the cyber exposures arising from their non-cyber products, and Lloyd’s insurers were then required to clarify expressly, in their policies, the extent to which non-cyber products gave cyber-related coverage (aka “silent cyber”). The reason for this is that cyber cover had, and still has, the potential to overlap with other policies, given that it responds to events affecting the Insured’s computer systems. Those events may have been caused or contributed to by perils covered under other policies, or may themselves cause insured events under other policies.

How Cyber is accessed

Cyber products can vary a lot – this may be a consequence of the fact it is still a relatively immature product compared with others. However, many follow a similar pattern and contain up to three gateways to the cover:

1. Security Failure

2. Privacy Breach

3. System Failure

So, you generally need one of these before you can access some cover. It follows that the definitions of these gateways will have a very significant bearing on the breadth of the cover and how often it may be triggered.

Overlaying these gateways are the heads of cover offered: liability claims, investigations, business interruption, breach response costs and so on. You have to match these up with a gateway to see where the cover is. Usually not all covers are given for all gateways. This may be partly because some covers only really respond to a certain gateway – breach response costs being an example (Privacy Breach) but it is also a way in which insurers carefully control the cover given under the policy.

Once you have matched the required head of cover with the right gateway you have accessed the policy and there will be cover subject to any relevant exclusions and conditions that might apply.

How about CrowdStrike?

Developing this theme a bit more – how might an outage as a result of the CrowdStrike software update failure impact a cyber insurance policy?

First, some background.

On 19th July 2024, CrowdStrike, a company that provides antivirus software for Microsoft Windows devices (among others), sent out an update for its Falcon security software. This update apparently had a fault in it which, when rolled out, impacted 8.5 million devices worldwide. Those impacted were primarily using the Falcon software on Windows 10 and above; the result was a system outage, with a “Blue Screen of Death” (BSOD) appearing on the impacted systems and millions of machines across the globe crashing.

This caused havoc around the world! It caused panic and had a significant impact in many sectors worldwide.

Notwithstanding CrowdStrike rushing out a fix soon afterwards, in some cases the disruption to business went on for weeks.

The worldwide losses, according to some estimates, have been to the tune of US$10 billion. According to insurance analyst estimates, global insured losses related to the CrowdStrike outage have been estimated to be in the range of $400m to $1.5b, potentially making it one of the largest cyber insurance losses ever.

Where is the Cyber Cover?

As stated above, cyber policies can vary considerably and there are regional variations. This will affect whether and to what extent a policy will provide cover in respect of the CrowdStrike incident. The thought process might go a little like this (obviously this is a dumbed-down hypothetical, and the outcome would depend on the actual circumstances of the Insured and the actual wording of their policy):

1. Check which gateways might apply. Here it was fairly quickly established that businesses suffered no obvious security failure or privacy breach. So, we are left only with System Failure as a gateway to cover.

2. Apply the System Failure gateway to the relevant head of cover to see if there is a match. Assuming the outage mainly caused an interruption of the Insured’s business, we would be looking at the business interruption (“BI”) cover, if the policy includes it. Does this cover match the gateway (System Failure)? In some policies the BI cover is only matched with Security Failure (ie something done maliciously which breaches the Insured’s security). This would result in there being no cover.

3. However, in those policies where System Failure is a gateway for BI cover, the policy will potentially be accessed so long as the definition of System Failure embraces a failure whose cause was external (ie CrowdStrike). This matters because, often, System Failure is defined as a failure whose cause lies solely within the Insured’s own computer system. You would need to dig more deeply into the wording and check the definition of System Failure here. Will it embrace an external cause? If yes, the policy can be accessed and there is cover subject to the BI “Waiting Period” and any exclusions that might apply (such as infrastructure).

4. If the definition of System Failure does not include where the cause is external, there would be no cover as the definition is not satisfied and so there is no gateway to the BI cover.

5. Could there be any other relevant cover for a BI loss in the policy? There may still be possibilities if the policy includes “Dependent Business Interruption” which is cover specifically for where a business interruption is caused by an issue in an external business on which the Insured is dependent (ie CrowdStrike). However, if there was no match between System Failure and the Business Interruption cover in the policy (as referred to in (2) above) there is unlikely to be a match between System Failure and Dependent Business Interruption cover either.

Regional Variations

Most cyber policies in the London market provide BI and many provide Dependent BI as heads of cover. They will also include System Failure as a gateway, however, the cover may not necessarily be matched in the way described above. Further, even if matched, System Failure may be limited to an internal, rather than external, cause. Given the product variations, the amount of cyber cover provided in practice will often come down to the exact wording, which means that wordings need to be carefully considered by both buyer and seller.

Interestingly, in the Indian insurance space, most cyber policies do not offer coverage in respect of System Failure in the base wordings. Generally, in most cyber policies the gateways are either Security Failure or Privacy Breach. However, some insurers do offer BI cover for System Failure as a small sublimit (USD 150k to USD 500k), by way of an endorsement. Also, there are a few insurance companies providing other covers in respect of System Failure, but the extent of the coverage is very limited. For some large multinational clients, the brokers have been arranging reinsurance support for this coverage.

Summing Up

Post CrowdStrike, insurers everywhere have been receiving claims notices under cyber policies, mainly for BI (or Dependent BI) due to System Failure, but much covered loss is expected to fall within the Waiting Period deductible of 12 hrs to 24 hrs.

With insurers and reinsurers now having witnessed the significant damage that could be caused by System Failure coverage and recognizing the potential for even greater losses in the event of a Security Failure, the insurance industry will be approaching this risk with increased caution. It will be interesting to see whether in the end CrowdStrike causes policies to provide broader System Failure coverage (based on customer demands), or have the opposite effect given the potential losses.

In conclusion, wherever cyber is provided, cover in respect of System Failure is carefully controlled by markets given the potential for “systemic” losses. The most likely coverage under a cyber policy for BI as a result of the CrowdStrike outage would appear to be where BI (or dependent BI) cover is given for System Failure and “System Failure” includes external as well as internal sources of failure.

Produced in collaboration with Oorjita Lath, partner of Okube Advisors LLP

oorjita.lath@okube.in

Okube Advisors LLP was founded by Oorjita Lath (LinkedIn profile: www.linkedin.com/in/oorjita-lath-13a55112). Oorjita has extensive experience in the Financial Lines & Casualty domain, having pioneered the Financial Lines and Liability Insurance space in India. She has also specialized in the Cyber Insurance domain and has been a speaker and author at both National and International forums. Oorjita began her Insurance journey as a Liability Underwriter at ERC Chicago and then at AIG India, and later established the Financial Lines & Liability Vertical for Aon, India. After more than 20 years as an Underwriter and National Head at leading Insurance Broking firms, she launched her Independent Consultancy in 2018. The primary goal was to simplify the complex world of insurance and offer services to Insurance Companies, Insurance Brokers, InsurTech companies, and Corporates. Okube Advisors LLP specializes in Product Development for New Policies, Reviews and revamps of existing policies to align with current Regulatory requirements and industry trends, Packaged Policies, and Pre-Underwritten policies for the SME sector. The firm also offers Claims Consultancy and other related services. For more information, visit www.okube.in.
