Welcome to the 2023 Global Directors’ and Officers' Liability Survey in collaboration with WTW. We have continued the international scope of our report, with responses from directors and risk managers in 40 countries around the world.
As directors and officers continue to be the subject of ever-increasing accountability, the report provides a global view of their perceptions of risk. From climate change to cyber-attacks, regulatory risks to criminal exposures, the market’s temperature remains hot in a turbulent geopolitical and global economic environment.
Following on from the report, we are releasing a series of separate articles on various topics, inspired by the survey responses, which will explore some of the results in more detail.
Regulatory risk remains in fourth place on the list of top risks for D&Os this year, but there were differences across the regions. Whilst between 36% and 60% of respondents from GB, US, Europe and Asia considered a regulatory breach as a very or extremely significant risk, that rose to 76% in Latin America and fell to just 8% in Australasia. As expected, larger companies and those operating in financial services placed the risk higher than companies operating in other sectors and with lower revenue.
In GB, the Financial Conduct Authority (FCA) enforcement activity continues to be a substantial exposure for companies and D&Os. Specific target areas for the FCA are tackling unauthorised business and unsuitable advice (especially in the pensions arena) in its general push to improve consumer protection ahead of the incoming Consumer Duty. In addition, actions relating to failures in systems and controls are increasingly common, with significant penalties imposed on both companies and senior management for a range of failures.
Financial crime continues to be a priority, with the FCA utilising all powers at its disposal, including its criminal powers, successfully securing a prosecution against a large bank and imposing a substantial fine, in addition to announcing that it has charged directors who were allegedly operating a scheme to defraud investors (trial is imminent). Corporate criminal liability reforms are also being debated, though whether these will result in more actions against directors remains to be seen.
As with other jurisdictions, ESG (which will be discussed in more detail in a separate article) and crypto regulation have moved up the regulatory agenda. In the latter regard, in February 2023, HM Treasury published a consultation paper on the UK regulatory approach to cryptoassets, looking at the risks and opportunities and how the sector could be regulated. The market is still in its infancy and many concerns have been noted, not least of which is the potential use of crypto exchanges to launder money and finance sanctioned entities (the FCA is proactively applying its powers to refuse or withdraw applications for authorisations of such exchanges). Risks for D&Os will likely lie in disclosures, making sure the risks are adequately captured and reported on. There may also be risks in accepting crypto as payment, especially given its notorious volatility. In the M&A space, due diligence must be conducted carefully to understand the potential risks the company is taking on which could expose the company and its D&Os to a range of actions, including regulatory investigations.
The top three risks to directors and officers (D&Os) remain unchanged from last year – cyber-attacks, data loss and cyber extortion – strongly emphasising that these risks are here to stay and present many challenges to D&Os.
Top 7 D&O risks - 2023
With the GDPR having been in force for a few years now, companies and D&Os have witnessed the significant fines that can be levied by data protection authorities following a breach and the law is still developing on claims from data subjects. In addition, the first-party costs following a breach can be considerable and there is the prospect of third-party claims. Cybersecurity is, of course, of paramount importance but it can be very challenging to keep pace with the ways and means that attacks are perpetrated, meaning that regulatory actions for systems and controls failures (which have been a keen focus for financial regulators in recent years) can be added to the risk landscape.
Regulatory risk, more generally, continues to be of concern, and with good reason. In recent years there has been heightened scrutiny by more proactive and aggressive regulators (whose enforcement activity has largely rebounded following the pandemic), ever-increasing regulatory requirements and a keen focus on holding wrongdoers to account. Regulators continue to focus on tackling financial crime and market abuse, improving consumer protection, as well as having an increasing emphasis on ESG, including climate-related risks, and crypto regulation. We can expect to see regulators flexing their powers in due course in relation to these emerging risks.
It is clear from the survey that D&Os are also apprehensive about criminal risks – both falling foul of criminal laws and organisations being a victim of crime, such as cybercrime. The risk of health and safety prosecutions came fifth on the top seven list. Companies are under a duty to do all that is reasonably practicable to protect the health and safety of their employees and to provide a safe workplace. Failures in this regard can lead to significant fines being imposed and, in some cases, prison sentences handed out where there has been a particularly egregious failure. In England and Wales, D&Os can face prosecution if the offence has been committed with the consent, connivance, or neglect of the director(s) in question and many other jurisdictions carry similar provisions. Like most other public sector bodies, prosecuting authorities built up a backlog of cases during the pandemic which are now being brought to fruition, leading to high levels of activity. We shall have to see if these levels will be sustained or will taper off once there is some distance from the pandemic.
Bribery and corruption investigations are costly and often cross-border, and prosecutors have been cooperating on an international level to stamp out the behaviour. In addition to direct offences, some jurisdictions, such as the UK, have enacted “failure to prevent” criminal offences for corporations, which could result in follow-on prosecutions for D&Os in the pursuit of a deferred prosecution agreement.
What the top seven list clearly shows is that D&Os are faced with a range of challenging exposures, which could lead to significant consequences. Risk management and the implementation of adequate systems and controls are key to preventing and mitigating these risks.
Sanctions have quickly become the foreign policy tool of choice for countries around the world amidst the increasingly heated geopolitical climate over the past few years. Thus far, the EU, UK, US and their partner countries have imposed a series of extensive trade and financial sanctions packages against Russia, which are targeted at undermining Russia’s ability to continue the conflict.
The ever-changing sanctions landscape
Navigating an ever-changing sanctions landscape can be challenging for companies and their D&Os and it is no surprise that the risk of breaching sanctions has leapt into the top seven risks for those in financial services, especially the largest of companies within that sector.
Whereas trade sanctions target particular goods, a major component of financial sanctions is asset freeze measures, which freeze the assets of designated individuals and entities determined to have engaged in malign conduct. These measures will typically contain a prohibition imposed on all natural and legal persons within the relevant jurisdiction from making funds or economic resources available to, or for the benefit of, designated individuals and entities. Such prohibitions generally also apply to entities that are owned and/or controlled by designated persons despite such entities not themselves being expressly designated. Violation of asset freeze prohibitions can result in significant fines, unfavourable press and, in some cases, the violator itself becoming designated.