Risk & Resilience: Threat posed by D&O risk environment leaves no room for complacency
This article was first published in Insurance Day on 9th July 2021: Focus: Threat posed by D&O risk environment leaves no room for complacency.
With the global pandemic presenting the biggest test of business strategy, agility and competence in a generation, Beazley has launched the first in a series of reports based on a survey of 1,000 senior executives in the US and the UK, across 10 industry sectors examining business leaders’ sentiments towards four key risk areas: technology; business; environmental and political; and economic. The findings are extensive but three key interconnected areas should be on the watchlist for all directors and officers and their insurers.
With cyber attacks becoming more complex and frequent, organisations have little choice but to prioritise these threats; failure to do so would be a clear breach of duty, leaving directors and officers vulnerable to claims, as well as regulatory action. It is not surprising, then, that cyber was ranked as the highest technology-related risk, with more than one-third (34%) of respondents putting it top.
More surprisingly, however, our research reveals cyber is also the technology threat to which businesses feel most resilient. As digital trading becomes more ubiquitous, so does the perception of safety in numbers (it will not happen to me) and high levels of confidence that security measures are effective. There is a sense in the responses that if businesses survived 2020, they can survive anything.
But even if business leaders feel confident, ransomware statistics in particular paint a conflicting picture. As these threats continue to morph and change, it is increasingly important to focus on building strong resilience and security defences to reduce exposure to cyber risk in all its many forms.
Many organisations may think they have mitigated all cyber risk, sometimes because of a misplaced confidence in steadily advancing technological solutions. Defence tactics are frequently restricted to building a high wall over which attackers must jump, but limited budgets and a constantly shifting attack landscape mean there is always a soft spot that allows threat actors to implement their attack.
The reality is cyber criminals are well funded and resourced, innovative and able to quickly leverage vulnerabilities for maximum gain. What is absolutely key is to maintain continual investment in building cyber defences; seeing it as a “one-time” expenditure risks leaving you more exposed to evolving threats and more vulnerable to directors’ and officers’ (D&O) liability losses.
Regulatory compliance (or the lack of it) is another perennial driver of D&O claims. Since the pandemic, regulatory risk has heightened, with every aspect of how, when and where to do business; how to manage the customer interface; how to enforce or adapt employment contracts; reporting and accountability, all coming under scrutiny. Add to this the rising tide of environmental, social and governance and climate change reporting and it is little wonder that business leaders are concerned about regulatory risk. More than one-third (36%) rank this as their primary concern in this category, 15 percentage points higher than economic uncertainty.
This regulatory burden is only going to intensify. Reporting rules relating to both the Taskforce on Climate-related Financial Disclosure (TCFD) and the new EU Corporate Accountability Directive will come into effect from January 1, 2022. These will require many companies to report at a level of detail never before imagined, on a wide range of areas that were previously not subject to scrutiny.
The EU’s General Data Protection Regulation rules, although now familiar, also create a “fear factor” for many businesses. The rising incidence of cyber crime makes it inevitable that in our technology-dependent world they will be exposed to threats outside their control, substantial fines and the associated risk of reputational harm.
According to our research, environmental risks sit at the bottom of the ranking for business leaders, with just 12% saying it is the area of risk that is most important to them. Threats in this category – for example, climate change and pandemic risk – are perhaps seen as systemic, existential concerns. However, they have the potential to dwarf all others.
The question we need to consider is whether this is a case of looking the other way: directors and officers are aware these risks are looming but, for now at least, their attention appears to be on more immediate and pressing risks such as cyber and managing the ramifications of the pandemic.
However, this is not a risk that can be put on the back burner for too long. Three classes of climate change risk – physical, transition and liability – are rapidly becoming drivers of reputational risk that directors and officers will face if they have not made obvious and systematic attempts to address them.
It is not just the insurance sector that is under scrutiny. From manufacturers to oil companies, stakeholder dissatisfaction is spilling over into direct action. And as more high-profile disputes reach the courts, this is only likely to spur increased litigation against companies, their directors and officers.
Against this high-threat backdrop – and our research indicates 85% of business leaders feel they are operating in a moderate to high-risk environment – there is a high degree of confidence, with 91% saying they feel moderately or highly resilient to risk. But while this bodes well for a strong recovery, there are some tests ahead, for directors and officers and for the insurance industry, as we look to accommodate emerging and systemic risks in an effective and cost-effective way and sustain our role as trusted risk partners.