The results of the 2024/2025 Global Directors’ and Officers’ survey make for interesting reading for the Directors and Officers of financial institutions. This year we suggest that events in the public domain may have been front of mind as respondents ranked risk, and that such high-profile events therefore influenced the results. We compare and contrast those results with our own (backwards-looking) claims data and experience.
Last year we examined the potential causes of health and safety risk being ranked highly (at number four) for the first time. Perhaps, we suggested, this was linked to an increased regulatory focus on non-financial misconduct. If so, that risk has already diminished slightly in the eyes of senior leaders, with health and safety falling to 6th place for financial institutions, whilst remaining of paramount concern in other industries, such as energy and utilities, industrial and healthcare. We have, however, noted at WTW an increase in the number of employment practices claims notified to insurers by financial institutions, often related to whistleblowing or health issues, and we will continue to watch this space carefully.
This year the highest level of concern for global financial institutions related to data losses and to regulatory breaches. Taking data losses first, 79% of respondents considered data loss a very or extremely important risk, very closely followed by cyber attack (including cyber extortion) at 78%. This may be related to high-profile events in 2024 such as the CrowdStrike cyber incident. This incident resulted in a securities fraud class action which alleges that the company made misrepresentations when it “repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified.’” The data mined by WTW’s Claudia Piccirilli illustrated that companies with cyber events increased their D&O risk from 5% historically to 68% with a breach.
The system failures caused by CrowdStrike’s software updates resulted in its share price declining by 30% over the few days following the incident, with the company’s market capitalisation decreasing by nearly $12.5 billion.[1] Furthermore, a recent analysis of WTW FINEX cyber claims data found that, in the US, D&O claims followed closely in time after a cyber event or incident. This data helps to predict the likelihood of a D&O claim after a cyber event and highlights the need for enhanced cyber security measures and incident response planning.
Perhaps surprisingly, given its rapid rise in the public’s consciousness and its ability to be used for bad as well as good, AI and machine learning did not feature highly as a risk in the survey, with 57% considering it a very or extremely important risk. Similarly, when asked where the board should be spending more time, AI was one of the lowest-ranked topics overall as well as for the Finance and Insurance sector. It did, however, rank slightly higher in materiality to the business for Finance and Insurance, at 8th out of 12 topics, compared to the overall result, where AI was one of the lowest-ranked topics. At WTW we consider that, whilst AI presents opportunities for innovation and efficiency, it also introduces data and cyber security risks.[2]
Regulatory breaches may of course materialise as a consequence of a wide range of issues, including breaches of cyber security. That said, for financial institutions it is perhaps not surprising that, whilst the risk of regulatory breaches ranked high on the list of concerns (with 78% considering it a very or extremely important risk in 2024), it was fairly closely followed by concern about breach of sanctions (at 70%). The sanctions and financial crime regimes in the current geopolitical environment are fast-moving and concerning for financial institutions, and these risks may have been front of mind due to events in the public domain. The largest fine in relation to financial crime in 2024 was a fine of USD 3 billion imposed in North America, whilst in Australia a fine of USD 42 million was imposed. In October 2024, a UK bank was fined GBP 29 million for failures in relation to sanctions screening. As the bank grew, it simply could not keep up with measures to tackle financial crime.
Whilst the survey reflects perceived risk, the risks identified are not inconsistent with our own claims data and experience in Global Financial Institutions. Over the past 5 years the number of claims notified to cyber policies has increased, and there was also an increase in claims notified to D&O policies between 2023 and 2024. Of the Global Financial Institutions cyber notifications in our proprietary database, for the past 2 years the highest number have related to malicious data breaches, followed by ransomware and accidental data breaches. In 2024, accidental data breach outstripped ransomware for the first time in a 5-year data set.
We do not record the correlation between regulatory fines and D&O claims, but it is clear that, to the extent a fine leads to a stock drop, a securities claim may well follow.
On balance, the C-suite seem to be looking in the right direction in their concerns around cyber and regulatory risk, but ought perhaps to pay more attention to the downsides of generative AI. And don’t forget non-financial misconduct. It may not have gone away.