WTW's Financial, Executive and Professional Risk (FINEX) practice collaborates with professionals from across the D&O insurance industry to gain insight into the many aspects of our business. In our "D&O Professionals Series," we highlight professionals from a variety of industry sectors, ranging from executive D&O underwriters to securities lawyers, roofing advisors and others. Our goal is to discuss how the ever-changing conditions of the broader economy and business have impacted D&O risk, securities litigation, and our industry more broadly.
Focusing on the French market, Daniel Kadar and Margot Lacaud of Reed Smith LLP discuss the critical issues that shape liabilities and risks.
WTW: What developments have you seen in D&O risk for global financial institutions over the past few years? How does the position differ for commercial organisations?
Reed Smith (RS): Financial institutions are subject to complex regulations that impose strict compliance requirements and oversight by authorities such as the AMF. Since the incorporation of the MiFID II Directive and its Delegated Regulation (EU) 2017/565 into French law, financial institutions have faced stringent compliance obligations, particularly for their leadership. In a note dated 6 June 2021, the AMF reiterated that its General Regulation and the Delegated Regulation mandate that investment firms ensure these obligations fall under the responsibility of their governing bodies (Note 06/06/21).
While commercial enterprises also face regulatory developments, these are often related to competition, defective products, or commercial practices. For instance, the August 22, 2021 Climate and Resilience Law amended Article L.121-2 of the Consumer Code, extending deceptive commercial practices to include greenwashing (Law 22/08/2021).
Recent regulatory changes have increasingly emphasized ESG concerns, affecting both financial and commercial institutions. However, financial institutions, particularly banks, have been at the centre of public debate in recent years, as highlighted by the 2020 OXFAM France reports on the impact of banks on the climate (Oxfam's report).
Notable developments include:
These new regulations create additional oversight and consequently new risks for directors and officers, who may face liability if they fail to uphold social interests or address climate concerns (source). In the 2023 Climate commitment barometer published by AMRAE in partnership with AXA Climate, the majority of risk managers surveyed reported that their organizations have implemented climate risk governance, with 95% preparing for the CSRD, which is expected to further accelerate the structuring of climate risk management in organizations (AMRAE's 2023 barometer).
Cyberattacks are an increasing concern in France, particularly within the financial and insurance sectors, as highlighted by the 2023 report from the High Committee on Corporate Governance (report). Directive (EU) 2022/2555 on network and information security (NIS 2) expanded its scope, requiring entities to strengthen security measures and report to the national authority.
A director’s or officer’s personal liability can be triggered for failing to exercise due diligence in the event of a cyberattack or data breach involving a subsidiary or subcontractor. The duty of care requires directors to identify, prevent, and implement all necessary measures to avoid or mitigate the impact of a cyberattack (source).
According to the ANSSI, ransomware attacks in 2022 were fewer in number but more critical in their impact. The surge in remote work since the pandemic has significantly increased the opportunities for unauthorized access to systems (ANSSI’s 2022 report). The cyber insurance market continues to grow, driven in part by increased investments in information system security over recent years, which are now yielding positive results (AMRAE’s 2024 report). Indeed, according to the 2024 Cybersecurity Barometer for enterprises by Opinionway for Cesin, the overall rate of successful cyberattacks remained stable, with 87% of companies expressing confidence in available security solutions such as multi-factor authentication, firewalls, and endpoint detection and response systems (Cesin’s 2024 report).
Additionally, the GDPR has had a major impact on data management. Financial institutions, which handle vast amounts of sensitive personal data, have had to strengthen their security and compliance measures to prevent data breaches, thereby increasing the risk for directors in the event of an incident.
WTW: What D&O risks do you predict becoming significant in the near future and does this differ between global financial institutions and commercial organisations?
RS: Corporate Social Responsibility remains a major concern and is likely to become an increasingly significant risk in the future. Reports like those from Oxfam on the climate impact of banks highlight the urgent need to reform banking practices to address climate challenges. Financial institutions appear to be under intense public scrutiny. CSR was also a central theme in the AMF’s 2022 report on corporate governance and executive compensation, and it has been incorporated into the latest version of the AFEP-MEDEF code (AMF’s 2022 report). The High Committee on Corporate Governance in France has also identified CSR topics as key areas of focus for the coming year (The High Committee’s 2023 report).
Cybersecurity is certain to remain a priority in the future. In its November 2023 report, the High Committee on Corporate Governance in France indicated that cybersecurity remains one of the key areas of focus for the coming year (The High Committee’s 2023 report).
The committee highlighted “the rising threat of cyberattacks with a significant impact that could even jeopardize the survival of companies. These companies may become targets not only for cybercriminals but also for state actors. In this context of heightened risk, directors must stay informed about the measures in place to prevent cyberattacks and be prepared to respond appropriately in the event of an incident.”
According to the ANSSI’s 2023 Cyber threat panorama, the level of cyber threats continues to rise amidst new geopolitical tensions and international events in France. ANSSI identifies “attackers linked to China, Russia, and the cybercriminal ecosystem as the top three threats, targeting both critical French information systems and the national cybersecurity infrastructure as a whole” (source).
This is also reflected in Allianz’s 2024 Risk Barometer, where cyber incidents (cybercrime, IT network and service disruptions, malware/ransomware, data breaches, fines, and penalties) are identified as the top risk in France (Allianz’s 2024 report). The 2024 Cybersecurity barometer for enterprises by Opinionway for Cesin shows an increase in risks associated with unauthorized cloud use and Shadow IT, with 82% of chief information security officers reporting this trend. The development of AI intensifies the need to adapt security solutions. Consequently, the proportion of companies with cyber crisis training programs is rising, with 57% of companies conducting these exercises more frequently (Cesin’s 2024 report).
In light of recent international events, export controls and economic sanctions continue to evolve in a complex manner. The European Union has implemented a series of sanctions against Russia, including export bans on goods and technologies (source). The enforcement of these controls and restrictions relies on rigorous monitoring by customs authorities. In cases of violations of financial regulations with foreign entities, sanctions may be applied under the Customs Code (Article 459 of the Customs Code). Additionally, Directive 2024/1760 on the duty of vigilance also highlights the due diligence obligations related to exports (Recital 25 of the CSDDD).
Directors and officers must ensure compliance with these complex regulations by mapping their direct and indirect exposure to the affected countries and implementing internal policies and compliance procedures. This includes conducting comprehensive due diligence on their business partners to ensure they are not engaging with any sanctioned entities, whether directly or indirectly.
The European Commission also advises incorporating specific contractual clauses in import and export agreements. These clauses should mandate that all parties adhere to the applicable sanctions regulations and verify that the goods involved are not subject to any export restrictions (source).
WTW: What do you think are the greatest challenges for companies in managing D&O exposure?
RS: Directors and officers must navigate an increasingly complex regulatory environment. For example, CSR requirements have evolved from basic reporting to mandatory non-financial disclosures, and then to the adoption of the PACTE law and the European-level duty of vigilance. Regulations like MiFID II and its delegated regulation add to this complexity, increasing the liability risks for directors.
Companies face emerging risks, particularly cyberattacks and data breaches, which demand increasingly sophisticated protective measures. Directors and officers are responsible for ensuring that adequate security systems are in place to safeguard sensitive information. Additionally, new challenges related to artificial intelligence (AI) introduce further vulnerabilities. The integration of AI tools into existing systems can create new entry points for cybercriminals. Furthermore, AI can generate inaccurate outputs if the training data is biased. Directors may struggle to accurately assess and disclose the risks associated with AI, potentially exposing them to liability (source).
Managing D&O risks is further complicated by significant fluctuations in insurance premiums. Additionally, the most severe D&O claims typically take an average of five years to settle. This means that significant claims filed in 2023 may not be resolved until 2028, further complicating risk planning and management for companies (source).
WTW: How do you think that companies can maximise their D&O insurance recoveries?
RS: To maximize D&O insurance recoveries, directors and officers should ensure clear compliance with regulations and best practices. Regularly reviewing and updating insurance policies to align with evolving risks, such as cybersecurity and ESG concerns, is crucial.
Additionally, companies should engage in proactive communication with insurers and consider involving legal counsel early in the process to navigate potential coverage disputes.
According to the AMRAE Flash survey on 2024 renewals, 67% of risk managers adjusted their coverage by enhancing existing guarantees, purchasing new ones, or modifying deductible levels. While the proportion of excluded risks has generally remained stable, increases were reported in certain areas, including liability risks (37% of respondents) (AMRAE's 2024 Flash survey).
WTW: WTW’s Global Directors’ and Officers’ Survey this year showed a big change over previous years, with the subject of “Health & Safety” coming out as the number 1 risk concern for directors and officers. Even for the finance and insurance sector, Health & Safety appears as the number 4 risk for directors out of 28 (having not been in the top 7 at all for the finance and insurance sector last year). Does that reflect your expectations and what do you think could be the reason for the change?
RS: The growing importance of "Health & Safety" risks in the concerns of directors and officers reflects several recent trends:
WTW: Do you think AI will be a material D&O risk over the next three years? Why or why not?
RS: Given its rapid development and the challenges it represents, AI is most certainly bound to become a risk for directors and officers, maybe not immediately in the next few years, but in the near future.
The more companies start using AI, the more they will have to take responsibility for any negative consequences of its use. The European Commission plans to support investment in innovative technologies by ensuring legal certainty for businesses, but also to protect individuals by guaranteeing fair compensation in the event of damage caused by AI. (source)
To date, one of the Commission’s most successful texts is the proposal for an Artificial Intelligence Act, published on 21 April 2021. It aims to prohibit AI presenting risks deemed unacceptable, to subject high-risk AI to a compliance obligation, and to subject low-risk AI to a transparency obligation. (source) On 23 September 2022, the European Union moved closer to adopting an AI liability regime by adopting a proposal to amend Directive 85/374/EEC of 25 July 1985 on liability for defective products and a proposal for a Directive adapting the rules on non-contractual civil liability to the field of artificial intelligence. (source) These obligations represent additional points of vigilance for directors and officers, to which their attention must be drawn.
In any case, if AI really did take its place on the board, it is conceivable that the AI would be programmed to act prudently and comply strictly with the applicable regulations. The ability of AI to analyse large amounts of information quickly would perhaps be a response to the time constraints to which individual directors are subject.