The top three risks to directors and officers (D&Os) remain unchanged from last year: cyber-attacks, data loss and cyber extortion. This strongly emphasises that these risks are here to stay and present many challenges to D&Os. With the GDPR having been in force for a few years now, companies and D&Os have witnessed the significant fines that data protection authorities can levy following a breach, and the law on claims from data subjects is still developing. In addition, the first-party costs following a breach can be considerable, and there is the prospect of third-party claims.
Rank | 2018 | 2019 | 2021 | 2022 | 2023
---|---|---|---|---|---
#1 | Cyber attack | Cyber attack | Cyber attack | Data loss | Risk of data loss/data breach
#2 | Data loss | Data loss | Data loss | Cyber attack | Cyber attack
#3 | Cyber extortion | Cyber extortion | Regulatory risk (including threat of fines and penalties) | Regulatory risk (including threat of fines and penalties) | Regulatory and other investigations
#4 | Regulatory risk (including threat of fines and penalties) | Regulatory risk (including threat of fines and penalties) | Risk of health and safety/environmental prosecutions | Litigation risk | Health and safety legislation
#5 | Health and safety prosecutions | Risk of health and safety/environmental prosecutions | Risk of employment claims | Focus of a social media campaign | Criminal and regulatory fines and penalties
#6 | Bribery and corruption | Your organisation being a victim of a crime | Focus of a social media campaign | Your organisation being a victim of a crime | Class action lawsuits against the company and its directors
#7 | Your organisation being a victim of a crime | Bribery and corruption | Your organisation being a victim of a crime | Risk of health and safety/environmental prosecutions | Employment practices claims
Cybersecurity is, of course, of paramount importance, but it can be very challenging to keep pace with the ways and means by which attacks are perpetrated. This means that regulatory actions for systems and controls failures (which have been a keen focus for financial regulators in recent years) can be added to the risk landscape.
Regulatory risk, more generally, continues to be of concern, and with good reason. In recent years there has been heightened scrutiny by more proactive and aggressive regulators (whose enforcement activity has largely rebounded following the pandemic), ever-increasing regulatory requirements and a keen focus on holding wrongdoers to account. Regulators continue to focus on tackling financial crime and market abuse and on improving consumer protection, with an increasing emphasis on ESG, including climate-related risks, and on crypto regulation. We can expect to see regulators flexing their powers in due course in relation to these emerging risks.
Despite the global focus on Corporate Social Responsibility and ESG being a hot topic in the boardroom, climate change has featured in the top seven risks for D&Os in only two of the six regions surveyed: Great Britain and Australasia. Interestingly, though, climate change did feature as the number one risk within GB this year, ahead of cyber extortion, data loss and cyber-attack, which have dominated the top three risks within the region for the last three years running. It is clear that any disclosure requirements create liability, but how companies and boards tackle the issue of complying with their ESG requirements will be as big a liability as not complying or not reaching targets.
There are potentially huge knock-on effects to acting in this space, not only for the company itself but also in terms of people and economies. Boards will need to fully understand all this before acting, or they could bear the brunt of claims arising from the mishandling of their ESG policies.
It is clear from the survey that D&Os are also apprehensive about criminal risks, both falling foul of criminal laws and organisations being a victim of crime, such as cybercrime. The risk of health and safety prosecutions came fifth on the top seven list.
Companies are under a duty to do all that is reasonably practicable to protect the health and safety of their employees and to provide a safe workplace. Failures in this regard can lead to significant fines being imposed and, in some cases, prison sentences being handed out where there has been a particularly egregious failure. In England and Wales, D&Os can face prosecution if the offence has been committed with the consent, connivance or neglect of the director(s) in question, and many other jurisdictions carry similar provisions. Like most other public sector bodies, prosecuting authorities built up a backlog of cases during the pandemic which are now being brought to fruition, leading to high levels of activity. We shall have to see whether these levels will be sustained or will taper off once there is some distance from the pandemic.
Bribery and corruption investigations are costly and often cross-border, and prosecutors have been cooperating at an international level to stamp out the behaviour. In addition to direct offences, some jurisdictions, such as the UK, have enacted "failure to prevent" criminal offences for corporations, which could result in follow-on prosecutions for D&Os where the corporation pursues a deferred prosecution agreement.
What the top seven list clearly shows is that D&Os are faced with a range of challenging exposures, which could lead to significant consequences. Risk management and the implementation of adequate systems and controls are key to preventing and mitigating these risks.
Top 7 risks - Directors' and Officers' Liability Survey 2022/2023 (0.9 MB)