Guide to Directors and Officers Insurance

Director & Officer Liability (D&O) Underwriting Fundamentals

Directors and officers liability (D&O) insurance is a fundamental component of any company’s risk management program. A lack of D&O insurance may dissuade talented individuals from seeking an executive position at your company, as they don’t want to put their personal assets at risk in the event of a lawsuit.

As a savvy business owner looking to protect your bottom line, how do you weigh the cost of insurance to protect your senior leadership against the potential risk of a lawsuit? As regulatory investigations and defense expenses increase, prices for D&O insurance have gone up as well. Corporate indemnification provides the first line of liability protection, but certain circumstances—most notably, if the company goes bankrupt—necessitate additional protection for directors and officers.

A variety of factors determine the price of a company’s D&O insurance. Some low-risk companies pay pennies on the dollar; others pay a lot more, but they understand it’s a lot less than the expenses they’d incur in a lawsuit. Recognizing the cost drivers of D&O insurance—a company’s exposures, legislation and trends in D&O lawsuits—can help you decide what coverage your company needs to mitigate its unique exposures.

Company Characteristics and Exposures

Public, private and nonprofit corporations with assets of all sizes purchase D&O liability insurance. To determine the cost of premiums and the limits of coverage, insurers review several facets of the company’s structure and price D&O insurance accordingly. Some of these attributes include the following:

  1. Is the company mature or young and developing? Companies with less experience and a shorter history of proven effective management can be a riskier policy to underwrite than well-developed companies that have experienced directors and officers.
  2. What industry is the company involved in? Operating in certain industries, such as investment banking and securities, may expose a company’s executive management to more risks than those faced by the board members of a small nonprofit.
  3. Is the company financially stable? Insurers consider the amount of debt a company has. Corporate indemnification usually protects directors’ and officers’ personal assets. However, if the company’s finances are unstable, it has an increased chance of becoming insolvent during a lawsuit.
  4. Is the company planning on going public soon? Initial public offerings, the most common way to go public, increase the exposures for a private company. Issues such as a lack of disclosure, or the company’s performance failing to meet expectations, are significant risks for directors and officers during this process.
  5. Does your company have employees? From nonprofits to large, publicly held companies, employment-related claims are the primary cause of lawsuits against an organization’s directors and officers.
  6. Does the company operate in foreign markets? Conducting business internationally can complicate the D&O insurance needed. For example, in addition to domestic laws, European countries have their own set of regulations to follow.
  7. What is the company’s history of past litigation? Insurers will analyze a company’s history of

What Type of D&O Coverage Do You Need?

Your organization’s unique attributes and risks will determine the extent of D&O insurance coverage you need. The type of coverage affects the cost, and it’s important to understand the different types of D&O insurance to determine what covers your risks. Policy options include:

Side A: This coverage protects directors and officers when indemnification is not available. For example, if the company goes bankrupt during a lawsuit, this coverage would protect directors’ and officers’ personal assets.

Side B: This coverage reimburses a company’s indemnification obligations.

Side C: This coverage protects the company itself in the case of a lawsuit.

Employment Practices Liability (EPL): This coverage protects directors and officers against wrongful termination, discrimination (age, sex, race, disability, etc.) or sexual harassment suits from current, prospective or former employees.

Fiduciary Liability: This coverage protects the fiduciaries of employee benefit plans from ERISA lawsuits, previous lawsuits and any adverse business developments and executive management changes.

Current and New Legislation

Securities and Exchange Commission (SEC) regulations continue to impact the cost of D&O insurance. Publicly held companies especially must be cognizant of and keep current on SEC disclosure obligations and provisions in the Sarbanes-Oxley (SOX) Act of 2002, which was enacted in response to the corporate scandals of Enron, Tyco, WorldCom and others.

Also, recent changes to the Dodd-Frank Wall Street Reform and Consumer Protection Act have caused a spike in whistleblower reporting, bringing to light many D&O claims and increasing the need for D&O insurance. The new whistleblower provision in the Act now gives whistleblowers a “bounty,” or monetary compensation, if the lawsuit results in more than $1 million in monetary sanctions. Given this new incentive, there has already been an increase in the number of whistleblowers who have come forward since the Act added the provisions in early 2011.

Trends in D&O Lawsuits

Even after a thorough assessment of a company’s risks, D&O insurance continues to be a high-severity product, as carriers are often hit unexpectedly with catastrophic claims. It’s no surprise that as litigation increases, the price of D&O insurance increases as well. In addition, as the litigation process grows lengthier and if multiple lawsuits erupt from a single transaction, a company can quickly exhaust its primary layer of D&O coverage.

Some types of lawsuits occur less often, but result in catastrophic losses. Other types result in smaller payouts, but occur more frequently. Nonetheless, defense expenses can cost millions of dollars, even if the director or officer is not found liable. Some of the types of lawsuits that affect directors and officers include the following:

  • Breach of fiduciary duty lawsuits
  • Employee Retirement Income Security Act (ERISA) lawsuits
  • Employment-related lawsuits
  • Mergers and acquisitions (M&A) and “merger objection” lawsuits
  • Securities class-action lawsuits
  • Shareholder derivative suits

Within the last few years, there has been an increase in M&A lawsuits. In 2014, there were more than 600 lawsuits regarding M&A. Some M&A cases involve multiple lawsuits and a lengthy litigation process, which can deeply cut into a company’s primary D&O policy.

Know What Your Policy Covers

While many companies focus on the cost of their D&O policy, understanding the scope of the policy is even more critical. Most D&O policies are renewed yearly, and the terms and conditions can change. Read through your policy carefully. Be aware of the following:

  • Look at the limits of your liability. Are they enough to cover your exposures? Companies with a lot of risk exposures usually find that they need more than just the primary coverage, and purchase excess insurance as well.
  • Be aware of exclusions; most D&O policies do not cover claims that arise from fraudulent or criminal acts.
  • For some insurance carriers, Employment Practices Liability (EPL) insurance and Fiduciary Liability insurance are policies that are purchased separately from primary D&O insurance. Don’t assume they are automatically included in your D&O policy.

Protecting Your Home from Wind Damage

Floods, lightning strikes and other common storms can endanger your home, but you also need to consider the risks of the wind damage that accompanies these weather events. High winds can cause significant damage to your home’s roof, windows, doors and siding. And since wind is usually just one factor of dangerous storms, any wind damage could create openings that would further expose your home.

Here are some ways you can protect your home:

  • Roof—Inspect your roof from the ground to ensure it’s fully covered. If you notice any damage, you should consider having it inspected professionally to ensure it’s up to code and that all of the shingles are secure.
  • Doors—Make sure your doors are made of a strong substance that isn’t heavy enough to present a risk if it’s torn off, such as solid wood or a hollow metal. You can also secure your existing doors by installing additional hinges or deadbolts.
  • Windows—Install impact-resistant shutters on large windows to protect your home from changes in air pressure and flying objects.
  • Yard—Remove any trees or other foliage that could come loose and fall on your home in high winds.

After a storm passes, you should inspect your home for damage as soon as possible. Contact Tooher-Ferraris 203.834.5900 if you need to make a claim or have questions about your insurance coverage for wind damage.

FMCSA FAQs—National Drug and Alcohol Testing Clearinghouse

On Dec. 5, 2016, the Federal Motor Carrier Safety Administration (FMCSA) issued a final rule that aims to improve roadway safety by establishing a National Drug and Alcohol Testing Clearinghouse.

Under the final rule, motor carriers and other employers of commercial motor vehicle (CMV) drivers must use the Clearinghouse to ensure that current and prospective employees do not have any unresolved drug and alcohol violations that render them ineligible to operate a CMV. Employers will also be required to report information about positive drug test results, alcohol test results greater than 0.04 blood alcohol content, refusals to test and other non-test violations of FMCSA’s drug and alcohol regulations.

These requirements take effect on Jan. 6, 2020, the date that the Clearinghouse is scheduled to become operational. Employers, CMV drivers and other parties will need to register to use the system and may sign up to receive an email notification that registration is open.

FMCSA HIGHLIGHTS

  • The Clearinghouse will allow motor carriers and other employers to identify drivers who are ineligible to operate a CMV.
  • It will contain information about violations by employees who are subject to drug and alcohol testing under FMCSA regulations.
  • Employers must use the database to ensure current and prospective employees do not have unresolved violations.

IMPORTANT DATES

  • Jan. 6, 2020—Employers must begin using the Clearinghouse and must also make manual inquiries with former employers.
  • Jan. 6, 2023—Employers will no longer be required to request data from a driver’s previous FMCSA-regulated employers.

Clearinghouse FAQs

What information will the Drug and Alcohol Clearinghouse contain?

The Clearinghouse will contain records of violations of drug and alcohol prohibitions in 49 CFR part 382, subpart B, including positive drug or alcohol test results and test refusals. When a driver with a drug and alcohol program violation completes the required Return-to-Duty (RTD) process, this information will also be recorded in the Clearinghouse.

Who is authorized to use the Clearinghouse?

To access the Clearinghouse (once it is operational), a user must request access from the FMCSA by registering. Authorized users will include:

  • Motor carriers and other employers with drivers operating CMVs that require a commercial driver’s license (CDL) or commercial learner’s permit (CLP);
  • CDL/CLP drivers;
  • Consortium/third-party administrators;
  • Medical review officers;
  • Substance abuse professionals;
  • State driver licensing agencies; and
  • Federal and state enforcement personnel

Will a prospective employee’s drug and alcohol violation history with Department of Transportation (DOT) modes other than the FMCSA be available in the Clearinghouse?

No. The Clearinghouse will contain only drug and alcohol program violation information for employees subject to the testing requirements under the FMCSA regulations in 49 CFR part 382. Employers must continue to request information from previous employers if an employee was subject to DOT drug and alcohol testing required by a DOT modal administration other than FMCSA (as required by §391.23(e)(4)(B)).

May employers report the results of non-DOT drug or alcohol tests to the Clearinghouse?

No. Only results of DOT drug tests, alcohol tests or test refusals may be reported to the Clearinghouse. While employers may conduct drug and alcohol testing that is outside the scope of the DOT testing requirements, positive test results or refusals for such non-DOT testing may not be reported to the Clearinghouse.

What actions will drivers be able to take in the Clearinghouse?

Drivers will need to log into the Clearinghouse in order to electronically consent to requests from prospective and current employers that need to access full details about any drug and alcohol program violations as part of an employment-related background check. This is the only valid method for an employee to respond to this type of employer consent request, and failure to provide timely consent may result in a driver being prohibited from performing safety-sensitive functions for that employer.

Drivers may log in to the Clearinghouse to view their individual driver record at any time. Also, if a driver chooses to engage a Substance Abuse Professional (SAP), he or she must select the SAP through the Clearinghouse to initiate the RTD process.

How are employers and Consortium/Third-Party Administrators required to use the Clearinghouse?

The Clearinghouse offers employers a centralized location to report drug and alcohol program violations and to check whether a current or prospective employee is prohibited from performing safety-sensitive functions, such as operating a CMV, due to an unresolved drug and alcohol program violation—that is, a violation for which the employee has not completed the RTD process. Employers must conduct this query as part of any pre-employment screening and at least annually after an employee is hired.

Employers may also use the Clearinghouse to designate a consortium/third-party administrator, which is a required step for any employer who also drives for his or her own business.

How are Medical Review Officers (MROs) and Substance Abuse Professionals (SAPs) required to use the Clearinghouse?

MROs must use the Clearinghouse to report verified positive drug test results and any driver refusals to take a drug test.

SAPs must use the Clearinghouse to report on the RTD status of drivers who are working to resolve any open drug and alcohol program violations. These reports include the date of completion of the initial assessment and the date the driver becomes eligible for RTD testing.

How will State Driver Licensing Agencies (SDLAs) use the Clearinghouse?

As of Jan. 6, 2020, SDLAs will be able to query the Clearinghouse prior to completing licensing transactions.

How will driver data be protected in the Clearinghouse?

The Clearinghouse will meet all relevant federal security standards, and the FMCSA will verify the effectiveness of the security protections on a regular basis.

Driver information will not be available to the public. Only authorized users will be able to register and access the Clearinghouse for designated purposes. The Clearinghouse will require authentication (username/password) to access records.

Drivers registered in the Clearinghouse will be able to access their Clearinghouse records at any time, and at no cost to them. Drivers will only be able to access their own information, not information about other drivers.

The FMCSA will only share detailed drug and alcohol violation information with prospective or current employers when an employer has requested and received specific consent from the driver. Drivers will be able to see the information that would be released to an employer before consenting to the release.

Driver information will be shared only with the FMCSA and other enforcement agencies as required to enforce drug and alcohol use testing regulations.

Does the final rule change any of the existing drug and alcohol program requirements in part 40?

No, the final rule does not change any existing requirements in the U.S. DOT-wide procedures for transportation workplace drug and alcohol testing.

Source: U.S. Department of Transportation, Federal Motor Carrier Safety Administration

Precautions for Better Cyber Security

Business operations in the technology industry revolve around the functionality of computers, network connections and the Internet. It’s no secret that computer use comes with many risks, including damaging viruses, hackers, the illegal use of your system to attack others, the use of sensitive data to steal identities and other illegal actions. As a result, companies must respond by preventing, detecting and responding to cyber attacks through a well-orchestrated cyber security program.

Get Familiar with Risks

The first step in protecting your business is to take notice of the multitude of cyber risks:

Hackers, attackers and intruders: These people seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering data).

Malicious code (viruses, worms and Trojan horses):

  • Viruses: This malicious code requires a user to take an action that lets it into the system, such as opening an email attachment, downloading a file or visiting a webpage.
  • Worms: Once released, this code reproduces and spreads through systems on its own. They usually start by exploiting a software flaw; then, once the victim’s computer is infected, the worm will attempt to find and infect other computers through a network.
  • Trojan horses: This disguised code claims to do one thing while actually doing something else. For example, a program might claim to speed up your computer system while actually sending confidential information to a remote intruder.

Risk Management Planning

To reduce your cyber risks, it is wise to develop an IT risk management plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and importance to the organization.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization.

In addition, your organization should take precautionary measures when selecting your internet service provider (ISP) for use for company business.

ISP Considerations

Almost all ISPs offer Web browsing capabilities with a varying degree of user support and Web hosting capabilities. Your company should determine what ISP to use, along with a plan for backing up emails and files and what firewalls to implement.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security: How concerned with security is the ISP? Does it use encryption and secure sockets layer (SSL) to protect any information that you submit?
  • Privacy: Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services: Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost: Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability: Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that their services will be unavailable, does it adequately communicate that information to its customers?
  • User support: Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed: How fast is your ISP’s connection, and is it sufficient for your business needs?
  • Recommendations: What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Cybersecurity is a serious concern for your business. Contact Tooher Ferraris Insurance Group to learn about our risk management resources and insurance solutions for emerging technology exposures.

OSHA Form 300A Posting Requirements Begin Feb. 1

OVERVIEW

By Feb. 1 of each year, employers that are subject to the Occupational Safety and Health Administration’s (OSHA) routine recordkeeping requirements must post copies of their completed OSHA Form 300A (“Summary of Work-related Injuries and Illnesses”) from the previous year in visible locations within their employees’ workplaces. The postings must then be kept in place until at least Apr. 30 every year. These requirements apply to all employers that are not in a partially exempt industry and have more than 10 employees.

ACTION STEPS

On Feb. 1, 2019, employers subject to OSHA recordkeeping requirements must ensure that copies of their completed Forms 300A from 2018 are posted in each of their establishments in a conspicuous place or places where notices to employees are customarily posted.

Until Apr. 30, 2019, these employers must also ensure that their Form 300A postings remain in place and are not altered, defaced or covered by other material.

IMPORTANT DATES

February 1 to April 30, 2019

Employers must post and keep their completed 2018 Forms 300A posted in their employees’ workplaces.

March 2, 2019

Deadline for certain employers to submit electronic reports to OSHA.

Contact Tooher-Ferraris today to learn more about our integrated insurance and risk management programs at 203-834-5900 or info@toofer.com.

Mobile Device Security

Because of all they can offer, smartphones and tablet devices are essential to many professions’ daily operations. However, as use rises, it will become more and more important to ensure that security for these mobile devices is able to adequately protect you from new and existing threats.

The need for proper phone security is no different than the need for a well-protected computer network. Gone are the days when the most sensitive information on an employee’s phone is contact names and numbers. Now a smartphone could grant access to any number of applications, emails and stored passwords. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a more traditional computer system.

Lost or Stolen Devices

Because of their size and nature of use, mobile devices are at an increased risk of being lost or stolen. Since most devices automatically store passwords in their memory to keep users logged in to email and other applications, having physical possession of the device is one of the easiest ways for unauthorized users to access private information.

To prevent someone from accessing a lost or stolen device, the phone or tablet should be locked with a password. The lock should be time sensitive, automatically locking the device after a short period of inactivity. Most devices come with such security features built in, which is something you should consider before purchasing. Depending on your cellphone provider, there are also services that allow you to remotely lock down or erase a device in the event that it is lost or stolen.

Malicious Attacks

Mobile devices have the potential to be just as susceptible to malware and viruses as computers, yet many businesses don’t consider instituting the same type of safeguards. As reliance on these devices continues to grow, so will their attractiveness as potential targets. Third-party applications are especially threatening as a way for malware to install itself onto a device. Employees should never install unauthorized applications to their company devices.

Analyze Threats

Like any potential exposure, the level of risk brought on by mobile devices is based largely on how your company uses them. Conduct a formal risk assessment to see where your biggest risks are. Also establish when to conduct follow-up assessments to account for new exposures created by the ever-advancing state of technology.

Establish a Smartphone Policy

Before issuing smartphones to your employees, establish a device usage policy. Outline what does and does not constitute acceptable use and what actions will be taken if employees violate the policy. It is important that employees understand the security risk inherent to smartphone use and their role in its mitigation. Well-informed, responsible users act as an invaluable layer of security protecting mobile devices.