D&O on Alert

Directors and officers (D&O) at the more than 3,500 publicly listed companies in Canada have a duty to the corporations they serve, to shareholders and other company stakeholders, and sometimes to the public. Their primary purpose is to help the corporation set and meet its strategic goals. For this service, however, directors and officers can face personal liability.

Three particular trends are now accentuating this reality: securities class actions, environmental risk and cyber liability. What has transpired to bring each of these trends to the forefront? And what lessons can be learned to help mitigate the exposures?

SECURITIES

Ontario’s Bill 198, an omnibus bill titled An Act to Implement Budget measures and other initiatives of the Government, went into effect in Canada about a decade ago in 2005, yet its effects are more than ever being felt.

Designed to restore investor confidence and passed in response to strong reforms taking place in the United States, the Sarbanes-Oxley Act that took effect in 2002, the bill sought to protect investors through more accurate corporate disclosure. Bill 198 imposes statutory civil liability – for public companies, investment funds and other issuers, as well as their directors and some officers, influencers and experts – to ensure continuous disclosure in the secondary investment market.

In essence, lawmakers intended to create a statutory vehicle to allow securities class action lawsuits to proceed more easily against companies (and the directors who sit on their respective boards) alleged to have misled investors.

Eleven new securities class action lawsuits were filed in 2014 – about the annual average since 2008 – 10 of which were statutory secondary market cases related to Bill 198. Of the 96 total securities class actions filed since 2005, about two-thirds, 63, have been Bill 198 claims.

The potential costs are significant. NERA Economic Consulting reports that more than $32 billion in total claims are represented in the 38 statutory secondary market cases unresolved at the end of 2014. Defendants in the 22 settled statutory secondary market cases agreed to pay a total of more than $345 million.

Complicating the picture are macroeconomic trends that could be making Canadian corporations more vulnerable to securities litigation. Canadians are leveraged today to a greater degree than the U.S. debtors were prior to the credit crisis. Both interest rates and the prime lending rate remain at all-time lows, while the Canadian dollar continues to decline against its southern equivalent.

ENVIRONMENTAL

Beyond these key macro indicators driving uncertainty, directors and officers can look to the courts for a crucial emerging risk: environmental liability.

One case, in particular, is driving the trend. Its roots date back to 2005, when Northstar Aerospace (Canada) began a voluntary remediation of its contaminated properties in Cambridge, Ontario.

In 2012, Northstar found itself in financial difficulty. In response, the Ministry of the Environment issued orders requiring further remediation and more than $10 million in financial assurance to be set aside. It was to no avail; Northstar was insolvent by June 2012, prompting the provincial ministry to undertake the remediation.

To pay for the remediation, regulators named 12 former Northstar directors and officers and the parent company in the United States to conduct the work.

The critical takeaway from the case: Regulators imposed personal liability on the directors and officers, even though they had not been in their positions during the time of contamination.

Regulators demanded that each pay $800,000 for the interim remedial work. The defendants settled for $4.75 million before an appeal could be heard.

For board members across Canada, there is a lesson to be learned from this incident. They should understand their companies’ environmental pollution risks and be satisfied that policies and procedures are in place to prevent unlawful contamination.

Incoming board members need to dig into a company’s pre-existing exposures. And all officers and directors could benefit from risk transfer, whether that comes in the form of adequate insurance or separate indemnity agreements between board members and companies in the event of a Northstar-like fact pattern.

The Northstar case also brings to light the question of governance. Generally, directors and officers are not liable for environmental liabilities by their corporations when they have taken reasonable steps to prevent those liabilities.

Such adequate due diligence can include being satisfied that those directly responsible are adequately supervised, that pollution prevention systems meeting industry standards are introduced, and that response when such systems have failed is immediate.

CYBER

Unlike environmental risks, cyber liabilities do not appear to have yet shaken Canadian officers and directors. Corporate loss experience has been more benign in Canada than south of the border.

Headline-grabbing data breaches have occurred against large, well-known U.S.-based retail companies and banks.

However, concern is warranted. Canada ranked 15th in the world in data security practices in the EMC Global Data Protection Index, and the IT services firm estimated that it is costing the nation’s economy $16.8 billion every year.

Specific incidents have gained headlines, too. Of note was the hard drive lost by Canada Student Loans that contained 583,000 Canadians’ records.

This event and others like it were not on the scale of U.S. breaches, in which millions of records were involved, but it is only a matter of time before all global companies face those catastrophic-level breaches.

That reality requires a change of thinking among directors and officers. Unlike many other aspects of directing public company affairs, cyber risk may be new for many directors and is not intuitive. Directors may fail to be properly informed on the issue or take the chief information officer’s optimism on face value that breaches will not happen to their company. Directors may also feel cyber security is simply more a company issue than a director-level concern.

A recent U.S. court case demonstrates that cyber security is a board issue.

Shareholders of Wyndham Worldwide Corporation filed a derivative-action lawsuit in February 2014 in an attempt to hold the organization’s directors and officers liable for three hacking attacks against the corporate parent, which compromised the personal information of approximately 600,000 customers and led to government investigations.

Shareholders demanded that the board investigate the breaches and sue the company. When rebuffed, the shareholders then sued the board members.

A U.S. federal judge dismissed the case last October.

The case, nonetheless, sends a clear signal to boards around the world that they must be involved in the information security of their organizations.

Public company directors and officers can follow several best practices to ensure their oversight of corporate cyber security programs. A crucial one is placing cyber security within the framework of enterprise risk management (ERM).

Specific focus should also be placed on incident response and crisis management programs, as well as the potential value of standalone insurance to transfer some of the risk.

ATTENTION WARRANTED

All three aforementioned trends are worthy of renewed attention. Going forward, Bill 198 may inspire further securities class actions, adding to the tally of unresolved cases or those headed to settlement, a process that may be influenced by changing macroeconomic trends like currency and energy price fluctuations.

With fallout from the Northstar case, understanding a company’s environmental liabilities is as important as ever. And cyber risks continue to grow in relevance and costs.

Despite the pressing nature of these three D&O exposures, directors and officers do not need to stay awake at night. Sound risk management processes combined with risk transfer tools such as insurance can help protect companies and their directors and officers both before and during a lawsuit.