Q4 2023 FINPRO Management Liability: Need to Know

Every quarter, our management liability team provides noteworthy trends and emerging issues to help US-based companies make decisions to manage their risks. We will cover topics related to directors and officers (D&O) liability, employment practices/wage & hour liability, and fiduciary liability risks and share insights on building an effective, customized insurance program that is fit for an evolving risk landscape.

Our Q4 2023 issue focuses on:

  • D&O updates centering around the SEC's heightened enforcement activity and how companies are in turn heightening their cybersecurity awareness and defense. 
  • How the National Labor Relations Board's (NLRB) new standard for determining joint-employer status could affect the employment practice liability space.
  • AI and the implications of President Biden's AI Executive Order for employers in both the D&O and employment practice liability spaces.
  • The current legal uncertainties surrounding the Employee Retirement Income Security Act (ERISA) and the possible impact on fiduciary insurance. 

Q4 2023 Management Liability update

D&O Liability

Cyber exposures broaden for boards, management

The evolving cyber threat landscape is compelling companies to heighten their cybersecurity awareness and defenses, especially since they must now comply with the Securities and Exchange Commission’s (SEC) cyber disclosure rules.

The increased emphasis on protecting investors from the impacts of cyber-related threats means that boards, C-Suite executives, chief information security officers (CISOs), and others may face wider exposure to actions by the SEC.

In 2023, the SEC brought several enforcement actions against companies, accusing them of having misled investors about the impact of a cyber event. In one case, the SEC claimed that a broker-dealer misled investors about the level of security measures it had implemented to keep customer order information safe from theft. In another case, which was settled, the agency accused a software company of misleading investors about the impact of a ransomware attack. According to the SEC, the company’s internal communications did not allow for adequate communication and disclosure of updated information concerning an attack.

More recently, the SEC filed charges against a cybersecurity company and its CISO for allegedly violating securities laws by sending misleading communications to investors following a large-scale cyberattack. A company’s CEO and CFO are more commonly named in enforcement actions and shareholder suits; the fact that the CISO is a named target of the SEC’s enforcement action reflects a more aggressive enforcement focus by the agency. Additionally, the SEC’s sharpened focus, coupled with a vigilant plaintiffs’ bar that is closely monitoring regulatory enforcement activity, could lead to a greater frequency of CISOs being named in securities class actions. But that remains to be seen — particularly as companies work to comply with the new cyber rules.

We are also seeing new risks emerge. A recent cyberattack by a ransomware gang on a digital lending company is reflective of the complex challenges companies face when confronting cyber risk. Following the attack, the ransomware gang reached out to the SEC and reported its own victim for failing to comply with the new cyber disclosure rules by not telling investors about the attack within four days. It is unclear whether the SEC will actually take action against the company based on this tip, but the incident illustrates the complexities of balancing cybersecurity with investor communications. 

SEC reveals heightened enforcement activity in 2023 report

In November, the SEC released a detailed report outlining its enforcement activity over the last fiscal year. The agency brought 784 enforcement actions in the 2023 fiscal year, a 3% increase over the prior year. This resulted in $5 billion in financial remedies, the second highest amount recovered by the SEC in its history. Part of that $5 billion included a $1 billion return to investors.

A key aspect of its enforcement activity was the SEC’s whistleblower program. In 2023, the SEC awarded whistleblowers almost $600 million — the highest ever awarded in a single year. This included an award of $279 million to a single informant.

The SEC recovered over $400 million to settle charges against various financial services companies that were accused of violating recordkeeping requirements. The SEC also recovered over $175 million from a multinational financial services corporation on charges that it misled investors about its anti-money laundering compliance program.

Additionally, the agency obtained damages payments in connection with ESG-related matters, accounting issues, human resources violations, insider trading, fraudulent revenue recognition, and numerous other topics.

Considering the increased scrutiny by the SEC, it is important for companies to be familiar with the coverage in their D&O programs for regulatory exposures. Individual executives facing SEC enforcement actions may be indemnified by their companies and a D&O policy will usually cover defense costs. However, policy terms can vary on coverage for civil money penalties, depending on the nature of the allegations and penalties at issue.

SEC actions against the corporate entity are generally covered by D&O policies, but coverage may not extend to preliminary investigations and fact-finding efforts by regulators. Some insurers will offer varying degrees of coverage for investigations against the corporate entity, providing coverage up to and through any resulting enforcement action.

Lastly, when presenting to underwriters during renewal negotiations, companies should be mindful of potential regulatory exposures. It’s important to inform underwriters of specific strategies deployed by the board and executive team to protect the organization from exposure in areas where the SEC has brought enforcement actions.

Employment Practices/Wage & Hour Liability

National Labor Relations Board finalizes the new joint employer rule standard

The National Labor Relations Board (NLRB) has issued its final rule establishing a new standard for determining joint-employer status under the National Labor Relations Act. The new standard replaces a rule adopted in 2020 and makes it easier for companies to be classified as joint employers.

Under the new standard, an entity can be considered a joint employer if it shares or has a say in determining the essential terms and conditions of employment for employees. The NLRB lists wages, benefits, hours of work, assignment of duties, supervision, work rules governing performance of duties, hiring and firing, and working conditions related to safety and health as essential terms.

The key factor in determining joint-employer status is the entity’s authority to control these aspects of employment, regardless of whether it actually exercises that control or whether the control is direct or indirect. This is a departure from the previous standard, which focused on the alleged joint employer possessing and exercising “substantial direct and immediate control” over the essential terms or conditions of employment.

From a practical standpoint, companies now face increased exposure to any labor law violations of their business counterparties. Additionally, being classified as a joint employer has implications for collective bargaining obligations, since companies that fall under this classification may be required to engage in collective bargaining with the employees of other entities. Joint employers may also be held jointly and severally liable for unfair labor practices committed by the other employer.

The new standard is expected to have a significant impact on retailers and other employers in commercial arrangements, including franchisors-franchisees, contractors-subcontractors, and employers that use staffing agencies. 

The rule has already been legally challenged. On November 9, 2023, the U.S. Chamber of Commerce and a coalition of business groups filed a lawsuit in the Eastern District of Texas against the NLRB, arguing that the rule is unlawful and fundamentally changes the liability of employers. On the other hand, on November 8, 2023, the Service Employees International Union (SEIU) filed a petition for review in the D.C. Circuit. The petition does not specifically state its basis.

The new rule was originally scheduled to take effect on December 26, 2023, but, in response to the legal challenges, the effective date has been extended to February 26, 2024.

It will take time for the legal disputes to be resolved. In the meantime, companies should review their contracts and agreements to assess the potential impact of the new rule on their joint-employer liability.


D&O Liability and Employment Practices/Wage & Hour Liability

Artificial intelligence (AI) is the hottest topic across the business environment. This rapidly advancing field focuses on the development of intelligent machines capable of performing tasks that typically require human intelligence. AI systems use algorithms and data to learn, reason, and make decisions, mimicking human cognitive abilities.

While AI presents multiple opportunities, such as improving efficiencies and optimizing processes, there are also emerging risks that companies must be prepared to address. Aside from the potential for shareholder lawsuits, there are also risks of employer-related suits when companies use AI in the employment life cycle — for example, to screen resumes, conduct pre-employment assessments, analyze productivity, and measure performance.

In October 2023, President Biden signed the landmark Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, an acknowledgement of the technology’s rapid expansion. This serves as a comprehensive roadmap for the federal government’s approach to the rapidly evolving AI landscape. The order focuses on several areas, including leadership and coordination in the use of AI across the government, ethical and responsible AI use, appropriate training to workers using AI, privacy, safety, and security cooperation, and regulatory oversight. The order also establishes the National Artificial Intelligence Initiative Office within the Office of Science and Technology Policy to coordinate AI-related activities across federal agencies.

Potential D&O challenges for organizations

Shareholder lawsuits involving AI brought against companies in the past were mostly related to allegations that the companies misled investors about the timeline for the release of an AI-powered product or that executives exaggerated the financial opportunities presented by the technology. Some organizations that use AI in their products or services have also been accused by authors and artists of intellectual property right violations and infringement. To date, shareholder claims have not focused on AI exposures, but that could change as more companies adopt the technology and make representations to investors about its prospects.

For example, the management of companies that rely on AI as part of their service offering — whether lending, accounting, staffing, or some other professional service — could face lawsuits if the risks are not adequately monitored. And when its competitors are using AI technology and gaining a competitive edge, a company’s board may face a breach of fiduciary duty claim for failing to adequately prepare for competitive threats.

Another type of potential claim is by consumers — or an agency on their behalf — arguing that AI incorporated in a service resulted in an error or other harm. And employees or prospective employees could sue an organization over its use of AI in hiring or promotion decisions. A regulatory enforcement suit or class action could have a deleterious impact on a company’s stock or bottom line. This could give rise to both breach of fiduciary duty claims and securities fraud claims.

We are closely monitoring this exposure to identify any litigation trends against companies’ management and boards relating to the use of, or impacts from, AI.

Implications of President Biden’s AI Executive Order for employers

The Executive Order recognizes the potential risks of AI to workers and addresses areas that require caution from employers, such as AI enforcement by civil rights agencies and the interplay between AI monitoring and worker protections. It also emphasizes the safety and security of AI systems, highlighting the importance of testing and evaluations, including post-development performance monitoring, to ensure compliance with federal laws. This aligns with existing regulations in New York City, where the use of automated employment decision tools requires mandatory testing. Biases embedded in the training data can lead to discriminatory outcomes. 

Further, the Executive Order addresses worker protections, stating that AI “should not be deployed in ways that undermine rights, worsen job quality, encourage undue worker surveillance, lessen market competition, introduce new health and safety risks, or cause harmful labor-force disruptions.” The Secretary of Labor is directed to issue guidance on employers' obligations to compensate workers when deploying AI to monitor or augment their work.   

It also recognizes the potential for unequal treatment of individuals with disabilities in the context of AI, particularly regarding the use of biometric data. It encourages the Architectural and Transportation Barriers Compliance Board to provide technical assistance and recommendations on the risks and benefits of using biometric data as an input in AI systems. 

The Executive Order builds upon previous efforts to regulate AI in the workplace, including the Blueprint for an AI Bill of Rights and the Executive Order directing agencies to combat algorithmic discrimination. The Equal Employment Opportunity Commission (EEOC) has also prioritized the issue of discriminatory AI usage in its strategic enforcement and provided guidance on compliance with Title VII and the Americans with Disabilities Act (ADA) when using AI tools.

Employers should anticipate further regulations related to AI and take action to proactively understand where AI is currently being used in their workplaces. The coverage under an employment practices policy is typically broad enough to include AI-related discrimination claims. However, there could be exclusions for confidential information or related to the Biometric Information Privacy Act (BIPA), such as the use of facial recognition tools, that may have implications for an AI-related discrimination claim.

Fiduciary Liability

Understanding prohibited transactions and the impact on fiduciary liability

As part of its goal to safeguard against conflicts of interest within retirement plans, the Employee Retirement Income Security Act (ERISA) prohibits transactions between the plan and a party of interest. These so-called prohibited transactions can involve either services or goods.

However, there is an exception to this rule; ERISA allows for reasonable arrangements for necessary services if compensation remains within reasonable limits.

What constitutes “reasonable” has been subject to interpretation, with different courts adopting varying approaches to the prohibited transaction rules.

In November 2023, the Second Circuit Court of Appeals supported the defense in a case alleging prohibited transactions under a 403(b) defined contribution plan. The plaintiffs argued that the plan paid fees to its own recordkeeper as part of the transaction. The appeals court stated that for the transaction to be prohibited, the plaintiffs must demonstrate that the ERISA exemptions do not apply. 

This contrasts with a 2009 ruling in the Eighth Circuit, which allowed plaintiffs to proceed in a similar action without having to prove the transaction was unreasonable. The Ninth Circuit reached a similar decision. Both circuits received criticism that this open-ended approach could lead to litigation any time a service provider is engaged, even for necessary services. On the other hand, the recent Second Circuit ruling would make the burden for plaintiffs much greater than in other jurisdictions.

Several other courts have issued varying opinions in prohibited transaction cases.

The Third Circuit held that allegations must show an intent to benefit the party of interest. The Seventh Circuit held that a transaction must look like self-dealing. The Tenth Circuit held that a prior relationship must exist between the service provider and the fiduciary.

Considering the conflicting opinions among various circuit courts, it is possible that this issue may eventually head to the Supreme Court.   

The current legal uncertainties may have an impact on fiduciary insurance, often leading to underwriters assuming they will incur significant defense costs. Difficulty assessing risk may lead to underwriters limiting or excluding coverage for prohibited transactions. In this environment it is important for fiduciaries and their employers to stay informed of current requirements and court decisions and be prepared to adapt to any changes to regulations or their interpretation. It is also critical to understand the intricacies of prohibited transactions and how they may impact fiduciary insurance.

Lawsuits question handling of forfeited funds in 401(k) plans

A number of 401(k) plan sponsors are facing lawsuits that question their handling of forfeited funds as potentially violating federal law. The lawsuits focus on contributions made to an employee’s 401(k) account by an employer, which are often subject to vesting periods and can be forfeited — either partially or entirely — if the employee leaves the company.

The recent lawsuits allege that employers used forfeitures to reduce their required contributions to the plans rather than using these funds to alleviate the administrative expenses borne by plan participants. This practice, the lawsuits allege, is in violation of ERISA, which requires fiduciaries to act in the best interests of plan participants. 

Plan documents provide varying levels of detail on how forfeited funds should be used, with some plans providing specific instructions while others are more ambiguous. The recent suits are not focused on the plan details but rather on whether employers are fulfilling their fiduciary obligations to act in the best interest of the participants, as mandated by ERISA.

No decision has been reached in these cases and it remains unclear whether they will trigger similar lawsuits. However, this provides another example of new, creative plaintiff allegations that may make underwriters question the profitability of fiduciary insurance. Especially in view of the current cases, fiduciaries should consult with their ERISA counsel to determine best practices when dealing with forfeitures. This is especially important since fiduciary insurers may start to ask questions about the plan’s position on the use of forfeited funds during renewal meetings.

Uncertainty surrounding the enforceability of mandatory arbitration clauses persists

The enforceability of mandatory arbitration clauses with class action waivers in plans governed by ERISA has faced increased scrutiny in recent years. And uncertainty is set to persist after the Supreme Court declined to hear a case about the matter.

Employers that include mandatory arbitration clauses with class action waivers in their 401(k) plans were often seen by fiduciary insurers as having a stronger risk profile and underwriters were more likely to provide these companies with a quote. However, the enforceability of these provisions has been subject to legal challenges over the past two years. Defendants typically argue that ERISA includes a clause enforcing the governance of plan documents and state that a requirement for arbitration in the plan documents should be respected. Plaintiffs, on the other hand, have argued that the class action waiver infringes upon their right to pursue relief on behalf of all participants and their individual accounts and is therefore unenforceable.

Court decisions have been inconsistent, contributing to the prevailing uncertainty. In a recent Fifth Circuit case, the Department of Labor filed an amicus brief in support of limiting defendants’ ability to force arbitration.

Fiduciaries should review plan documents to understand the arbitration and class action waiver requirements and consider engaging outside ERISA counsel to advise on the enforceability of such language. Until courts come to a consensus on this issue, fiduciary underwriters will likely discount the favorability of mandatory arbitration provisions under the assumption that class actions will be allowed to proceed and lead to higher defense costs. This could impact the effectiveness of arguments for lower retentions for clients with such provisions in their plan documents.

Our people

Kate Maybee

La'Vonda McLean

Matt McLellan

CaroleLynn L. Proferes
