THOUGH THE IMPACT OF COVID-19 ON DIRECTOR AND OFFICER (D&O) LIABILITY INSURANCE IS EVOLVING DAY-TO-DAY, SEVERAL PROMINENT COVERAGE ISSUES HAVE ALREADY PRESENTED THEMSELVES – SUCH AS COVID-19 SECURITIES CLASS ACTIONS AND/OR SHAREHOLDER DERIVATIVE CLAIMS, AND CYBER SECURITY AND PRIVACY CLAIMS – WHICH DIFFER FROM LIABILITY CONSIDERATIONS PRESENTED DURING THE PRIOR SARS AND MERS OUTBREAKS.

Updated April 8, 2020

Coronaviruses represent a large family of viruses that can cause respiratory illnesses.¹ The 2003 Severe Acute Respiratory Syndrome (SARS) epidemic in China represented the first severe virus that resulted from a coronavirus, affecting over 8,000 individuals.² The second outbreak of Middle East Respiratory Syndrome (MERS) occurred in 2012 in Saudi Arabia. It affected almost 2,500 individuals and had a mortality rate of 34.45%.³ Now, on December 31, 2019, Chinese authorities reported the outbreak of a new strain of coronavirus, called severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), which causes the coronavirus disease 2019 (COVID-19).⁴ Since December, COVID-19 has spread to over 184 countries/regions and has infected over 1.5 million individuals and growing, causing varying degrees of fever, dry cough, shortness of breath, and a mortality rate of about 3.6%.⁵

D&O Exposures

Companies (and their directors and officers) generally did not face third-party liability claims relating to the response to the SARS and MERS outbreaks. However, with COVID-19 and the sharp drop in stock prices that has accompanied it, this has changed. Companies – in addition to their directors and officers sued in their individual capacities – are turning to their D&O insurance policies for coverage for third-party claims arising from COVID-19:

• One of the largest areas of exposure for public companies (and to some extent, private companies) is securities class actions and/or shareholder derivative claims relating to affirmative acts of mismanagement and/or failure to act/disclose by officers and directors in response to the COVID-19 outbreak.
• Another major area of concern relates to liability arising from cyber security and privacy issues, given that many company employees are now working remotely to avoid exposure to COVID-19. The failure to sufficiently protect a company’s network could leave the company vulnerable to cyberattacks, ransom demands, loss of company data, and overall exposure for failing to insure against cyber risks.

• While the full impact of COVID-19 is yet to be determined, other potential areas that may impact D&O exposures include civil liability surrounding alleged breaches of contract involving major customers or suppliers, and loss of liquidity and subsequent bankruptcy proceedings.

Such exposures are no longer theoretical, as some already have come to fruition in the securities and cyber security arenas:

As to securities class actions, the first lawsuit was filed on March 12, 2020 against Norwegian Cruise Line Holdings, Ltd. under Section 10(b) of the Securities and Exchange Act of 1934 and Rule 10b-5 for making false and misleading statements in its 8-K and 10-K public filings in February 2020.⁶ The complaint alleged that (1) “the Company was employing sales tactics of providing customers with unproven and/or blatantly false statements about COVID-19 to entice customers to purchase cruises, thus endangering the lives of both their customers and crew members;” and (2) “as a result, Defendants’ statements regarding the Company’s business and operations were materially false and misleading and/or lacked a reasonable basis at all relevant times.” An example of such statements is that “despite the current known impact [of COVID-19],” “the Company’s booked position remained ahead of prior year and at higher prices on a comparable basis” and that the Company “has an exemplary track records of demonstrating its resilience in challenging environments” and that it “proactively implemented several preventive measures to reduce potential exposure and transmission of COVID-19.”

On the same day, a second securities class action lawsuit was filed against Inovio Pharmaceuticals for representing that it was able to develop a COVID-19 vaccine “within three hours” and that its plan was to start trials in April 2020.⁷ In response to these statements, Inovio’s shares “more than quadrupled” within a few trading days. However, “in truth, Inovio had not developed a COVID-19 vaccine” and its statement that it designed a vaccine in three hours was deemed “ludicrous and dangerous” by others. Overall, the stock price dropped by 71% and shareholders suffered a $643 million loss of market capitalization.

Though not aware of D&O lawsuits filed as of yet, another area of potential exposure under D&O policies relates to a company’s disclosure of its response to the COVID-19 crisis. Specifically, on March 4, 2020, the Securities and Exchange Commission (SEC) advised that companies are to provide “investors with insight regarding their assessment of, and plans for addressing, material risks to their business and operations resulting from the coronavirus to the fullest extent practicable to keep investors and markets informed of material developments.”

As to cyber security, in mid-March 2020, the U.S. Health and Human Services Department was subject to a cyberattack on its computer system aimed at undermining the government’s response to COVID-19 through “a campaign of disruption and disinformation.”⁸ “Fake” text messages also were sent from an unknown sender warning the public that the “president will order a two week mandatory quarantine for the nation.” The National Security Council issued a warning about these “fake” messages. Cyberattacks also are appearing in the form of phishing emails sent to company employees working remotely.⁹ Such emails are designed with urgent instructions from management and/or information about the latest COVID-19 protections. The email entices the reader to click on the email so as to unwittingly download malware onto the employee’s device and the company’s computer systems. The use of personal laptops creates further vulnerability to attacks because home equipment is often out-of-date with the latest security updates.

Overall, though many existing D&O policies may not be written with cyber and technology related risks in mind, the failure to protect against and insure for privacy or cyber liabilities could potentially lead to D&O liability.

D&O Coverage Issues

Coverage under a D&O policy for the above exposures will vary according to the individual terms and conditions of the policy. Nevertheless, securities class actions and shareholder derivative claims are claims that typically fall within the scope of the insuring agreement under a D&O policy. In assessing the potential for coverage, careful review of several exclusions and other issues is necessary. For example, the language of any bodily injury exclusion should be reviewed for its breadth (e.g., claims “arising from” bodily injury vs. claims “for” bodily injury) as well as any exceptions to that exclusion, such as securities actions.

As is often the case with D&O claims, the language of the conduct exclusion (i.e., dishonest, fraudulent, malicious, and criminal acts) should be reviewed to determine whether its application requires a final adjudication exhausted by appeal or only “in fact” confirmation of such conduct. Moreover, claims also may implicate the professional services exclusion to the extent an employee’s professional services to the company gave rise to the claim, such as legal advice from an in-house counsel, forensic accounting services by the Chief Financial Officer, or otherwise.

As to cyber security and privacy, direct losses caused by a cyber event may need separate cyber insurance. To the extent the cyber event triggers a securities class action, however, there are a number of exclusions (including those discussed above) that may require consideration. For example, the exclusion for war or terrorism should be considered in the event of a cyberattack because there are instances in which cyberattacks are orchestrated by state actors or quasi-state actions and/or terrorist organization criminal enterprises – as opposed to random, “lone wolf” actors.¹⁰

Overall, though the landscape is evolving day-by-day, we hope that the above overview highlights initial coverage issues and exposures within the D&O space relating the COVID-19 crisis.

¹ Marco Cascella, Michael Rajnik, Arturo Cuomo, Scott Dulebohn, and Affaela Di Napoli, Features Evaluation and Treatment Coronavirus (COVID-19), National Center for Biotechnology Information (Mar. 8, 2020), available at https://www.ncbi.nlm.nih.gov/books/NBK554776/.
² SARS (Severe Acute Respiratory Syndrome), World Health Organization (last visited Mar. 18, 2020), available at https://www.who.int/ith/diseases/sars/en/.
³ Middle East respiratory syndrome coronavirus (MERS-CoV), World Health Organization (last visited Mar. 18, 2020), available at https://www.who.int/news-room/fact-sheets/detail/middle-east-respiratory-syndrome-coronavirus-(mers-cov).
⁴ Daniel Jernigan, Update: Public Health Response to the Coronavirus Disease 2019 Outbreak, Centers for Disease Control and Prevention (Feb. 24, 2020), available at https://www.cdc.gov/mmwr/volumes/69/wr/mm6908e1.htm.
⁵ Coronavirus COVID-19 Global Cases by Johns Hopkins CSSE, Johns Hopkins University & Medicine (last visited Mar. 18, 2020), available at https://coronavirus.jhu.edu/map.html.
⁶ Kevin LaCroix, Cruise Line Shareholder Files First Coronavirus-Related Securities Suit, D&O Diary (Mar. 13, 2020), available at https://www.dandodiary.com/2020/03/articles/securities-litigation/cruise-line-shareholder-files-first-coronavirus-related-securities-suit/ (link to complaint: https://www.dandodiary.com/wp-content/uploads/sites/893/2020/03/norwegian-cruise-lines-complaint.pdf).
⁷ Kevin LaCroix, Pharma Company Hit with Securities Suit over COVID-19 Vaccine Claims, D&O Diary (Mar. 15, 2020), available at https://www.dandodiary.com/2020/03/articles/securities-litigation/pharma-company-hit-with-securities-suit-over-covid-19-vaccine-claims/ (link to complaint: https://www.dandodiary.com/wp-content/uploads/sites/893/2020/03/inovia-complaint.pdf).
⁸ Shira Stein and Jennifer Jacobs, Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak, Bloomberg (Mar. 16, 2020), available at https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response.
⁹ Brenda Sharton, Will Coronavirus Lead to More Cyber Attacks?, Harvard Business Review (Mar. 16, 2020), available at https://hbr.org/2020/03/will-coronavirus-lead-to-more-cyber-attacks.
¹⁰ Isaias Alba IV, Is Cyber Insurance Worthless in the Age of Quasi-State Sponsored Hacking?, JD Supra (Mar. 11, 2019), available at https://www.jdsupra.com/legalnews/is-cyber-insurance-worthless-in-the-age-28621/.