Directors and Officers (“D&O”) and cyber-related incidents continued to make headlines while ramped up regulatory enforcement and new legislation significantly altered the insurance landscape for both policyholders and insurers. Other noteworthy decisions reinforced the importance of foundational insurance coverage principals. Now that 2023 has wrapped, we highlight and review some of the most significant decisions and insurance developments that will continue to impact the world of insurance in 2024 and beyond.

Directors & Officers

In 2023, policyholders saw favorable interpretations of coverage under their D&O policies. These recent policyholder wins demonstrate an expansive view of potential D&O coverage and serve as a good reminder for policyholders to consider whether coverage could be triggered under all of their policies when faced with a loss.

  • D&O Can Be a Source of Coverage for Opioid Suits, The North Carolina Mut. Whole Company v. Federal Ins. Co., No. 1:22-CV-553, 2023 WL 5312234 (M.D.N.C.)

Courts nationwide have issued a wide range of decisions on insurance coverage for lawsuits arising out of the opioid epidemic under commercial general liability policies. On August 17, 2023, a North Carolina federal court illustrated why coverage is also available under Directors and Officers (D&O) liability insurance policies. In The North Carolina Mut. Whole Company v. Federal Insurance Co., No. 1:22-CV-553, 2023 WL 5312234 (M.D.N.C.), the court determined a drug wholesaler’s D&O policy provided coverage for more than one hundred underlying lawsuits, rejecting the insurer’s argument that two exclusions, the contract and professional services exclusions, barred coverage.

The decision offers positive takeaways for policyholders: first, the decision underscores that exclusions cannot apply expansively to effectively eviscerate coverage, as would have occurred here under the insurer’s expansive view of the professional services exclusion. Second, the decision confirms potential coverage for claims arising from the manufacture, distribution and sale of opioids.

  • Delaware Court Finds Broad D&O Coverage for Directors and Officers in SPAC Claim, March 1, 2023, Clover Health Invs., Corp. v. Berkley Ins. Co., C. A. N22C-06-004 MMJ CCLD (Del. Super. Ct. Feb. 6, 2023)

A Delaware court issued a significant opinion in a directors and officers liability claim involving a special purpose acquisition company (“SPAC”). In an issue of first impression in Delaware, the Superior Court in Clover Health Investments Corp. v. Berkley Ins. Co. held that directors and officers of the post-merger entity were “Insured Persons” under the SPAC’s D&O policy because they were acting in “functionally equivalent” roles to directors and officers of the SPAC when the alleged pre-merger wrongful conduct took place.

The Clover Health opinion touches a number of important insurance issues. While certain issues are unique to D&O claims arising from SPAC transactions, others may have broader implications for D&O coverage in Delaware beyond SPAC deals.

First, the decision provides an expansive view of potential D&O coverage under policies issued to SPACs, including for wrongful acts allegedly committed by future directors and officers before the transaction as long as they were acting in a “functionally equivalent” role to that of a SPAC officer and director at the time of the alleged misconduct. Second, the decision is another example of a Delaware court correctly adhering to basic principles governing insurance policy interpretation, including that courts should interpret insurance contracts according to their plain, ordinary meaning and resolve ambiguities in favor of coverage consistent with the reasonable expectations of the insured. Third, the ruling in the policyholder’s favor on SEC investigation coverage based on the definition of “Claim” may be even more impactful to future D&O coverage disputes beyond those involving SPAC transactions. Finally, the decision is yet another example of the potential longstanding impact of the pro-policyholder decision, RSUI Indem. Co. v. Murdock, et al., No. 154, 2020, C.A. No. N16C-01-104 CCLD (Del. Mar. 3, 2021)—this time on the critical issue of allocation using the Larger Settlement Rule.

  • An Uncharted Frontier: Nevada First State to Prohibit Defense-Within-Limits Provisions

On October 1, 2023, Nevada became the first state to prohibit defense-within-limits provisions in liability insurance policies, potentially changing the D&O insurance landscape going forward. Defense-within-limits provisions—resulting in what is called “eroding” or “wasting” policies—reduce the policy’s applicable limit of insurance by amounts the insurer pays to defend the policyholder against a claim or suit. These provisions are commonly included in errors and omissions (E&O), directors and officers (D&O) and other management liability policies. This contrasts with other policies, most commonly commercial general liability policies, which provide defense “outside of limits” where defense costs do not reduce the policy’s limit. 

Prohibiting defense-within-limits provisions may, however, be a double-edged sword. On the one hand, the provisions preserve coverage for settlements and judgments because costly litigation will not reduce the policy’s limits. On the other hand, where a policy’s limits are not reduced by defense costs, it could lessen the incentive for claimants to settle early in litigation to avoid the risk of eroding liability limits by defense costs. The new law also creates uncertainty in the insurance marketplace. Nevada policyholders may see increases in premiums and other changes to the structure of their liability insurance products to mitigate the increased risk to insurers because of the new law. 

Government Enforcement Actions

Government enforcement actions, including those resulting from security failures to protect data (including employee information), improper data collection practices, failure to disclose a data breach or deceptive privacy practices, were also pervasive in 2023, showing policyholders that regulatory defense coverage is increasingly important. The DOJ, FTC and SEC were all involved in investigating potential violations of law following cyber incidents and prosecuting companies, including their directors and officers, who were found to have failed to protect data. 

  • Cyber and D&O Insurance: Maximizing Coverage for Companies and Executives from Cyber Incidents, July 25, 2023

In 2023, regulators cracked down on companies that failed to secure data or fail to promptly disclose cyber incidents. In October 2021, Deputy Attorney General Lisa Monaco announced the launch of the Civil Cyber-Fraud Initiative, led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch. The Civil Cyber-Fraud Initiative was created to “utilize the False Claims Act (‘FCA’) to pursue cybersecurity related fraud by government contractors and grant recipients.” The announcement put executives and boards on alert after agencies and shareholders showed a willingness to pursue individual directors following cyber incidents.

  • Recent FTC Enforcement Action Merits Cyber Insurance Coverage Review, February 27, 2023

The Federal Trade Commission (FTC) took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information. In general, the Rule requires that vendors not covered by the Health Insurance Portability and Accountability Act (HIPAA) of personal health records give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records. GoodRx agreed to pay a $1.5 million civil penalty for its violation and will be prohibited from sharing user health data with third parties for advertising purposes. While GoodRx denies any wrongdoing it stated that it agreed to the settlement to avoid a costly legal battle.

The FTC’s unprecedented use of the Health Breach Notification Rule highlights the need for policyholders who gather personal information for consumer transactions, marketing purposes or as part of their core business model to ensure that their risk management plan includes a cyber policy that covers regulatory investigations and actions such as the one initiated against GoodRx.

The US Environmental Agency continued to address the Per- and polyfluoroalkyl Substances (“PFAS”) issue which have increasingly become the target of federal and state regulation in everything from drinking water, groundwater, site contamination, waste, air emissions, firefighting foam, personal care products, food and food packaging, and now consumer and commercial products.

As regulators increased their focus on PFAS, enforcement actions rose as well. This was in addition to third-party actions already being brought nationwide. The claims of groundwater contamination and exposure to PFAS-containing products were directed at manufacturers and other businesses in the supply chain.

In this client alert, we examined how a company’s commercial general liability (“CGL”) policies may cover PFAS-related claims. While these policies typically cover bodily injury or property damage when the occurrence that caused the injury or damage took place during the policy period, since cases generally allege that PFAS contamination and exposure has occurred over a long period of time, decades in many instances, there may be coverage under older CGL policies.

Crime

In 2023, courts also faced novel issues implicated by crime protection insurance policies. Fraudsters continued to wreak havoc on companies by impersonating employees and intercepting internal communications. Despite the increasingly narrow view of coverage for fraudulent transfer losses presented by insurers, policyholders have found some relief.

  • Fifth Circuit Affirms Crime Policy’s Applicability to Fraudulent Transfer, Valero Title Inc. v. RLI Ins. Co., No. 22-20155 (5th Cir. Feb. 1, 2023)

The Fifth Circuit affirmed that a title company’s cri