Specialty Podcast: Updates from the Courtroom - Impactful Litigation Decisions Shaping Insurance

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Mike Radak (00:09):
Hey everybody, this is Mike Radak. I'm one of the senior claims attorneys at Alliant Insurance, joined by Peter Kelly and David Finz from our claims and legal team today. We've got lots of important issues to discuss today, and before we jump into them, reminder that you can find summaries of each of the topics that we discuss in our monthly Executive Liability Insights Newsletter. So without further ado, Peter's going to kick us off today in discussing a case that has a favorable ruling from a policy holder perspective, with respect to D&O insurance coverage. This case addresses what we consider to be one of the fundamental purposes of D&O insurance, which is to protect the individual Ds and Os whose business decisions potentially make them liable for, in their capacity as managers or directors and officers of the company. And this case talks about how D&O insurance should and could respond in the event of certain lawsuits regarding indemnification. So Peter, I'll turn it over to you to talk about the Jasper case.

Peter Kelly (01:18):
Thanks, Mike. Yes, this is an important case. It's also because of the parties here. Chubb is the largest public company D&O carrier out there, and it concerns the policy that was placed by Alliant. They're no longer clients I believe due to an acquisition, but we have some good solid language here. Chubb tried to throw everything but the kitchen sink to avoid coverage. I'm going to preface this by saying, as Mike pointed out, this is a big deal because this is why we buy D&O. It's to protect personal assets or D&Os, and we cannot allow defense costs to be clawed back. In this case, the SEC filed the civil enforcement action against the former CFO of a semiconductor manufacturer, securities violations related to stock option backdating, which is a common occurrence, and inaccurate regulatory filings. The company agreed to pay the CFO's defense cost pursuant to indemnification agreement, which characterized the advancement as an undertaking, which the CFO agreed to repay if it was determined that he was not entitled to indemnification. Later beyond the enforcement action, there was a derivative in class action suits as well that followed, which were eventually settled. When the CFO took it all the way, the jury found the CFO liable for fraudulent conduct, securities fraud and making knowingly false statements to the SEC. So, because of that finding of fraud under the indemnification agreement, the CFO was required to repay the defense expenses that had been covered by the company. They then turned to Chubb to recover the legal defense costs that were advanced, and Chubb denied coverage and coverage litigation ensued. The CFO is required under the terms of the indemnification agreement to repay the company from these expenses, and Chubb took the position that the former CFO's obligation here was "the substantial equivalent of restitutionary damages," which were excluded from the policy's definition of loss.

Chubb was going on the theory that the CFO had wrongfully obtained and was unjustly enriched by the company's advancement of these legal fees. Chubb was relying on the policy's definition of defense costs, which did not include amounts substantially equivalent to disgorgement or restitution. Essentially, Chubb was arguing that the CFO had received payment that he was not entitled to, needed to pay it back, which the policy wouldn't cover. Now the policy here, standard D&O policy, side A covered non-indemnifiable loss, which was defined as loss incurred by the CFO for which the company refuses to indemnify him. Loss included defense costs that the CFO is legally obligated to pay, and defense costs included that portion of non-indemnifiable loss, constituting reasonable unnecessary fees resulting from the defense and appeal of the claim against that CFO. The court found that this advancement fits squarely within the definition of non-indemnifiable loss because the CFO, pursuant to that indemnification agreement, became legally obligated to repay the company, and the company in turn refused to indemnify. Ultimately, the court determined that this repayment was not restitution because in the insurance context, restitution is the return of something wrongfully received. Here, the CFO never wrongfully received, never obtained or kept any of the company's advances. Those advances were paid directly to the CFO's defense counsel to provide defense for the matter. The court looked at this and said that this coverage of the CFO's legal costs are consistent with the generally understood purpose of D&O insurance, that this was not restitution. In addition to that argument, Chubb also argued that this coverage would be prohibited by California's Insurance Code Section 533, which codifies California's public policy against insuring willful criminal and fraudulent conduct. Unfortunately, this section 533 is seen far too often in the D&O context when it shouldn't be. 533 is really supposed to avoid coverage in a criminal context like a drunk driver causes an accident, causes harm, and then that drunk driver should not benefit or profit from insurance coverage.

Here, the CFO would not profit by virtue of the policies coverage, and so the payment of the non-indemnifiable loss would not be against public policy. 533 forbids any contracts that indemnify for loss or responsibility resulting from willful wrongdoing. This prohibition, however, does not extend to insurance contracts providing for defense, only indemnification, and Chubb didn't stop there. I also pointed to three additional policy exclusions as alternate grounds to avoid coverage. They looked to the entity versus insured exclusion, essentially arguing that this was a dispute between the CFO and the company. The insurer should be excluded. They also looked at exclusions for loss arising from improperly gaining profit or financial advantage and for loss derived from committing a criminal or fraudulent act. But the court pointed out that each of these exclusions expressly stated that it should not apply to defense costs. There was a carve back for all of these exclusions for defense costs, and the court found that the plain meaning of that language contradicted Chubb's position. Ultimately, this was a good outcome derived from good policy language and highlights the importance of having the right language in your policy because at the end of the day, this CFO could have left holding the bag and on the hook for all those defense expenses. But this is also concerning because despite the plain meaning of the language, didn't stop Chubb from not only taking this position initially, but from actually litigating it. To get to the point where we have this decision in front of us on this issue took a long time. Undoubtedly there were plenty of discussions much earlier on about coverage, and we really never should have gotten to this point. Also concerning is we glossed over the fact that this was the appellate level court. In the lower court, the trial court actually originally agreed with Chubb, both on the characterization of the loss as restitutionary damages and on its public policy 533 argument, but hopefully a case, an outcome like this will deter any similar carrier behavior or posturing in the future.

Mike Radak (07:43):
Yes, thanks Peter. That was a great summary. Definitely a concerning and interesting case, especially with the 533 arguments that you mentioned. The restitution and disgorgement argument is one we see all the time on the D&O coverage front, and at the end of the day, D&O insurance is to cover in a minimum defense cost for individual Ds and Os when they're in these situations. Good to see that the court got this one right after reviewing everything. I was going to talk briefly about a ruling that came out of the Texas Federal Court on December 3, 2024, where they blocked the enforcement of the Corporate Transparency Act, at least for the time being. Corporate Transparency Act, for those that don't know, it’s federal law that aims to combat money laundering, fraud and other illegal activities by requiring certain businesses to submit detailed information about their owners. It's referred to as beneficial ownership interest that needs to be reported to the government. The idea is that it increases the transparency and corporate ownership structures and supposedly prevents wrongdoing that's going on behind the scenes. In the case at issue in Texas, six plaintiffs sued claiming that the Corporate Transparency Act was unconstitutional.

The federal court agreed with them in a very lengthy 46-page opinion, and they definitely did not mince words with regard to what the court's opinion was of the Corporate Transparency Act and the constitutionality of the act. Here's an example of some of the language that they use: The Corporate Transparency Act represents a federal attempt to monitor companies created under state law—a matter that our federalist system has left almost exclusively to several states. The Corporate Transparency Act ends a feature of corporate formation as designed by various states, which is anonymity, and they even referred to it as a quasi-Orwellian statute. It has significant implications on the dual system of government. After argument, the court determined the government was unable to provide any tenable theory that the act falls within Congress's power, and they issued an immediate injunction of the Corporate Transparency Act. The court stated all the deadlines for companies to comply with the act, including the requirement to file the beneficial ownership information reports, by January 1, 2025. As with most things in our legal system, the story doesn't end there.

Immediately, the Department of Justice appealed the ruling on December 5. The Financial Crimes Enforcement Network moved to stay the injunction pending the appeal, and the Fifth Circuit put some really tight deadlines on briefing of the issue. It's possible we will get a ruling on at least the motion to stay the injunction before the end of this year. I'm keeping a close eye on the developments of this one. Obviously, while this sounds like good news for business owners that have to comply with the act, based on the timing of where we are in terms of almost at the end of 2024, the issue is what happens if the injunction is stayed and businesses need to file in order to comply with the January 1 deadline. My takeaway is that those businesses should be prepared to file the report should the injunction get stayed, and if they pull the injunction before the end of the year, could still result in certain fines and significant penalties. It's an important issue to keep an eye on, especially since we're two weeks away from the end of 2024, but interesting ruling. With that, we'll kick it over to David to talk about some of the cyber issues he's been monitoring.

David Finz (11:17):
Thanks, Mike. One area that I really want to focus on today is regulation of the financial service industry. Much of the enforcement action that we are seeing right now is emanating out of New York state. Much of that enforcement activity is centered around the New York State Department of Financial Services Regulations, known locally here as Part 500. The most recent high profile consent order that has come out of Albany relates to a 2020 cyber breach that exposed the personal data of about 120,000 New York auto insurance policyholders, which triggered an investigation for violation of Part 500. In this case, the hackers stole sensitive information, and then used that stolen data to fraudulently claim unemployment benefits, which can help explain why the state government was particularly interested in this incident. This breach sheds light on the inadequacy, to this day, of cybersecurity protocols on the part of some insurance companies. Now in this matter, the New York State Attorney General responded by utilizing once again the state's strict privacy regulations for financial institutions. They targeted two auto insurers who were impacted by the breach for their weak data security practices. The insurers have been fined a combined $11 million, and they've also agreed to implement therapeutic measures, if you will, aimed at strengthening their cybersecurity measures, including risk assessments and addressing other concerns raised by the state. This recent consent order highlights the continued focus on the part of the New York state government around cybersecurity for financial institutions operating in New York.

Keep in mind that the New York State DFS Regs, this Part 500, has become a template or role model that many other states and even federal banking regulators have followed in patterning their own cybersecurity regulations. It's very important to look at the standards this set forth in Part 500 on the part of financial institutions to help them avoid the imposition of similar penalties and these types of investigations being brought against them. Also, you can't overlook the importance of cyber insurance here. Businesses need to ensure that the language of their policies triggers coverage for regulatory action, not just being predicated on a data breach, which again, in this case it was, but also simply for the alleged violation of the state's data privacy regulations, which again, the state has the authority to open those investigations independent of whether there is a breach. You want to make sure that your insurance policy will respond to that sort of proceeding as well. Not all cyber insurance policies are created equal. There's not a lot of standardization in the wording. Because of that, you need to look very carefully at the language in your carrier's particular form to make sure that the coverage for regulatory proceedings is broad enough to be triggered, not just by a response to a data breach on the part of regulators, but any violation of the applicable data privacy regulations. Overall, the lapses in security here, that were cited by the state against these two insurers, reflects the Attorney General's continued aggressive stance towards enforcement. We all know that New York styles itself as the financial capital of the world. As a result of that, you can certainly say that financial institutions are part of the critical infrastructure and essential to the economy of the state. Because of that, we can expect that the Attorney General will continue to enforce Part 500, and this should serve as a cautionary tale for businesses with respect to the state's proactive approach to enforcing these regulations and the importance of policy wording in your cyber insurance to cover these regulatory proceedings. So with that, I'll turn it back over to Mike.

Mike Radak (15:23):
Yes, thanks David. Really interesting stuff. Well that does it. We look forward to talking to you all again, thanks for listening.