In this note we look at the exposures that directors and officers (D&Os) may face as a result of the COVID-19 crisis, in addition to setting out some considerations they should be taking into account during these times.

Being a director in this day and age is increasingly challenging. In the UK, directors face a wide range of exposures which may make them subject to an official inquiry or investigation, or having to defend themselves in civil or criminal proceedings, in which their conduct and decision-making is examined. In this age of increased senior management accountability, the board and its members are, more and more, expected to adequately recognise, manage and mitigate risks. This is set against a backdrop of heightened shareholder awareness, engagement and activism, the omnipresent reputational risk and strengthened corporate governance requirements to consider risks which do not necessarily translate to a direct financial risk.

The coronavirus presents unique challenges for D&Os. Given how quickly the virus is spreading, how inconsistent the approaches of governments have been, and the already significant impact it has had on the financial markets and global economy, it is very difficult for D&Os to ensure that they are responding effectively to the crisis. While the early stages of the coronavirus outbreak appeared to hit those companies which had international supply chains encompassing China as well as airlines, the situation has developed at such a pace so as to impact domestic supply chains due to travel restrictions and social distancing/isolation.  The latter has in turn led to a reduction in demand for a wide range of products and services such that the outbreak has the real potential to impact companies of all sizes operating in virtually all industries.

With that in mind, do D&Os pre-emptively take action, which may turn out to be premature or unnecessary? Do they wait and see and risk not being able to adapt quickly enough once the coronavirus situation worsens? What is the financial impact of supply and/or demand changes currently, and how do these look going forward based on a range of scenarios? What protections should be put in place for employees? How can customers be reassured and their needs continue to be serviced? What should they disclose to regulators and shareholders? Are they able to even fully assess the impact the virus may have on their business given that it is ever-evolving?

While everyone's primary focus at this time is on the health and wellbeing of individuals and all D&Os are struggling with a fast-changing situation such that one would hope that the frequency of D&O exposures will be limited, in the event that D&Os make errors in their business continuity planning, there are a number of possible claims they may face, which we focus on below from an English law perspective.

Shareholder derivative claims

In solvency, directors owe their duties to their company. These are codified in the Companies Act 2006 (CA 2006) sections 171-177. The duty to promote the success of the company (section 172) and the duty to exercise reasonable care, skill and diligence (section 174) are the most likely duties to be called into question, with claimants potentially alleging mismanagement/negligence in directors' responses to the coronavirus crisis if loss to the company occurs. For example, one can envisage claimants arguing that directors: failed to have in place disaster contingency plans; inadequately implemented contingency plans; failed to exercise the contingency plan at all or in a timely fashion; failed to adapt plans in the light of new information; had an overreliance on a particular supply chain; failed to take into account/follow government protocols. Such failures could lead to business disruption and stock price drops, resulting in losses to the company.

A derivative claim is an action brought by one or more shareholders against the company's directors, seeking redress on behalf of the company for a wrong committed by those directors.  If successful, the relief is granted and any damages are awarded in favour of the company itself, not the shareholder. Section 260(3) CA 2006 provides that a derivative claim may be brought only in respect of a cause of action arising from an actual or proposed act or omission involving negligence, default, breach of duty or breach of trust by a director of a company. Permission of the court is required in order to pursue a derivative action: such permission has only been granted in a small number of cases since the provisions came into force in October 2007, as the hurdle is set quite high by the courts. Given procedural difficulties in establishing such claims, we are of the view that directors will need  to have seriously breached their duties in order for such a claim to proceed, let alone succeed. As such, we consider that the derivative claim risk is relatively low in comparison to other risks directors may face as a result of the coronavirus crisis.

It should of course be borne in mind that there are a number of avenues to relief from liability for breach of duty (which apply beyond derivative proceedings, including in an insolvency context): these include ratification by the company (section 239) and court ordered relief in circumstances where the directors can show that they have acted honestly and reasonably and have considered all circumstances such that they ought fairly to be excused (section 1157).

Risk management considerations (non-exhaustive)
  • Hold regular meetings/briefings on the coronavirus crisis and take detailed minutes of decisions and action plans.
  • Continually review contingency and operational resilience plans and update as necessary as the situation develops.
  • Consider what internal or external resources may need to be brought in to help keep the board informed.

Investor claims

A greater risk is claims by investors following share price drops. There is and will continue to be greater scrutiny on company disclosures regarding the impact of the coronavirus on the company and it will be very difficult for companies to draw the right line in their disclosures as anything they do or do not say could significantly impact share prices.

In addition to raising allegations of negligence or mismanagement relating to the preparation, response or management of the crisis as it relates to their business operations, investors may also, therefore, allege that disclosures about the impact of the coronavirus on the company were misleading or inadequate. Indeed, as discussed in more detail later in this article, two actions have already been filed in the US and it is perfectly possible that more will be brought in due course.

Shareholders may also apply hindsight to the situation and analyse early disclosures to allege failures by the company and its directors to adequately disclose or update disclosures on the situation as the risk landscape evolved. However, given stock market volatility, claimants will face challenges in showing that their losses were not caused by factors other than a failure to disclose (or inadequate disclosure).  

In the UK, such claims could be based on common law (for example, the torts of deceit or negligent misstatement) or statute. The statutory claim is under section 90A Financial Services and Markets Act 2000 (FSMA) in respect of misstatements or omissions in an issuer's periodic financial disclosures (for example, annual and half-yearly reports and accounts), or in information published to the market by means of a recognised information service.  Section 90A is an action with potentially very wide scope but, as yet, has received no judicial consideration (though a group action is currently progressing through the courts and is due to go to trial this year). Section 90A is a partly fraud-based action and provides that an issuer of securities is liable to pay compensation to a person who:

  1. acquires, continues to hold or disposes of the securities in reliance on published information, and
  2. suffers loss in respect of the securities as a result of—
    1. any untrue or misleading statement in that published information, or
    2. the omission from that published information of any matter required to be included in it.

It further provides that the issuer will be liable in respect of any untrue or misleading statement only if "a person discharging managerial responsibilities within the issuer knew the statement to be untrue or misleading or was reckless as to whether it was untrue or misleading." Similarly, the issuer will only be liable in respect of the omission of any matter required to be included in published information if "a person discharging managerial responsibilities within the issuer knew the omission to be a dishonest concealment of a material fact."

For most issuers, persons "discharging managerial responsibilities" within an issuer will be the directors and not any wider group of senior managers. This definition would suggest that it is sufficient for one director to have sufficient knowledge as opposed to any group that constitute the directing mind and will of the issuing company so it avoids difficult questions of attribution of knowledge. This is a broadening of the historic test under the common law.

Section 90A only refers to "compensation" and is silent on the loss methodology which should be applied – how to value any claim resulting from the coronavirus outbreak will be very challenging. Given the fraud-based nature of the offence and the requirement to demonstrate reliance, as already pointed out, claimants may also face challenging causation hurdles – can they prove that the disclosure (or lack of) caused the loss when the financial markets as a whole are in turmoil as a result of the crisis? Can they prove they relied on the disclosure?

While a claim under section 90A can only be brought against the issuer, not against any directors, it seems possible that directors could have a back-to-back liability to the issuer pursuant to section 463 of CA 2006 (which provides that a director is liable to compensate the company for any loss that the company suffers as a result of any untrue or misleading statement in, or omission from, certain reports) or otherwise for breach of fiduciary duty or negligence.

There is also the spectre of reputational risk which may affect financial performance. For example, did the company prioritise financial gain over the health of employees? Did the company exploit customers' fears for profit? These side reputational issues could well result in a loss of confidence in the company, leading to stock drops and shareholder claims.  

Risk management considerations (non-exhaustive list)
  • Consider carefully what disclosures you might need to include in your year-end accounts relating to these events.
  • Consider whether to refer to the possible impact of COVID-19 on your business in your reporting of principal risks and uncertainties.
  • Where mitigating actions can be taken, these should also be reported alongside the description of the risk itself.
  • Monitor developments and ensure the provision of up-to-date and meaningful disclosure.
  • Keep detailed records of decisions and action plans.

Regulatory action

In the UK, while there is no one regulator enforcing director duties for all UK companies, the Financial Conduct Authority (FCA) regulates D&Os of firms which fall within its regulatory scope. Further, it is the responsible regulator for the Listing and Disclosure Rules and the Transparency Rules and it has the ability to take action against directors for being knowingly concerned in contraventions of the Listing Principles, Disclosure Rules and Transparency Rules (see section 91(2) FSMA) and a recent example of such an action is the fines imposed last year on the CEO and FD of Cathay International Holdings Limited.  The Prudential Regulation Authority (PRA) is also relevant for certain financial institutions.

Both the FCA and the PRA have set out their expectation that firms have contingency plans in place that are effective and proportionate for their business as a result of the coronavirus outbreak. Firms are required by the FCA to "take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems" (Principle 3 of the FCA's Principles for Businesses). PRA-regulated firms "must have effective risk strategies and risk management systems" (Fundamental Rule 5 of the PRA's Fundamental Rules and Principles for Businesses). Demonstration of appropriate and effective oversight of operational resilience might include evidencing the identification of important business services, and mapping and setting impact tolerances as well as the firm's ability to remain within these tolerances.

The FCA/PRA have also stated that they are "actively reviewing" the contingency plans of a wide range of firms. In particular, the FCA has stated that this will include "assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers during the outbreak." This would include a firm being able to identify with clarity who is responsible for operational resilience. The FCA and PRA have no objection, in principle, to staff working from back-up sites or from home provided that the firm is still able to serve its customers and meet its regulatory obligations.

The failure of a firm to have adequate contingency plans in place could give rise to regulatory exposures and reputational loss.

In relation to corporate governance, the Financial Reporting Council (FRC) (which is responsible for the UK Corporate Governance Code) has released recommendations on coronavirus disclosures, stating: "Given the potential for rapid spreading of the virus, required disclosures will likely change over time as more information about the epidemic emerges. As a result, companies will need to monitor developments and ensure that they are providing up-to-date and meaningful disclosure when preparing their year-end reports."

However, the primary focus by the FRC on financial reporting will be on the auditors that it regulates, not on directors (whom it does not).

The outbreak will also pose regulatory challenges for senior managers under the Senior Managers & Certification Regime (SMCR).  For example, individuals that perform the Chief Operations Function (SMF24) have responsibility for managing the internal operations of a firm: this typically includes, amongst other things, business continuity. Where firms do not have an individual performing the SMF24 function, it will be for a firm to have determined the most appropriate person within the firm, who will be accountable for operational resilience. It is anticipated that the FCA and PRA, in due course, may require firms to identify/appoint a senior manager with responsibility for coronavirus contingency planning.

Aside from those senior managers with responsibility for operational resilience and business continuity, other senior managers will need to consider the impact on their area of responsibility. For example, a senior manager will need to consider what information they will need in order to understand how the situation is impacting the business, particularly where aspects of service delivery have been outsourced within the UK or abroad. Firms will also need to consider how senior management will appropriately supervise staff working remotely.

Under the SMCR, if a firm breaches one of the FCA's requirements, the senior manager responsible for that area could be held individually accountable if they failed to take reasonable steps to prevent or stop that breach, potentially leading to regulatory penalties and censure. Therefore, senior managers should consider whether they have the management information required to address issues arising from the coronavirus outbreak and to ensure that they record the basis for the steps they take in light of such information.

Risk management considerations (non-exhaustive list)
  • Similar considerations apply to regulatory exposures as to investor claims (set out above).
  • Be prepared to explain and justify your contingency and operational resilience plans to regulators. 
  • Where FCA-regulated firms do not have an individual performing the SMF24 function, it will be for a firm to have determined the most appropriate person within the firm, who will be accountable for operational resilience.

Insolvency claims

The current environment increases the chances that companies will run into financial difficulties. D&Os need to consider whether the company is at risk due to an impact on revenues and how to weather the storm. The impact is already being felt. The imposed lock-downs, travel limits and wavering consumer confidence will only exacerbate the problem.

Companies may also face serious debt burdens, possibly prompting costs to be cut by laying off workers and divesting investments, in a bid to avoid default. There are also increased solvency risks for companies with lower demand and lower cashflow but ongoing overheads, particularly if they are also covering workforce sick leave costs. In particular, so-called "zombies", or companies that survive only by issuing new debt as they earn too little to even make interest payments on their debt, may be particularly susceptible to failure. According to the Bank for International Settlements, such zombie companies account for 16 percent of all publicly traded companies in the U.S., and more than 10 percent in Europe. Many of these companies are in the commodities industry, which has been hit hard by the coronavirus.

Traditionally, directors faced a number of exposures arising from an insolvency which could see them facing investigations, claims and prosecutions (for example, for wrongful trading, fraudulent trading, misfeasance or breach of fiduciary duty). However, COVID-19 has brought directors' duties into the spotlight and there are currently calls to urgently reform insolvency laws to prevent companies, in financial difficulty due to the impact of the coronavirus pandemic, from being forced to file for insolvency and to suspend wrongful trading laws. On 28 March the government announced that it would introduce new legislation (apply from 1 March 2020) as soon as possible to suspend wrongful trading laws with the detail of the proposed legislation awaited.

Breach of contract/third party claims

A defendant will be liable for procuring a breach of contract where they intentionally induce or procure the breach of a contract between the claimant and a third party without reasonable justification, and the claimant suffers economic loss as a result (Lumley v Gye (1853) 2 E&B 216). An example may be where companies try to set up an alternative supply chain in order for production to continue. Not only may the company breach its own direct contracts, but it may also induce companies further down the supply chain to breach their contracts, potentially leading to claims.

Knowledge is key; there must be proof that the defendant actually knew that they were inducing or procuring an act that was a breach of contract and that they intended this consequence. There must, therefore, also be knowledge of the contract itself (OBG v Allan [2007] UKHL 21). Whilst this may be a large risk for companies, can the directors be personally liable for causing the breach if they authorised it on behalf of the company? The answer is yes, though the application may be limited in practice. In Antuzis & Ors v DJ Houghton Catching Services Ltd & Ors [2019] EWHC 843 (QB), the Court held that the directors of the company were personally liable for breaches of statute and contract by the company in not paying minimum wage, holiday pay or overtime to agricultural workers. The general principle is that directors will not be liable for the torts of the company committed at their direction if they acted in good faith (Said v Butt [1920] 3 KB 497). The conduct that is relevant is the conduct in relation to the director's duties towards the company not the third party. Specifically, here, the duty in question was the section 172 CA 2006 duty: the duty to promote the success of the company. In this case the company was 100% owned by the two directors and they were not acting in good faith as they knowingly behaved in such a way as to damage the company's reputation by causing the company to breach its contractual obligations to the claimants. They, therefore, could be held personally liable. However, the facts of this case are quite particular and it is unlikely that there will be many claims against D&Os in this regard.

Force majeure clauses will be examined closely over the coming weeks, as such clauses may excuse companies from liability for non-performance. This is already the case in China where the China Council for the Promotion of International Trade has already issued more than 1,600 force majeure certificates covering contracts worth more than $15bn.

How the force majeure clause is worded will dictate whether the coronavirus constitutes a force majeure event. Even if there is no force majeure clause, parties may assert that the contract was nonetheless frustrated due to impossibility/illegality. Again, this is likely more an issue for the company than their directors.

Risk management considerations (non-exhaustive)
  • Businesses should review their main customer and supply contracts to assess whether they need to be/can be cancelled or are being inadvertently amended or whether rights are being waived as a result of COVID-19.
  • Review all relevant contracts and seek legal advice as necessary as to terms and course of action.
  • Contract parties should be careful in discussions with suppliers or customers hit by COVID-19 that they do not, either through their actions or by what they regard as informally agreed solutions, amend or waive rights under a contract unless they have fully thought through the consequences. Many contracts will provide that any amendments or waivers have to be in writing to be valid but care should be taken in this area.
  • Establish clear communications with your lenders, your customers and suppliers regarding COVID-19.

Cyber risks

Cybersecurity should be at the top of a board's agenda already but with resources and attention being diverted to handle the coronavirus crisis, companies may be left exposed. There is also the risk that the increase in remote working could create new cybersecurity concerns and expose the company and its data.

The supervisory assessment of firms' operational resilience is a priority for regulators and enforcement action will be taken as necessary if systems and controls are deemed inadequate (for example by the FCA and/or by the ICO). In addition to corporate failings, D&Os could also be subject to regulatory action for failing in their supervisory duty to protect the data of the organisation and its customers, or for a lack of proper controls to prevent cyber attacks and fraud. D&Os may also be at risk of breach of duty claims (though note that derivative actions generally are hard to establish), and if the company suffers a stock drop or goes into insolvency as a consequence of the cyber incident, directors may also face claims by shareholders and liquidators. Directors may also be exposed to privacy claims if data is lost.

Risk management considerations (non-exhaustive)
  • Proactively engage with risk by performing a detailed risk assessment and implementing clear and robust data privacy and cyber security strategies.
  • Ensure all senior management understand, promote and implement cyber security and data privacy policies and that all staff are reminded of their obligations and the company's policies and procedures.
  • Ensure cyber strategy is reviewed and revised periodically.

Health and safety at work

The risk and consequences of facing a health and safety prosecution have been increasing in recent years. The insured defence costs associated with such prosecutions can be considerable.

Companies and directors are under a duty to do all that is "reasonably practicable" to protect the health and safety of their employees1 and also have duties to non-employees and must conduct their work activities in a manner that does not expose non-employees to health or safety risks2. Businesses are expected to carefully consider, in line with their usual health and safety practices, reviewing and implementing an appropriate response to the coronavirus risk.

Worker safety is hitting the headlines, with reports regularly coming in about failures in the workplace. For example, healthcare workers note a lack of personal protective equipment. Whilst the government has said that construction work could continue if it can be done safely in the open air, many workers are reporting packed trains to get to sites and that few safeguards have been put in place by employers for the sites. There have also been reports in the U.S. of retail staff in large chain stores working in crowded stores without distancing requirements being observed/enforced or additional protective equipment put in place. Further, vulnerable staff have reportedly been unable to withdraw from work for fear of not getting paid.

Companies and their D&Os open themselves up to investigations, prosecutions and claims if they fail to protect their employees.

Government and HSE advice should be followed. The HSE has recently issued updated guidance in relation to:

The latest information and advice from the HSE can be found here. In particular, key advice from the HSE includes:

  • All staff to work from home, if possible, unless it is absolutely necessary to go into work.
  • Advise staff to not work if they are sick.
  • Ensure appropriate training is given to any remaining workers who may be required to carry out unfamiliar tasks.
  • Review risk assessments and apply the necessary control measures to take account of the reduced workforce and the remaining pool of skills available.
  • Consider extra precautions if workers, who normally work in a group, are required to work alone or in a remote location.
  • Employee sickness absences may create a need for other employees to work longer hours to keep the business going: ensure you comply with the Working Time Regulations 1998, with appropriate daytime working hours, night shifts and rest breaks.
  • Consider whether it is advisable for a worker to wear a face mask, depending on the nature of the work and the outcome of your risk assessment.

Investigations and prosecutions by the HSE and other regulators of infectious diseases have historically been focused on E-coli bacterial infections. The risk of a raft of prosecutions following an influenza-type outbreak therefore seems remote. However, businesses and directors should always remain alive to the possibility of investigation/prosecution in cases where there has been a serious failure to take appropriate protective measures, in which substantial fines and imprisonment are available as sentencing options. There is also precedent for non-causative prosecutions, for example in cases where control measures have not been put in place, even where there may be causation issues over how those affected contracted the virus.

Risk management considerations (non-exhaustive)
  • Ensure government and HSE measures are followed and keep staff informed of the company's policies, and changes to these policies, on a regular basis.
  • For more information on workplace issues, please consult Clyde & Co's Coronavirus Information Hub, which has several articles issued by the Employment team.

Comment

Given this is such a fast-moving situation, it is currently unclear what the full impact of coronavirus will be on D&Os. Given the significant adverse impact the pandemic has already had on the global economy and financial markets, however, it is inevitable that D&O claims will arise, although the ultimate exposure remains to be seen.

For information on the impact of the coronavirus, please view our Coronavirus Information Hub.

Footnotes

1 Section 2(1) of the Health and Safety at Work Act 1974

>2 Section 3(1) of the Health and Safety at Work Act 1974

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.