With the Labour government now in power, it can be said with some certainty that there are numerous changes to UK regulation on the horizon. Picking up where Rishi Sunak left off, Keir Starmer has already made clear that he intends to address areas that are key to economic growth – AI regulation and green investing being two that immediately spring to mind.
And it’s not just the regulatory landscape that is evolving. From the ever-increasing threat of cyber attacks to new disclosure requirements around ESG, Directors, Officers, and others within key functions at regulated firms could find themselves facing great personal exposure in relation to their roles.
These individuals need to be conscious of the risks associated with recent rule changes, as well as those coming down the line. We have looked at several of these below from a risk management perspective.
New public listing rules
11th July saw the Financial Conduct Authority (FCA) announce new rules on public listing. The rules, which came into effect from 29th July and are part of the FCA’s attempt to boost the UK’s capital market, give company leaders the ability to make decisions without shareholder votes and allow companies to issue dual-class share structures. While events such as reverse takeovers and removing a company’s shares from an exchange will still require shareholder approval, significant and related party transactions do not. This means that companies will be able to enter into transformational acquisitions or disposals far more freely.
While such transactions comply with these new regulatory norms, the company heads behind them need to be wary that the removal of prerequisites does not imply shareholders’ acquiescence to such decisions. The FCA itself notes that the new rules allow for greater risk, but believes that they better reflect the risk appetite the economy requires to achieve growth. Maintaining shareholder involvement, through the continuation of aspects such as shareholder circulars, may prove key in avoiding accusations of negligence in relation to the Directors’ fiduciary duties to their shareholders.
Additionally, the removal of the need for sponsor guidance when entering a potential transaction creates exposure for the company, which will no longer receive specialist advice throughout the process. In the event of a significant transaction, the absence of sponsor assurance that the responsibilities of the company have been met can also be seen as an added risk, with any accusations of negligence falling solely on the company going forward.
Evolving cyber risk
Today, addressing the threat of cyber attacks should be considered part and parcel of running a business. Total losses due to cybercrime cost the UK economy an estimated £30.5 billion in 2023, according to a study by Beaming and Censuswide, and Verizon reports that 3.4 billion emails containing a malicious link are sent every day. Even more concerningly, 74% of all cyber breaches result from human error.
While specialist cyber policies provide essential elements of cover in relation to the direct repercussions of an attack – including direct costs to respond, liability to others and business interruption – Directors face the indirect risk of accusations of negligence in relation to the company’s policy on, and handling of, cyber security.
In the UK, Directors' fiduciary duties to the company are generally codified under the Companies Act 2006, including the duty to exercise reasonable care, skill and diligence in the conduct of their role. A Director’s failure to understand and mitigate cyber risk by neglecting to implement appropriate security measures may therefore be considered a breach of these duties. This in turn can lead to a claim being brought against the Directors by the company or by shareholders through a derivative action.
The FTC’s action against Drizly CEO James Cory in the USA suggests what may follow should the UK authorities continue to follow the lead of their US counterparts. After all, we have already seen the FCA take action against Equifax last year, fining the company £11,164,400 for its failure to manage the security of UK consumer data it had outsourced to its parent company in the US.
Increasing reporting requirements on ESG
Introduced at the beginning of 2023 with the aim of enhancing sustainability reporting requirements, the Corporate Sustainability Reporting Directive (CSRD) represents a significant shift for a wide range of businesses in the EU. The first companies to be affected by the Directive will have to apply the new rules for the first time in the 2024 financial year, for reports published in 2025. As a result, ESG disclosures will increase and more companies will be subject to the mandatory reporting, including SME businesses.
From a UK perspective, any company with securities listed on an EU regulated market will still be subject to the CSRD, as will any EU subsidiaries or branches that meet the threshold requirements. Assessing the need for this compliance places another responsibility on Directors, with specialist ESG analysis being needed, whether by creating an internal function or by engaging a third-party professional.
Now is also the time to consider the broader implications of this regulation. The importance of the directive makes it highly likely that regulations regarding sustainability and monitoring will become more pervasive over time. The Labour government has already announced plans to use technology to track and reduce carbon emissions more effectively. This, coupled with the launch of GB Energy, shows that a path similar to the EU’s would appear to be on the horizon.
Directors face greater exposure than ever
As you can see, the overall theme is that Directors’ accountability in relation to company decision making is gradually increasing. Alongside claims case studies highlighting this, emerging regulation is another indicator of the increasing risk Directors face in their roles. For example, the Economic Crime and Corporate Transparency Act 2023 places direct responsibility on the Directors of applicable companies for the prevention of, and response to, direct financial loss. Directors therefore need to be more concerned than ever before with their own internal risk frameworks and governance.
This is where external risk management and mitigation tools could prove to be a worthwhile consideration; in particular, individual insurance coverage can be invaluable in the event of a claim. Directors’ and Officers’ Liability insurance continues to be designed for the emerging risks that come from modern technology and new regulation. Having affirmative coverage clauses included in relation to the proximate causes of claims ensures the policies respond to protect the individuals at risk, whether such causes are based in regulation, cyber incidents or fiduciary duty.