
What Insurance Does a Public Company Actually Need?

Going public reshapes a company's risk profile in ways a standard commercial insurance program was never designed to handle. Shareholders can sue when earnings disappoint. Regulators have new visibility into governance decisions. A data breach that a private company might weather quietly becomes a mandatory SEC disclosure — and often a securities class action. Employees who were always a source of litigation risk are now part of a story that analysts, journalists, and plaintiffs' lawyers follow closely. This guide walks through the core insurance lines every public company program should include, explains how each one works in practice, and grounds the analysis in real claims data and recent litigation. The aim isn't to overwhelm with policy language — it's to give boards, CFOs, and risk managers a clear picture of what they're buying and why it matters before they need it.
Capital Markets Mar 12, 2026

PUBLIC COMPANY RISK & INSURANCE  ·  BROKER GUIDE  ·  2026


A note on how these policies interact: a single event can trigger multiple policies simultaneously. A cyberattack, for instance, can generate costs under a Cyber policy, a securities class action under D&O, a consumer lawsuit under General Liability, and a fraudulent wire transfer under Crime — all from one incident. Smart program design means those policies work together, not against each other.

Directors & Officers (D&O) Insurance: The Non-Negotiable

D&O insurance is the policy most people think of first for a public company — and for good reason. It funds the defense and settlement of claims alleging that directors and officers acted wrongfully: securities class actions, shareholder derivative suits, and regulatory investigations are its primary territory. Without adequate D&O coverage, the personal assets of executives and board members are exposed in litigation that can run for years and cost tens of millions in defense fees before any settlement is paid.

How it's structured: Side A, Side B, Side C

Public company D&O policies are built around three coverage buckets. Side A covers losses the company cannot or will not indemnify — most importantly, derivative lawsuit settlements, where Delaware and many other states prohibit the company from reimbursing directors because the money flows back to the company itself. Side B reimburses the company after it has already funded a director's or officer's defense or settlement. Side C covers the company directly for securities claims — typically shareholder class actions alleging fraud or misrepresentation in the securities markets.

Side A typically carries no retention, meaning it responds from the first dollar when indemnification isn't available. Sides B and C carry retentions that can run into the tens of millions for larger companies. One structural feature matters enormously: defense costs in most D&O forms are paid from within the same limit. Every dollar your lawyers spend reduces the pool available for settlement. In complex, multi-year litigation, that dynamic makes choosing the right total tower limit a high-stakes financial decision, not a routine purchasing exercise.

What the numbers actually show

The litigation environment for public companies is more intense than many executives appreciate until they're in it. According to Cornerstone Research and the Stanford Law School Securities Class Action Clearinghouse, plaintiffs filed 207 federal and state securities class actions in 2025, down slightly from 226 in 2024 — but the Disclosure Dollar Loss index (a measure of market-cap decline associated with alleged fraud) hit a record $694 billion in 2025, up from $429 billion in 2024. Fewer cases, but substantially larger ones. [1]

On settlements, Cornerstone Research's 2024 annual review shows an average settlement of $48.7 million in 2023 (the 2015–2023 average was $50.7 million) and a 2023 median of $15.4 million — a 13-year high at the time. In 2024, the average came in at $42.4 million across 88 settlements, with a median of $14 million. The 2025 median reached $17.3 million, the highest since 1997. [2] The median time from case filing to settlement hearing has held around 3.3–3.7 years across 2023–2025 — meaning years of defense costs erode the available limit before a dollar of settlement is paid.

Two recent cases that define what's at stake

Meta Platforms (Cambridge Analytica), November 2025:  Zuckerberg and other current and former Meta directors agreed to a $190 million derivative settlement — paid entirely by D&O insurance — to resolve shareholder claims that the board mishandled the Cambridge Analytica data privacy scandal and engineered a $5 billion FTC settlement in a way that personally shielded Zuckerberg from financial exposure. Shareholders had originally sought $7–$8 billion. Because it was a derivative case — the money goes back to the company — Delaware law prohibits indemnification by the company. D&O insurance (Side A) was the only available source of funds. The settlement is the second-largest Caremark oversight settlement in Delaware Chancery Court history. The board also agreed to governance reforms on privacy oversight, insider trading, and whistleblower protections. [3]

Boeing 737 MAX derivative litigation, final approval March 2022:  Boeing directors agreed to a $237.5 million settlement — fully funded by D&O insurers — to resolve claims that the board failed in its safety oversight obligations before the two 737 MAX crashes that killed 346 people. At the time of final court approval, it was the largest Caremark oversight settlement in Delaware history (a record later surpassed by Meta). Total insurer exposure, including years of defense costs, was substantially higher than the headline number. The case produced extensive governance reforms around safety reporting and board composition. [4]

SVB Financial Group, ongoing as of 2025:  Following Silicon Valley Bank's collapse in March 2023, a federal court denied motions to dismiss in June 2025, keeping securities claims alive based on alleged failures to disclose interest-rate risk and held-to-maturity accounting exposure. The Federal Reserve's post-mortem cited management and supervisory weaknesses — exactly the regulator narrative plaintiffs use in parallel litigation. The case illustrates that a bank failure is simultaneously a regulatory event and a multi-year D&O event. [5]

Practical reality: every time a public company files a Form 8-K with bad news — a guidance cut, a restatement, an SEC inquiry — the probability of a securities class action rises. With a median time to settlement of 3.3+ years, the defense costs alone over that period can significantly erode whatever limit was purchased at the last renewal.

Employment Practices Liability (EPL): The Risk in Every Paycheck

Employment litigation is the highest-frequency management liability exposure for large public companies. Every hire, promotion, compensation decision, and termination is a potential claim. EPL insurance covers wrongful termination, discrimination, harassment, and retaliation. It belongs alongside D&O — not inside it. Standard D&O forms exclude employment-related liability and wage-and-hour claims at the entity level, which means without a standalone EPL tower, a company is self-insuring those exposures entirely.

The EEOC's FY2024 annual report quantifies the baseline exposure: 88,531 new discrimination charges were filed in the year ending September 2024 — a 9.2% jump from FY2023 — and the agency secured nearly $700 million in monetary relief for over 21,000 individuals, the highest total in its recent history. [6] Those figures represent only what goes through EEOC channels. Private lawsuits don't route through the EEOC and account for a far larger volume of potential claims.

For public companies, EPL risk intersects with D&O in a way boards frequently underestimate: when workplace misconduct becomes public — through litigation, media, or a whistleblower — shareholders may allege the company failed to disclose a material risk. The SEC has made clear that disclosure controls extend beyond financial reporting to material non-financial risks. A significant harassment or discrimination scandal that was never flagged in risk factors or MD&A can generate a D&O claim layered directly on top of the EPL one.

One structural limitation deserves attention at renewal: wage-and-hour claims — overtime disputes, misclassification cases, break-time violations — are commonly excluded from EPL coverage or limited to a defense-cost sublimit only. For California-exposed companies or those with large hourly workforces, this gap can be substantial. Wage-and-hour class actions routinely settle in the tens of millions, but a standard EPL policy may fund only a fraction of that cost.

Cyber & Privacy Insurance: No Longer Optional

Cyber insurance has become a standard part of the public company program in under a decade. The NAIC's cybersecurity insurance data shows U.S. cyber direct written premium growing from $2.25 billion in 2019 to $7.08 billion in 2024 — more than tripling in five years. [7] The market growth reflects a risk that now reaches every part of the organization, from the network perimeter to the boardroom.

A standalone cyber policy covers two categories of loss. First-party costs — incident response, forensics, breach notification, credit monitoring, public relations, ransomware payments — respond immediately after an incident. Third-party liability — consumer class actions, regulatory fines, claims from business partners — develops more slowly but can be substantially larger. For public companies, there is a third layer that sits between the two: SEC disclosure obligations. Since the SEC's 2023 cybersecurity rules took effect, material cyber incidents require a Form 8-K Item 1.05 disclosure within four business days of a materiality determination. That disclosure event frequently triggers a D&O claim alleging prior risk factor disclosures were inadequate — meaning a cyber incident can become a D&O claim through the disclosure pipeline.

T-Mobile data breach, 2021–2023:  T-Mobile's August 2021 breach, affecting approximately 76.6 million people, produced some of the clearest public data available on how a major cyber incident is actually financed. The company disclosed a $350 million class action settlement (final approval June 2023), $150 million in incremental security spending commitments, and insurance reimbursements — all separately quantified in its 10-K filings. The public accounting makes this one of the most transparent examples of how settlement costs, remediation spending, and insurance recovery interact in a large-scale breach. [8]

Two structural issues deserve explicit attention when designing cyber coverage. First, the war exclusion: following the 2017 NotPetya cyberattack, multiple property insurers attempted to deny coverage by classifying the attack as a 'hostile' or 'warlike' act attributable to a state actor. Merck's protracted litigation over that denial went to the New Jersey Appellate Division, which ruled in 2023 that those insurers could not apply the war exclusion to bar coverage under the property policies at issue. [9] The ruling confirmed that cyber losses can flow into property towers and catalyzed the market to tighten war exclusion language across both cyber and property policies. Second, silent cyber: non-cyber policies — property, GL, crime — may carry ambiguous language about whether cyber-caused losses are covered. These positions should be resolved explicitly at each renewal, not left to claims-time argument.

Crime & Fidelity Insurance: The Threat That Bypasses the Firewall

Not every corporate financial loss flows through a network breach. A large share of financial crime at public companies involves someone being persuaded — an employee with payment authority receiving a convincing instruction to wire money somewhere it shouldn't go. Crime insurance (also called fidelity insurance) addresses employee dishonesty, funds transfer fraud, and social engineering schemes that bypass cybersecurity controls entirely and land directly in treasury operations.

The FBI's IC3 reported that Business Email Compromise — where a fraudster impersonates an executive, vendor, or business partner to redirect a wire payment — generated $2.74 billion in reported losses in 2022, $2.95 billion in 2023, and $2.77 billion in 2024, with over 21,000 complaints filed annually. The cumulative three-year total is nearly $8.5 billion. [10] These losses typically involve no system intrusion — just a convincing email and an authorized transfer — which is precisely why a cyber policy alone may not respond.

Coverage outcomes in BEC losses often turn on specific wording: whether the crime policy contains a 'social engineering' endorsement or a 'funds transfer fraud' insuring agreement broad enough to capture authorized-but-deceived payments. The standard 'computer fraud' insuring agreement in older forms may not apply when no computer was actually compromised. For companies that process significant payment volumes, getting this language right at placement — and pairing it with internal controls like dual authorization and vendor change-of-banking-instructions verification — is simultaneously a loss-prevention measure and a condition of coverage.
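Added example, not from the article or from any carrier's policy form: a minimal payment-release check that enforces the two controls named above, dual authorization and verification of changed vendor bank instructions, against constructed payment requests. The threshold, hold window, vendor ids and names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

DUAL_AUTH_THRESHOLD = 10_000.0  # constructed: wires at or above this need two approvers
BANK_CHANGE_HOLD_DAYS = 14      # constructed: hold window after a bank-detail change


@dataclass
class VendorRecord:
    """Bank details on file for a payee, plus when they last changed."""
    account: str
    changed_on: date
    change_verified: bool = False  # set only after a callback to a known contact


@dataclass
class PaymentRequest:
    vendor_id: str
    account: str          # account the request wants to pay
    amount: float
    requested_by: str
    approvals: list = field(default_factory=list)


def evaluate_payment(req, vendors, today):
    """Return ('RELEASE', []) or ('HOLD', [reasons]) for one outbound wire."""
    reasons = []
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return "HOLD", ["payee not in vendor master"]

    # Control 1: dual authorization. The requester cannot approve their own
    # payment, and the two approvers must be distinct people.
    if req.amount >= DUAL_AUTH_THRESHOLD:
        approvers = {a for a in req.approvals if a != req.requested_by}
        if len(approvers) < 2:
            reasons.append("dual authorization not satisfied")

    # Control 2: bank-instruction verification. Paying an account that is not
    # on file, or one that changed recently without an out-of-band callback,
    # is the authorized-but-deceived pattern and is held regardless of approvals.
    if req.account != vendor.account:
        reasons.append("requested account differs from vendor master")
    elif (today - vendor.changed_on).days < BANK_CHANGE_HOLD_DAYS and not vendor.change_verified:
        reasons.append("recent bank change not verified by callback")

    return ("HOLD", reasons) if reasons else ("RELEASE", [])


def confirm_bank_change(vendor, phone_on_file_matches):
    """Record an out-of-band callback. Only a call to the number already on
    file (never one supplied in the change request itself) counts."""
    if phone_on_file_matches:
        vendor.change_verified = True
    return vendor.change_verified


def run_sample():
    """Constructed scenarios; dates, ids and amounts are illustrative only."""
    today = date(2026, 3, 10)
    vendors = {
        "V100": VendorRecord("ACCT-111", date(2025, 1, 10), change_verified=True),
        # V200 'updated' its bank details by email five days ago
        "V200": VendorRecord("ACCT-999", date(2026, 3, 5)),
    }
    legit = PaymentRequest("V100", "ACCT-111", 25_000, "alice", ["bob", "carol"])
    bec = PaymentRequest("V200", "ACCT-999", 40_000, "alice", ["bob", "carol"])
    mismatch = PaymentRequest("V100", "ACCT-555", 8_000, "alice")
    self_approval = PaymentRequest("V100", "ACCT-111", 25_000, "alice", ["alice", "bob"])

    results = {
        "legit": evaluate_payment(legit, vendors, today),
        "bec_new_account": evaluate_payment(bec, vendors, today),
        "mismatch": evaluate_payment(mismatch, vendors, today),
        "self_approval": evaluate_payment(self_approval, vendors, today),
    }
    # A callback to the vendor's previously known number confirms the change
    confirm_bank_change(vendors["V200"], phone_on_file_matches=True)
    results["after_callback"] = evaluate_payment(bec, vendors, today)
    return results


if __name__ == "__main__":
    for name, (decision, reasons) in run_sample().items():
        print(f"{name:16s} {decision:8s} {'; '.join(reasons)}")
```

The fully approved wire to the freshly changed account is held until the callback succeeds, which is the control a social-engineering endorsement will typically expect to see in place.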

General Liability and Property: The Operational Foundation

General Liability

Commercial General Liability insurance is the anchor for third-party bodily injury, property damage, and personal and advertising injury exposures. It also sits behind most vendor and counterparty contract requirements — a certificate of insurance request almost always specifies GL. A standard public company structure starts with a $1 million per-occurrence primary policy, with umbrella and excess layers added based on industry, product exposure, and contractual requirements.

3M Combat Arms earplug MDL:  Mass tort litigation demonstrates most vividly why GL towers need to be sized seriously. 3M reached a roughly $6 billion resolution framework to settle approximately 250,000 lawsuits alleging that its military earplugs were defective and caused hearing damage. The company's SEC filings documented the settlement structure and stated intent to pursue insurance recoveries. [11] The convergence of product liability at scale, bankruptcy strategy, and insurance collections shows why the total amount of GL capacity matters — and so does its architecture across primary, umbrella, and excess layers.

The broader GL market has been reshaped by what underwriters call social inflation: rising jury verdicts, expanding theories of liability, and litigation funding that makes smaller cases economically viable to pursue. The NAIC's 2024 industry analysis showed the U.S. P&C combined ratio around 101 in 2024, meaning the industry paid out more in losses and expenses than it collected in premium — a dynamic that drives pricing and capacity decisions at renewal across all liability lines. [12]

Property and Business Interruption

Property insurance covers physical assets, and — more importantly for most boards — the revenue and earnings impact when those assets are unavailable. Business Interruption and Extra Expense coverages answer the question that matters most: how long could the company be down, and what does it cost in lost revenue and incremental expense while it recovers? Sizing those limits requires analysis of maximum probable downtime periods, supply chain dependencies, and contractual obligations to customers during a disruption.

The Merck/NotPetya case is directly relevant here: when a 2017 cyberattack caused extensive operational disruption at Merck, the company pursued recovery through its property policies, not just its cyber coverage. The 2023 New Jersey Appellate Court ruling confirmed that cyber-caused losses can fall in the property tower when the policy language allows it. [9] That creates a program design question every public company should resolve deliberately: where does cyber-caused business interruption sit, and are the property and cyber policies coordinated to cover that exposure without duplication or gap?

Professional Liability (E&O) and Fiduciary Liability

Errors & Omissions (E&O)

E&O insurance covers claims alleging failure in professional services — where a client or customer suffers financial loss and attributes it to the company's error, omission, or negligence. For technology companies and service businesses, E&O and cyber coverage increasingly overlap: a software outage or service failure can generate both a network-interruption claim under cyber and a service-failure claim under E&O, and allocation between the two policies at claim time can become a major source of friction if they were not designed together.

CrowdStrike, July 2024:  CrowdStrike's faulty software update in July 2024 caused widespread operational failures across airlines, hospitals, financial firms, and others globally. The incident produced a securities class action from shareholders alleging they were misled about software reliability (a D&O claim), alongside customer and business loss claims sitting at the E&O and cyber business interruption boundary. [13] The case has become a standard reference in technology company policy reviews for why the E&O and cyber boundary needs to be explicitly addressed — not assumed — at each policy placement.

Fiduciary Liability

Fiduciary liability insurance covers alleged breaches of ERISA fiduciary duty — the obligation to manage employee benefit plans (401(k), pension, health) in the exclusive interest of plan participants. The most common claims are excessive fee cases (a 401(k) charged higher fees than comparable alternatives available in the market) and imprudent investment selection. These are class actions by nature, can involve the full plan's asset history, and often settle for meaningful sums relative to the size of the employer.

The Department of Labor's ERISA enforcement arm, EBSA, reported recoveries of $1.384 billion in FY2024 and approximately $1.4 billion in FY2025 — a consistent level of enforcement pressure that reflects how actively the DOL and plaintiffs' bar pursue these claims. [14] One important boundary: ERISA also requires a separate fidelity bond to protect plan assets from fraud and theft by plan officials. This is a statutory minimum compliance requirement — it is distinct from fiduciary liability insurance, and it is not optional.

How the Program Fits Together

The most important insight about public company insurance is that the policies don't operate independently. They interact constantly, and the interactions matter most in exactly the scenarios that are hardest to anticipate. Three structural principles tend to determine whether a program performs when needed:

The management liability suite works as a coordinated whole — or it doesn't work well.  D&O, EPL, and Fiduciary are designed to complement each other: D&O employment exclusions push employment claims to EPL; ERISA exclusions push benefit plan claims to Fiduciary. If those towers are sized inconsistently, or if their retentions don't align with each policy's actual claim frequency and severity, the gaps only become visible when a claim is already in progress.

Cyber loss can land in multiple policies.  The Merck and T-Mobile cases both show cyber events generating claims across multiple policy lines — property, cyber, and potentially D&O from the disclosure obligation alone. Silent cyber — ambiguous language in non-cyber policies about whether cyber-caused losses are covered — should be resolved explicitly at renewal. The question 'which policy responds?' should never have to be answered for the first time after a major incident.

The claims-made vs. occurrence distinction has real dollar consequences.  D&O, EPL, Fiduciary, Cyber, and E&O are typically claims-made policies — coverage is determined by when the claim is made and reported, not when the underlying event occurred. GL and property are typically occurrence-based. A limit that was cut at the last renewal to reduce premium may be the limit that responds to a claim developing from conduct that was already in motion when that decision was made.

The right question for boards and CFOs is not: 'what is the most efficient program that checks all the boxes?' It is: 'if the scenario our General Counsel worries about most actually happens, does our program respond — and at what limits?' Working backward from that scenario is the most reliable way to identify gaps that routine coverage summaries tend to obscure.

A Final Word on Program Design

Public company insurance programs are often built incrementally: a D&O policy added at IPO, a cyber endorsement tacked on when the underwriter required it, an umbrella that hasn't been restructured since the last major acquisition. The result reflects the history of purchasing decisions rather than the company's actual risk architecture today.

The cases in this article — Meta's $190 million Cambridge Analytica derivative settlement, Boeing's $237.5 million safety oversight settlement, Merck's multi-year battle over NotPetya losses, T-Mobile's $350 million breach settlement, and CrowdStrike's outage triggering D&O, E&O, and cyber claims simultaneously — share a common structure: each one involved multiple policies at once, significant legal uncertainty about which policy responded, and outcomes shaped by decisions made long before the event occurred. Those scenarios reward programs designed with intentionality and penalize ones assembled reactively.

Whether you are reviewing your program ahead of an IPO, a significant acquisition, or an annual renewal, the disciplines that most consistently make a difference are: designing the management liability suite as a coordinated whole; pressure-testing cyber coverage against your worst-case scenario rather than the average incident; and confirming that property and business interruption limits reflect current replacement costs and actual income exposure. We help with all of it.


Sources and References

[1]  Cornerstone Research and Stanford Law School Securities Class Action Clearinghouse, Securities Class Action Filings — 2025 Year in Review (January 28, 2026). 207 total filings in 2025 vs. 226 in 2024; DDL Index $694B (all-time record) vs. $429B in 2024; core filings 201. https://www.cornerstone.com/insights/press-releases/overall-size-of-securities-class-action-filings-reached-new-heights-in-2025/

[2]  Cornerstone Research, Securities Class Action Settlements — 2024 Review and Analysis (March 26, 2025) and 2025 Review and Analysis (February 2026). 2023 average $48.7M; 2023 median $15.4M (13-year high); 2015–2023 average $50.7M; 2015–2023 median $11.3M; 2024 average $42.4M; 2024 median $14M (88 settlements); 2025 median $17.3M (highest since 1997); median time to settlement 3.3–3.7 years across 2023–2025. https://www.cornerstone.com/insights/reports/securities-class-action-settlements/

[3]  Reuters / Insurance Journal, Meta Settles Cambridge Analytica-Related Claims for $190 Million (November 20, 2025). Settlement paid entirely by D&O insurance; second-largest Caremark oversight settlement in Delaware Chancery Court history; governance reforms on privacy oversight, insider trading, and whistleblower protections included. Case: Facebook Derivative Litigation, 2018-0307, Del. Ch. https://www.insurancejournal.com/news/national/2025/11/26/849021.htm

[4]  Delaware Court of Chancery, In re The Boeing Company Derivative Litigation (C.A. No. 2019-0907-MTZ). $237.5M D&O-funded settlement; final approval March 22, 2022; largest-ever Caremark cash settlement in Delaware at time of approval. https://www.dandodiary.com/2021/11/articles/shareholders-derivative-litigation/boeing-air-crash-derivative-lawsuit-settles-for-237-5-million/

[5]  U.S. District Court, order denying motions to dismiss in SVB Financial Group securities litigation (June 13, 2025). Federal Reserve Board, Review of the Federal Reserve's Supervision and Regulation of Silicon Valley Bank (April 2023). https://www.federalreserve.gov/publications/files/svb-review-20230428.pdf

[6]  U.S. Equal Employment Opportunity Commission, FY2024 Annual Performance Report (January 17, 2025). 88,531 new charges in FY2024 (up 9.2% from FY2023's 81,055); nearly $700M in monetary relief for over 21,000 individuals — highest recovery in agency's recent history. https://www.eeoc.gov/2024-annual-performance-report

[7]  NAIC, Cybersecurity Insurance Report, 2025 edition (covering 2019–2024 data). U.S. cyber direct written premium: $2.25B (2019) to $7.08B (2024). https://content.naic.org/sites/default/files/insurance-topics-cyber-insurance-report.pdf

[8]  T-Mobile US, Inc., Annual Reports on Form 10-K (FY2022 and FY2023). August 2021 breach; approximately 76.6M individuals affected; $350M class settlement final approval June 29, 2023; $150M incremental security commitments; insurance reimbursements separately disclosed. https://investor.t-mobile.com/sec-filings

[9]  Superior Court of New Jersey, Appellate Division, Merck & Co. v. ACE American Insurance Co. et al. (Opinion affirmed May 1, 2023). War/hostile action exclusion held inapplicable to bar property coverage for NotPetya cyberattack losses at non-military company. https://www.dandodiary.com/2023/05/articles/cyber-liability/merck-wins-notpetya-insurance-coverage-appeal/

[10]  FBI Internet Crime Complaint Center (IC3), 2024 Internet Crime Report (April 23, 2025). BEC reported losses: $2.74B (2022), $2.95B (2023), $2.77B (2024); complaints above 21,000 annually; cumulative 2022–2024 BEC losses nearly $8.5B. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[11]  3M Company, Form 8-K (July 26, 2023) and related SEC filings. Approximately $6B Combat Arms Earplug MDL resolution framework; approximately 250,000 lawsuits; stated intent to pursue insurance recoveries. https://investor.3m.com/sec-filings

[12]  NAIC, U.S. Property & Casualty Insurance Industry — 2024 Full Year Results. U.S. P&C combined ratio approximately 101 in 2024; liability and umbrella lines affected by social inflation trends. https://content.naic.org/sites/default/files/research-actuarial-us-pc-qrtly.pdf

[13]  Reuters, CrowdStrike faces investor lawsuit over massive software outage (August 7, 2024); U.S. District Court securities litigation ongoing through 2025–2026. July 2024 faulty update caused global operational disruptions; parallel customer loss claims in E&O/cyber context. https://www.reuters.com/technology/crowdstrike-faces-investor-lawsuit-over-massive-software-outage-2024-08-07/

[14]  U.S. Department of Labor, Employee Benefits Security Administration (EBSA), FY2024 Enforcement Fact Sheet and FY2025 highlights. ERISA-related recoveries: $1.384B (FY2024); approximately $1.4B (FY2025). https://www.dol.gov/agencies/ebsa/about-ebsa/our-activities/resource-center/fact-sheets
