Corporate Governance · Risk Strategy

The unhedgeable board: Personal liability in an age of uninsurable risk

The architecture of modern board service was built on one foundational assumption — that risk could be layered, priced, and ultimately transferred. That assumption is breaking down. Most directors haven't internalized it yet.

Alex Kruzel · December 2025 · Telesto Insight
Corporate governance and director liability

There is a conversation I find myself having with increasing regularity with board members across industries, geographies, and ownership structures. It goes something like this: they have reviewed their D&O policy, confirmed their indemnification agreement, maybe even checked their cyber insurance. They believe they are protected. Then I start asking questions — and the confidence begins to erode.

The question is never whether the policy exists. The question is whether it covers what you actually think it covers — and whether the risk environment you're operating in today was remotely anticipated when those protections were written. In most cases, the answer to both is no.

We have arrived at a remarkable and underappreciated inflection point in corporate governance. The traditional instruments of risk transfer — insurance, hedging vehicles, contractual indemnification — are facing structural limits precisely when the underlying risks are becoming structurally larger. This is not a temporary softening in one market. It is a multi-vector contraction of private sector risk tolerance, happening simultaneously across cyber, physical property, and geopolitical exposure. And it is landing squarely on the personal balance sheets of individual directors.

$137B: Global insured weather-related catastrophe losses, 2024 — 40% above ten-year average
$11.2B: US cyber insurance market premiums written in 2024, with coverage gaps expanding faster than premium growth
+52%: Rise in Chapter 11 filings, 2023 to 2024 — indemnification void in insolvency
610K: California FAIR Plan policies — up from 140K in 2018 as private insurers withdraw

I — The myth of risk transfer at the board level

For the better part of three decades, the governance framework for senior corporate leaders has been built around a deceptively elegant idea: that personal liability risk is manageable through layered insurance programs. Directors & Officers coverage, supplemented by indemnification agreements, cyber policies, and political risk insurance, was supposed to create a protective architecture that converted existential personal exposure into manageable, priced, and transferred risk.

The architecture is cracking — and the cracks are not evenly distributed. They are deepest exactly where company risk is greatest: in technology-intensive operations, in globally distributed businesses operating in politically volatile environments, and in asset-heavy enterprises with significant coastal or high-weather-risk real estate.

The most consequential problem I encounter is not that directors lack protection. It is that they believe they have more protection than they actually do. The gap between perceived coverage and actual coverage is not a minor technical matter. It is the difference between a board member who walks into a meeting understanding their personal exposure and one who discovers it in discovery.

II — Three converging failures of risk transfer

What is unusual about this moment — and what makes it genuinely different from prior cycles of insurance market hardening — is that the contraction is happening across three structurally distinct risk categories simultaneously. Each would be concerning on its own. Together, they are rewriting the baseline assumptions of corporate risk management in ways that most boards have not yet confronted.

Cyber insurance's exclusion proliferation. The cyber insurance market is nominally soft. Premiums have declined modestly. But the coverage landscape tells a different story. Insurers are systematically narrowing what they will cover through exclusion clauses that have become broader and more consequential with each renewal cycle. State-sponsored cyberattacks — now among the most common vectors against corporate infrastructure — are explicitly excluded from most policies, with "war exclusion" language interpreted broadly enough to capture any event with a plausible nation-state connection. The 2024 CrowdStrike outage, which affected over 8.5 million Microsoft systems globally, illustrated the "systemic risk" category that insurers are now racing to exclude.

The more insidious problem is the gap between D&O and cyber coverage. Many D&O policies contain broad cyber exclusion clauses. Many cyber policies contain securities exclusions. The result is a zone of unallocated risk: decisions made by boards during or in response to a cybersecurity incident may be covered by neither. I regularly sit with boards that have purchased both products and believe the combination provides comprehensive protection. The fine print tells a different story.

Physical property and climate-driven uninsurability. This is no longer a future projection. It is present-tense commercial reality. In 2024, globally insured weather-related losses reached $137 billion — 40% above the ten-year average. The California FAIR Plan — the state's insurer of last resort — now covers over 610,000 policies, up from 140,000 in 2018. State Farm and Allstate have withdrawn from California's high-risk markets entirely. Major carriers have followed in Florida, Louisiana, and parts of the Gulf Coast. What is emerging is a new asset category: properties that are not merely expensive to insure, but commercially uninsurable in the private market.

Political risk and geopolitical exposure. The Strait of Hormuz is the most vivid current example of a broader phenomenon I have been tracking for several years. Following escalations involving the US, Israel, and Iran, major maritime insurers suspended or catastrophically repriced war-risk coverage for ships transiting the Persian Gulf. The Lloyd's Market Association designated the entire Persian Gulf a high-risk area, triggering mandatory additional premiums and policy cancellations. The Trump administration was compelled to direct the US Development Finance Corporation to establish a $40 billion reinsurance facility to backstop what private markets would not cover.

The lesson for corporate boards extends well beyond shipping. When geopolitical risk escalates to the level of active conflict, the private insurance market does not simply become expensive — it exits. Companies with supply chains, manufacturing operations, or commercial interests in geopolitically volatile regions are running on the implicit assumption that government backstops will materialize if private markets fail. That assumption has no contractual basis and should not be treated as a governance tool.

The protection gap: Where insurance fails corporate directors

Data reflects 2025 market conditions.

Most cyber policies apply a "war exclusion" to state-sponsored attacks. The attribution problem makes this exceptionally broad — insurers can invoke the clause whenever a nation-state nexus is plausible, even without proof. The 2024 CrowdStrike outage illustrates how quickly this exclusion activates at scale.

D&O / Cyber Gap · 78% cyber carve-outs
A majority of D&O policies now include broad cyber exclusion language — meaning any board decision made in the context of a cyber incident may fall outside coverage. Cyber policies simultaneously contain securities exclusions, creating a liability gap for directors that neither product covers.

Coastal Property · 67% carrier withdrawal
Major carriers have withdrawn from California, Florida, Louisiana, and Gulf Coast markets. The California FAIR Plan has grown 335% since 2018. Companies with undisclosed asset concentrations in these regions face fiduciary exposure.

P&I clubs including Gard, Skuld, and NorthStandard issued cancellation notices for the Persian Gulf with 48 hours' notice. War-risk premiums surged from 0.15% to over 5% of hull value. The DFC had to create a $40 billion backstop. Private markets exited entirely.

Insolvency Gap · Indemnification void · 85%
Chapter 11 filings rose 52% from 2023 to 2024. In insolvency, corporate indemnification of directors is legally prohibited. Side A D&O becomes the only protection. 85% of directors on boards of companies that subsequently file for bankruptcy face personal exposure not covered by indemnification.

Sources: Swiss Re, Munich Re, NAIC, Lloyd's · 2025

III — Which boards face the most acute exposure

One of the most useful frameworks I have developed working across PE-backed portfolio companies and public corporation boards is a simple risk multiplier: the more a business exhibits certain structural characteristics, the more exposed its directors are to the specific failure modes described above. The four multipliers are: global operational footprint, capital intensity, workforce scale, and technology dependency. A company that scores high on all four is operating in territory where traditional risk transfer tools are simultaneously failing.

Energy & Utilities
Energy Infrastructure & Midstream
Geopolitical · Cyber · Climate · Regulatory
● Highest Exposure
Gulf and LNG supply chain exposure means war-risk coverage may evaporate with 48 hours' notice. Critical infrastructure is a primary target of state-sponsored cyber operations explicitly excluded from most policies. Board question: Has your company modeled operations without insurance backstop in a Gulf conflict scenario?

Financial Services
Private Credit, Banking & FinTech
Cyber · Regulatory · Geopolitical · AI Liability
● Highest Exposure
The D&O / cyber coverage gap is most acute here. AI-related securities class action filings doubled from 2023 to 2024. FCA and SEC enforcement of disclosure obligations is intensifying. Board question: Does your D&O policy explicitly address AI-driven decisions?

Manufacturing & Supply Chain
Global Manufacturing
Geopolitical · Cyber · Supply Chain · Climate
● Highest Exposure
Supply chain cyber attacks via third-party vendors create attribution problems that void most policies. Operations in regions with poor governance infrastructure face political risk for which private coverage is thinning. Board question: What percentage of your supply chain operates in regions your political risk insurer would exclude today?

Real Estate & Infrastructure
Commercial Real Estate & Logistics
Climate · Property · Cyber · Valuation
◐ Elevated Exposure
Coastal and wildfire-zone real estate is entering commercial uninsurability. Portfolio companies carrying real estate acquired before climate-driven uninsurability became market reality may be overvalued. Board question: Does your most recent asset valuation incorporate climate-driven insurance unavailability over a 10-year hold?

Healthcare & Life Sciences
Healthcare Systems & MedTech
Cyber · Regulatory · AI Liability · Employment
◐ Elevated Exposure
Healthcare is the most targeted sector for ransomware. AI-driven clinical decision tools are creating new personal liability vectors for directors. Employment practices claims remain the leading source of D&O losses. Board question: Has your board formally approved an AI governance framework — and documented that approval?

Technology & Software
Enterprise Tech & SaaS
Cyber · AI Liability · Regulatory · Securities
◐ Elevated Exposure
AI-related securities filings doubled year-on-year in 2024. The CrowdStrike outage created estimated insured losses of $300M–$1B — illustrating systemic risk that insurers now explicitly exclude. Board question: Is your company's AI deployment documented at the board level in a way that would withstand securities litigation scrutiny?

Consumer & Retail
Consumer Brands
Supply Chain · Geopolitical · Cyber · Climate
○ Monitoring Required
Exposure is indirect but growing. Sourcing from geopolitically volatile regions creates supply chain disruption risk that political risk insurance may not cover. Directors should be stress-testing supply chain insurance assumptions against current political risk market conditions.

Industrials
Heavy Industry & Chemicals
Climate · Environmental · Cyber · Workforce
○ Monitoring Required
Environmental liability exposure is growing as climate events trigger chemical releases. OT/IT convergence creates cyber-physical risk where traditional cyber policies exclude bodily injury — and general liability policies exclude cyber perils. The gap is expanding.

Education & Nonprofits
Mission-Driven Organizations
D&O Coverage · Employment · Funding · Cyber
○ Monitoring Required
The nonprofit D&O market shows the most deterioration: carriers are actively reducing coverage limits. Bankruptcy risk at a 14-year high means personal indemnification protection is most vulnerable. Federal funding disruptions in 2025 are accelerating organizational stress precisely as coverage is narrowing.

Telesto synthesis · Swiss Re · Munich Re · NAIC · SEC filings · 2025

Director liability across the PE investment lifecycle

Deal Origination & DD: 3 risk vectors
Close & Board Formation: 4 risk vectors
100-Day Plan: 3 risk vectors
Value Creation: 5 risk vectors
Stress / Restructuring: 6 risk vectors
Exit Preparation: 4 risk vectors

Deal Origination & Due Diligence: What PE Firms Are Not Asking

Questions for the Investment Committee | What We Find in Practice
Has the target's existing D&O program been stress-tested against current cyber and climate exclusion language? | Most DD processes review insurance certificates, not policy language. The exclusion fine print is rarely examined until a claim is made.
Does the target have physical assets in geographies where property insurance is thinning or withdrawing? | Climate uninsurability is not typically modeled in asset valuations. It affects exit multiples and debt covenants in ways not yet priced.
What is the company's supply chain political risk exposure? | Supply chain mapping rarely identifies second- and third-tier supplier exposure in geopolitically volatile regions.

Close & Board Formation: Getting the Governance Architecture Right

Personal Liability Priorities at Close | The Non-Obvious Risks
Ensure D&O Side A coverage is in place separately from entity coverage before the first board meeting. | PE-appointed directors may face conflicts that void indemnification protections.
Review indemnification agreement enforceability in the jurisdiction of incorporation, including insolvency scenarios. | Fund-level D&O coverage may not extend to portfolio company board service.
Understand whether existing insurance programs carry the exclusions described in this analysis. | The cyber / D&O gap is particularly acute for newly formed boards that inherit legacy policy language.

100-Day Plan: Embedding Risk Governance Into Value Creation

What the 100-Day Plan Should Include | Why It Matters for Director Liability
Map physical assets against climate-driven insurance availability projections over the hold period. | Climate uninsurability that develops mid-hold creates a valuation and disclosure question directors must demonstrate they anticipated.
Commission a full insurance program gap analysis across all major risk vectors. | Most portfolio company management teams assume coverage is comprehensive. The gap analysis routinely surfaces material exposures.
Establish board-level documentation protocols for AI deployment, cybersecurity, and geopolitical risk. | Documentation is the primary defense in D&O litigation. Boards that cannot demonstrate deliberate oversight are personally exposed.

Value Creation: Managing Personal Exposure Through Transformation

High-Risk Strategic Decisions | Director Liability Considerations
Geographic expansion into emerging markets or politically volatile regions | Political risk insurance for new markets must be reviewed against current coverage availability — not assumed from prior experience.
Technology platform upgrades or AI integration at scale | Board-level approval and documentation of AI governance frameworks is becoming a securities litigation standard.
Acquisition of assets in high-risk climate zones | Post-acquisition, the board inherits both the physical risk and the fiduciary responsibility.
Workforce restructuring in multi-jurisdiction operations | Employment practices liability remains the leading D&O loss driver.
Leveraged capital structure decisions | As Chapter 11 filings rise, directors of highly leveraged portfolio companies should not conflate entity protection with personal protection.

Stress & Restructuring: When the Protections Disappear

What Changes in Distress | The Personal Exposure That Emerges
Corporate indemnification becomes legally void in bankruptcy for claims involving negligence or breach of duty. | Side A D&O is now the only protection. Directors who treated entity indemnification as their primary backstop discover the gap at the worst moment.
Creditors and shareholders become adversarial stakeholders with aligned incentives to pursue personal claims. | Claims will be constructed around the decisions that led to distress. Board documentation becomes the primary evidentiary battleground.
Insurers may dispute coverage for distress-related D&O claims on "prior knowledge" exclusion grounds. | If board minutes show directors were informed of material risks, insurers will argue prior knowledge voids coverage.

Exit Preparation: The Disclosure Exposure PE Firms Most Often Miss

Exit-Specific Liability Vectors | What Buyers Are Now Examining
Disclosure of insurance program gaps in the sale process — particularly climate uninsurability and cyber coverage holes. | Sophisticated buyers are routinely reviewing policy language, not just certificates. Material gaps discovered post-close become indemnification claims.
Representation and warranty insurance limitations in volatile geographies. | RWI underwriters are increasingly excluding coverage for geopolitical risks and climate-driven asset impairment.
Board documentation quality for AI, cyber, and ESG decisions made during the hold period. | The quality of board-level documentation is becoming a direct input to exit valuation and D&O tail coverage.

IV — The questions I cannot stop asking

Part of what makes this moment so interesting — and so difficult — is that the most consequential questions are genuinely unresolved. The governance literature has not caught up with the insurance market's structural shift. These are the questions I keep returning to in my work — and that I believe every board member with significant global, technology, or asset exposure should be asking right now.

Open Questions in Director Liability

What keeps me thinking — and what should keep every board member thinking.

01. At what point does a board's failure to explicitly address insurance coverage gaps — rather than simply assume coverage — constitute a breach of its oversight duty? The SEC has begun treating cybersecurity as a disclosure obligation. Is uninsurability next?

02. When the government becomes the insurer of last resort — as happened with the DFC and Strait of Hormuz coverage — does that implicitly change the standard of care expected of boards that relied on the prior private market?

03. For privately held companies, where disclosure obligations are lower and governance practices more variable, is the personal liability risk for directors actually higher than for their public company counterparts?

04. As climate-driven uninsurability spreads, will fiduciary duty claims against boards that approved real estate acquisitions in high-risk zones become as common as the post-financial-crisis wave of risk oversight litigation?

05. The D&O market is nominally soft. But if the coverage is soft while the risk is hardening — more exclusions, broader carve-outs — does lower premium actually reflect greater personal risk, not less? Are directors reading the signal backwards?

06. As AI-driven decisions made by algorithms the board approved but cannot fully explain become the subject of securities litigation, what does "informed oversight" actually mean? Can a board credibly claim it exercised oversight of a system it did not understand?

V — Governing what cannot be transferred

I do not pretend to have resolved these questions. But I can offer a framework for how I would want my clients — and any board I advise — to approach them. The principles are straightforward, even if the execution is not.

First, stop assuming coverage. Commission an independent, line-by-line analysis of your D&O, cyber, property, and political risk insurance against the specific exclusions and coverage gaps described in this analysis. Do not rely on certificates or broker summaries. Read the policies. Stress-test them against realistic scenarios.

Second, separate personal protection from entity protection. Directors — particularly those serving on boards of leveraged, PE-backed, or financially stressed companies — should ensure that Side A D&O coverage, personal indemnification, and advancement provisions are in place, reviewed, and adequate. The protections that matter most are those that survive when the company cannot or will not indemnify.

Third, document governance deliberately. Board minutes, committee reports, and resolution records are the primary evidentiary record in D&O litigation. They are also the primary basis for insurer coverage determinations. If your board considered a cyber risk, a climate exposure, or an AI governance question — document that it was discussed, what information was reviewed, and what decisions were made. The absence of documentation creates a presumption of absence of oversight.

"The companies that navigate this landscape well will not be those that spend the most on insurance. They will be those whose boards govern with enough sophistication to understand what insurance actually covers — and enough integrity to act on what it doesn't."

We are entering an era in which the personal liability exposure of corporate directors is genuinely structural — not cyclical, not temporary, not manageable through the traditional toolkit alone. The risks are real, they are growing, and they are landing on individual balance sheets in ways that the governance architecture of the prior era was not designed to handle.

The question for every director is no longer "am I covered?" It is: "do I understand what I am not covered for — and am I governing accordingly?"

That is the conversation I am most interested in having.

About the Author
Alex Kruzel

CEO & Founder, Telesto. Alex advises corporate boards, management teams, and private equity sponsors on geopolitical risk, operational resilience, and sustainability strategy across the US and globally. She is the author of The Courage to Continue: Stay the Course on Sustainability to Secure Our Future.

For advisory engagement or speaking inquiries, visit alex-kruzel.com or telestostrategy.com.

Alex Kruzel
CEO & Founder, Telesto · Board Director · Author

Sources: Swiss Re (2025), Munich Re (2025), NAIC (2025), Lloyd's of London, California FAIR Plan, SEC, US Development Finance Corporation, US Bankruptcy Courts, Reuters. All data points cited from publicly available industry research and regulatory disclosures.