1. 1. In the legal Llano Estacado[1] of D&O liability, recourse for fines and D&O insurance

The question of whether companies can take recourse against the responsible board members for fines imposed on them in accordance with Section 43 GmbHG, Section 93 AktG is controversial, is not uniformly decided by the courts[2], was the subject of our blog post of 14 August 2023[3], is now before the German Federal Supreme Court (Bundesgerichtshof [BGH])[4] and is currently also occupying the legislator in the field of cyber security[5]. In addition, liability issues regularly give rise to questions regarding insurance cover. This also applies to recourse for fines: liability and coverage are intertwined. In the case of recourse for fines, some coverage issues are still unresolved. However, they are of great importance for the parties involved. A recent judgment of the Regional Court of Frankfurt addresses some of these coverage issues.[6] Specifically, the Regional Court ruled (1) on the procedural requirements for an action for declaratory judgment by the insured manager against the D&O insurer, (2) on the admissibility of D&O insurance against recourse for fines and (3) on the conditions under which insurance cover for "knowing" breaches of duty is typically excluded under the D&O insurance terms and conditions. In addition to these signposts, as mentioned above, the legislator is also getting involved in the discussion on recourse for fines as part of the planned implementation of the EU's NIS 2 Directive. The guideposts resulting from all of this are important for D&O practice and will be outlined and commented on below.

1. 2. The paradigmatic facts before the Frankfurt Regional Court

A company participated in information exchanges with competitors, which the FCO punished as an intentional antitrust violation with fines against the manager (member of the management board of an AG) and against the company. The company then took legal recourse against the manager before the Düsseldorf Regional Court (liability proceedings). The Düsseldorf Regional Court partially upheld the recourse, while the Higher Regional Court denied it. [7] While the proceedings before the Higher Regional Court were still pending, the board member demanded cover from the D&O insurer, on the one hand under the D&O insurance policy that the company had taken out and on the other hand under the insurance policy against the deductible that the board member had also taken out with the same insurer.

According to the insurance conditions, the insurance cover did "not extend to contractual penalties, fines and monetary penalties" of the insured manager. However, insurance cover was expressly provided for "compensation of a punitive nature and for recourse claims of the insured companies against insured persons due to contractual penalties, fines and monetary penalties imposed on insured companies, if and to the extent that their inclusion in the insurance cover is not prohibited by law".

The insurer refused cover on the one hand because the board member had knowingly breached his duties. The fact that he was aware of the existence of the duty and its breach could be inferred from a number of indications, in particular the training and experience of the board member and the duration of the cartel infringement. Secondly, recourse to fines was "not insurable" due to a breach of good practice. The board member argued that he had not knowingly breached any duties. All participants in the information exchanges had assumed that they were permissible under antitrust law. He had found these exchanges when he took office and had never been made aware of the risk of a breach of antitrust law by the Management Board member responsible for legal matters. The head of the legal department had also seen no indications of a violation of antitrust law and had not pointed out any possible violation.

The proceedings and the arguments of the parties involved are typical of such conflicts, as are the clauses in the D&O insurance conditions quoted above. The judgment is therefore particularly interesting.

1. 3. Manager may file advance coverage action against insurer

The Regional Court first confirms the possibility of a declaratory action (Feststellungsklage) by the manager against the insurer if the insurer refuses cover and the liability has not yet been finally decided ("advance coverage action"). The aim of such proceedings is to establish that the insurer must grant insurance cover in respect of a "precisely defined" liability claim. In principle, the insured manager cannot bring an action for performance because the insurer can choose between indemnifying claims and defending against them and cannot be denied this right to choose. According to the Regional Court, this only changes once the existence of the liability claim has been legally established by final judment.[8] Then an action for performance is possible and necessary. However, this must also be put into perspective, as the Regional Court states with regard to the action for declaratory judgment concerning the insurance of the board member against his deductible: According to the Regional Court, there is basically no interest in a declaratory judgment if a plaintiff could achieve the same goal with an action for performance. However, according to the BGH, even if an action for performance is possible, an action for a declaratory judgment remains admissible if, from the point of view of procedural economy, a meaningful and appropriate settlement of the issues that have arisen can be expected because it is to be expected that the debtor will also comply with a declaratory judgment. This is regularly the case with insurers as debtors. [9]

1. 4. Permissibility of D&O – insurance against fine recourse liability

If the possibility of recourse against managers for fines is denied, the question of D&O cover becomes superfluous. If, on the other hand, recourse is affirmed, the question arises as to the possibility of coverage by D&O insurance. Most legal authors havepointed out that such cover cannot be denied with reference to § 138 of the German Civil Code (Bürgerliches Gesetzbucht [BGB]). [10] It is true that insuring one's own risks of fines is said to violate the meaning and purpose of the relevant statutory sanctions. ^[11] In the present case, however, it is a matter of covering the board member's recourse liability for the fine. However, it has also been disputed in the literature that the recourse for fines constitutes pecuniary losses within the meaning of D&O insurance, as the payment (indirectly) serves the purpose of prevention. ^[12] In contrast, the Regional Court of Frankfurt follows the prevailing opinion and does not see a breach of Section 138 BGB. This is because the D&O insurance is not an own-damage cover of the insured company, but a "third-party liability insurance" because the company insures the liability of the management board as the insured person towards its own company. Furthermore, the fine constitutes a financial loss and there are no compelling objections to a claim for compensation. This is because the original sanction remains with the company and takes effect there first, while the recourse is only undertaken subsequently and with an uncertain outcome. [13] These considerations of the Regional Court must apply all the more in the case of insurance conditions such as those in dispute, which, as quoted above, not only cover "financial losses", but also "compensation of a punitive nature and for recourse claims of the insured companies against insured persons due to contractual penalties, fines and monetary penalties imposed on insured companies, if and insofar as their inclusion in the insurance cover does not conflict with any statutory prohibition".[14] With reference to Thomas[15], the LG further argues that the recourse claim is not a sanction imposed by public order, but that the fine in the liability relationship loses its fine character and becomes a "normal" financial loss liability of the board member. The following should be added: Corporate fines are also intended to absorb the profits that the offense has generated for the company (cf. § 17 para. 4 of the Act against Misdemeanors (Gesetz gegen Ordnungswidrigkeiten [OWiG]) ^[16]. However, this does not argue against recourse. Under liability law, the principles of equalization of benefits apply in the case of recourse for fines, so that the company does not retain any pecuniary benefits from the offence. [17] Any advantage gained reduces the damage, and this inevitably also applies to the insurance cover because the cover follows the liability. ^[18]

1. 5. Conclusions from the draft act on the implementation of the Cyber Security Directive

In the draft implementation of EU Directive 2022/2555 of 14.12.2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) [19], the legislator also classifies corporate fines as recoverable financial losses:

The NIS 2 Directive requirements to improve cyber security at public and private "entities" that operate critical IT infrastructure. The directive by no means only concerns the responsibilities and working methods of national authorities, but is a comprehensive codification of cybersecurity in the EU member states. It also encroaches on the competencies and areas of responsibility of the managers of the companies and authorities covered ("institutions"). It also stipulates, as is common practice with EU directives, in its Art. 40 that the Member States must also adopt provisions on sanctions to be imposed in the event of breaches of the relevant requirements and that these sanctions must be "effective, proportionate and dissuasive". On the basis of such common requirements, the member states primarily provide for corporate fines, and it is these corporate fines that give rise to the questions of recourse to fines against the responsible managers.

However, the NIS 2 Directive goes beyond these standard requirements. It also addresses the management bodies' own responsibility[20]: According to Article 20(1) of the Directive, Member States must ensure that the management bodies of significant and important entities "approve the cybersecurity risk management measures taken, monitor their implementation and can be held liable for breaches of this Article by the entities concerned".[21] According to Article 32(6) of the Directive, Member States must ensure that the relevant managers are "empowered to ensure that the entity complies with this Directive" and "can be held liable[22] for breaches of their obligations to ensure compliance with this Directive". Although public administration bodies are privileged throughout, "liability privileges under national law" (such as Section 839 of the German Civil Code) remain unaffected for them. Private companies do not benefit from such privileges.

The Federal Ministry of the Interior's draft bill of 03.07.2023 for an "Act implementing the NIS-2 Directive and regulating the essential principles of information security management in the federal administration"[23] ("BSIG-E") picks up the ball of the Directive in a remarkable way: According to § 38 para. 1 BSIG-E, directors of so-called "important" and "particularly important" institutions are obliged to "approve the cybersecurity risk management measures taken by these institutions to comply with [the BSIG] and monitor their implementation". The commissioning of a third party to fulfill the obligations ... is not permitted". The wording gives the impression that the measures in question are developed and installed at the working level of the company (with or without cooperation with the competent authorities) and that the management may not oppose them. The unfortunate wording does not change the fact that the essential issues of cybersecurity must be accompanied, decided and monitored by the management under company law. Section 38 (2) BSIG-E is relevant here, according to which managing directors who violate their duties "in accordance with paragraph 1 ... are liable to the institution for the damage caused." (Directors in the public administration sector are excluded). According to Section 38 (3) BSIG-E, a waiver of claims for compensation by the institution or a settlement thereof is ineffective, unless there is an insolvency situation. The German legislator is thus not only ignoring the recital (128) of the Directive mentioned in footnote 20, but is also making the requirement of personal liability of directors in accordance with Art. 20 para. 1, Art. 32 para. 6 of the Directive particularly strict. It is significant for the discussion on recourse to fines that, according to the explanatory memorandum to § 38 para. 2, "[t]he concept of damage ... includes both recourse claims and claims for fines". If this stroke of the pen of the BSIG-E becomes law, the legislator would thereby recognize that a fine is indeed a sanction, but - as stated by the Regional Court of Frankfurt - represents a financial loss for recourse purposes, which must ultimately be borne by the responsible party. The BSIG-E proves that, from a legislative point of view, the objections against the recourse to fines (tailoring the fine to the company, etc.) [24] do not prevail. From the author's point of view, however, this brings the constitutional and EU law aspects to the foreground. [25] The German legislator cannot dispose of these in the BSIG either

1. 6. Prerequisites for "knowing" breaches of duty

Finally, of considerable practical importance are the statements with which the Regional Court denies the knowing breach of duty of the board member and the relevant exclusion of cover of the insurance conditions:

The LG first repeats the general understanding according to which the concept of a knowing breach of duty presupposes a breach of duty with positive knowledge of the existing obligation; conditional intent, where the insured person only considers the obligation to be possible, is just as insufficient as negligent ignorance.[26] If the insured person is mistaken about a legal obligation or its content in the sense of a factual or legal error, he or she lacks the necessary awareness of a breach of duty. [27] In this case, the insurer must prove the awareness, namely by circumstantial evidence, as these are internal circumstances. [28] According to the Regional Court of Frankfurt, the insurer must present corresponding connecting facts for this purpose. This only does not apply if there is no breach of elementary professional duties (cardinal duties), the knowledge of which can be assumed for every professional according to life experience. [29] In the case of such cardinal duties, it is sufficient, according to the Regional Court, if the insurer first presents facts which at least indicate that the insured person was aware of the breach of duty. The Regional Court classifies the duty of legality in the cartel sector as a fundamental professional duty, but not in areas where the legal situation is too complex. In this sense, the Regional Court considers the area of information exchange to be too complex. Irrespective of this, the board member had "demonstrated sufficient circumstances" to prevent the conclusion that the breach of duty was knowingly committed. Here, the court essentially refers to the fact that the person concerned was already aware of the information exchanges when he joined the company and that these were not questioned by anyone, that he was not a lawyer and not responsible for legal issues, and that the in-house lawyer had not pointed out the problem, the in-house lawyer only became aware of the antitrust problems of the information exchanges at a late stage, and an external legal opinion - obtained at a late stage - came to the conclusion that "by and large" the company's conduct complied with antitrust law. Therefore, the court affirmed a legal error and denied knowledge in the sense of the insurance conditions.

1. 7. Summary

The Regional Court of Frankfurt sets guiding principles (1) on the admissibility of the anticipated coverage proceedings by declaratory action of the insured manager, (2) on the admissibility of D&O insurances against recourse against fines as well as on recourse against fines as such and (3) on the conditions under which the exclusion of coverage due to "knowing" breaches of duty applies. All three areas are important in practice. The statements of the Regional Court of Frankfurt are convincing and continue the discussion. As far as the controversial question of recourse to fines is concerned, it is necessary to await the decision of the Federal Court of Justice in the proceedings pending there on this question on the one hand and the further development of § 38 BISG-E with the implementation of the NIS-2 Directive on the other.

[1] The Llano Estacao (Staked Plains) is a dry plateau on the border between New Mexico and Texas. Due to a mistranslation of the name, Karl May was misled in "Among Vultures" into believing that stakes had been placed there as signposts. According to May, robbers, so-called "stakemen", moved the stakes in order to mislead travelers, cause them to die of thirst and rob them. In contrast, the stakes of the Frankfurt Regional Court appear reliable.

[2] Overview by Reuter, Der Bußgeldregreß gegen Manager aus verfassungs- und EU-rechtlicher Sicht, CCZ 2023, 289, 290 ff.

[3] https://www.reutercomplianceblog.com/artikel/neues-zum-bussgeldregress-lg-dortmund-bejaht-olg-duesseldorf-verneint-den-regress-wegen-gwb-unternehmensbussen-gegen-das/; in more detail Reuter, Der Bußgeldregreß gegen Manager aus verfassungs- und EU-rechtlicher Sicht, CCZ 2023, 289 ff.

[4] In more detail, Der Bußgeldregreß gegen Manager aus verfassungs- und EU-rechtlicher Sicht, CCZ 2023, 289 ff.

[5] See item V infra.

[6] LG Frankfurt am Main, Urt. v. 20.01.2023, Az. 2-08 O 313/20.

[7] More notes in Reuter, Der Bußgeldregreß gegen Manager aus verfassungs- und EU-rechtlicher Sicht, CCZ 2023, 289, 291 f.

[8] Armbrüster, r + s 2010, 441, 447.

[9] BGH, Urt. vom 15.03.2006, Az.: IV ZR 4/05, para. 19 m. w. N..

[10] Thomas, NZG 2015, 1409, 1416 f.; Reuter, Unternehmensgeldbußen, Organregress, Grenzen der Versicherbarkeit und Gesellschaftsrecht: eine systemische Verletzung der Grundrechte der Anteilseigner? BB 2016, 1283, 1286 und 1288.

[11] Hauger/Palzer, ZGR 2015, 33, 64; Thomas, NZG 2015, 1409, 1416 f.; Reuter, Unternehmensgeldbußen, Organregress, Grenzen der Versicherbarkeit und Gesellschaftsrecht: eine systemische Verletzung der Grundrechte der Anteilseigner? BB 2016, 1283, 1286 und 1288, wohl auch Lange, D&O-Versicherung und Managerhaftung, 2. Auf 2022, § 8, para. 24; a. M. Koch, Liber Amicorum für M. Winter, S. 327, 331; Kaulich, Die Haftung von Vorstandsmitgliedern einer Aktiengesellschaft für Rechtsanwendungsfehler, Diss. 2012, S. 316.

[12] Gruber/Mitterlechner/Wax, D&O-Versicherung mit internationalen Bezügen, 2012, § 7, para. 8; m. w. N. bei Lenz, in: van Bühren (Hrsg.), Handbuch Versicherungsrecht, 6. Aufl. 2015, § 25, para. 62.

[13] The court refers to Mitterlechner/Wax/Witsch, D&O-Versicherung, 2. Auflage 2019, § 7 para. 16; Bayer/Scholz, GmbHR, 2015, 449.

[14] See Reuter, Unternehmensgeldbußen, Organregress, Grenzen der Versicherbarkeit und Gesellschaftsrecht: eine systemische Verletzung der Grundrechte der Anteilseigner? BB 2016, 1283, 1286 und 1288.

[15] Thomas NZG 2015, 1409, 1416.

[16] Lenz, in: van Bühren (Hrsg.), Handbuch Versicherungsrecht, 6. Aufl. 2015, § 25, para. 58, m. w. N., siehe zum abschöpfenden Charakter einer Geldbuße der Kommission auch BFH, Entscheidung v. 7. Dezember 2022 – I R 15/19.

[17] As for the criticism regarding the practice of confiscation of profits, see Reuter, Unternehmensbußen – ein verfassungsrechtlicher Holzweg, ZIP 2018, 2298, 2300.

[18] In more detail Reuter, BB 2016, 1283, 1288. In the case of fines for violations of antitrust law, antitrust damages actions lasting several years regularly follow the fine decision, in which the amount of the damage and thus the amount of the advantage gained is disputed. Only after these actions have been concluded can it be determined whether and to what extent an advantage will remain with the company.

[19] Further development of the (firs) NIS-Directive of 2016 („EU-Richtlinie über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen in der Union“).

[20] In the French version: „puissent être tenus responsable“; in the English version: „can be held liable“.

[21] In the French version: „puissent être tenus responsable“; in the English version: „can be held liable“.

[22] In the French version: „puissent être tenues responsables“; in der englischen Fassung: „Member States shall ensure that it is possible to hold such natural persons liable“.

[23] https://intrapol.org/wp-content/uploads/2023/07/230703_BMI_RefE_NIS2UmsuCG.pdf.

[24] Overview in Reuter, Der Bußgeldregreß gegen Manager aus verfassungs- und EU-rechtlicher Sicht, CCZ 2023, 289, 290 ff.

[25] Ibid., p. 293 ff.

[26] Instead of all Prölss/Martin/Voit, 31. Aufl. 2021, AVB D&O Abs. A_7 A-7, Abs. A_7_1 para. 2.

[27] Mitterlechner/Wax/Witsch, D&O-Versicherung, 2. Auflage, 2019, § 7 para. 6.

[28] Prölss/Martin/Voit, 31. Aufl. 2021, AVB D&O Abs. A_7 A-7, Abs. A_7_1 para. 4.

[29] BGH r+s 2015, 133; OLG Köln r+s 2012, 172 = VersR 2012, 560; BGH r+s 2015, 133 para. 20.