C-Suite’s Rising Legal Exposure Demands Stronger Safeguards

Courts, regulators, enforcers, and plaintiffs’ counsel used to clearly distinguish between entity-level and individual responsibility. But emerging theories of corporate officer liability are eroding that long-standing separation.

Recent developments in Delaware and federal enforcement policy signal a heightened risk of personal civil and criminal exposure for executives under both state fiduciary duty doctrines and federal fraud and control-person statutes.

Given these changes, as well as the rise of novel exposure points, companies should establish or review safeguards designed to prevent misconduct and create defensible documentation of oversight.

Delaware Litigation

In the landmark In re McDonald’s Corp. Stockholder Derivative Litigation, the Delaware Court of Chancery dramatically extended executive civil legal exposure. The court held that corporate officers (not just board members) owe Caremark-style oversight duties within their respective spheres of responsibility.

For executives, the implications are significant. Failing to act on credible warning signs regarding compliance, workplace conduct, or operational risks can trigger personal derivative liability, even absent direct participation in wrongdoing.

Post-McDonald’s cases have begun applying this reasoning to a range of C-suite positions. For example, in July, the court in Hizkiyev & Barak v. Kaseya, Inc. cited McDonald’s Corp. in concluding that officers and key managerial employees owe the same fiduciary duties as directors.

The broadening of executive legal exposure likely will extend to jurisdictions beyond Delaware, particularly as aggressive plaintiffs’ firms test the boundaries of officer oversight obligations.

Federal Enforcement’s Focus

At the federal level, the Department of Justice continues to make individual accountability a central pillar of its enforcement strategy. This has remained as true during the Biden administration as is in the Trump administration.

For example, federal enforcement officials have linked individual accountability to incentives for self-reporting and cooperation. Biden-era DOJ leadership emphasized that companies seeking cooperation credit must identify all individuals involved in misconduct, regardless of position. They also warned that executives who obstructed or ignored internal warnings could face personal exposure even if their company ultimately avoided prosecution.

These policies have continued under the Trump administration. The June 9 Foreign Corrupt Practice Act guidelines put individual accountability at the center of the DOJ’s enforcement policy.

Similarly, the Criminal Division’s corporate enforcement and voluntary self-disclosure policy and guidance on coordinating corporate resolution penalties in parallel criminal, civil, regulatory, and administrative proceedings—citing Justice Manual 1-12.000—remain focused on holding accountable individuals who are considered most responsible for “corporate malfeasance.”

The Securities and Exchange Commission likewise continues to invoke Section 20(a) control-person liability and the books-and-records provisions to pursue CFOs, controllers, and compliance officers who “caused” inaccurate disclosures or internal control failures. This approach reflects the broader trend toward holding senior leaders responsible not just for what they knew, but for what they purportedly should have known.

Collectively, these developments mark a paradigm shift from corporate to personal culpability.

New Risk Areas

The emerging risk landscape extends beyond traditional financial controls. Enforcers, regulators, and private plaintiffs in the US, Europe, and elsewhere are increasingly targeting environmental, social, and governance disclosures; forced-labor compliance; and artificial intelligence governance as new areas where executives face personal legal exposure.

For example, false or overstated ESG commitments, whether in sustainability reports or SEC filings, can underpin securities fraud or consumer-protection claims. Executives responsible for ESG reporting or data-management programs could be held liable for misrepresentations or for failing to implement adequate oversight mechanisms.

Similarly, supply-chain transparency laws such as the German Supply Chain Due Diligence Act and the US Uyghur Forced Labor Prevention Act have created new obligations that can implicate officers when compliance systems are deficient.

AI-related risks follow the same trajectory. As companies deploy AI tools in decision-making, hiring, and risk assessment, regulators and enforcers are warning that executives can’t delegate accountability to algorithms.

In short, the scope of what constitutes “oversight” has broadened dramatically, requiring senior leaders to anticipate nontraditional risk domains previously viewed as peripheral to their fiduciary duties.

Practical Implications

To navigate this shifting environment, companies and their leadership teams should prioritize structural and procedural safeguards that both prevent misconduct and create defensible documentation of good-faith oversight. Key steps to consider include:

• Clarify role definition. Delineate the responsibilities of operational, risk, and compliance executives to reduce role ambiguity and overlapping accountability.
• Formalize governance protocols. Establish and document escalation procedures for compliance issues, ensuring that red flags are tracked and resolved at the appropriate managerial level.
• Review directors-and-officers insurance coverage. Confirm that Side A/B/C policies extend to officer-level oversight and regulatory claims, and that indemnification provisions remain robust.
• Preserve privilege during investigations. Coordinate with outside counsel to structure internal investigations in ways that protect attorney-client privilege while demonstrating diligence to stakeholders and ensuring the integrity of investigative findings.
• Document training and oversight. Regularly train senior management on fiduciary and compliance obligations, maintaining contemporaneous records that evidence proactive oversight.

Companies should also reassess their executive onboarding and certification processes, ensuring that officers acknowledge their oversight duties and understand the personal consequences of noncompliance. A well-crafted governance memo or certification statement can help memorialize these expectations and support defense arguments in derivative or regulatory proceedings.

Outlook

The convergence of Delaware fiduciary duty expansion and intensified federal enforcement and regulatory oversight signals a new era of personal accountability, both civilly and criminally. The once-clear gap between entity level, board member, and individual executive liability is narrowing.

Emerging domains such as ESG, supply-chain transparency, and AI oversight have created novel exposure points that require cross-functional awareness. Effective oversight is no longer just good governance; it is personal risk mitigation. Demonstrating a credible, well-documented culture of compliance can mean the difference between defending a more diffuse corporate decision and defending oneself in court.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

T. Markus Funk, a former federal prosecutor and conflict-deployed State Department lawyer, is a partner in White & Case’s litigation and white collar practice.

Carolyn Pelling Gurland, a former assistant district attorney in New York, is a partner in White & Case’s litigation and white collar practice.

Any views expressed in this publication are strictly those of the authors and should not be attributed in any way to White & Case.

Write for Us: Author Guidelines