Your D&O Policy Is Not the Safety Net You Think It Is
Directors & Officers insurance was built for civil disputes, not for criminal prosecution. When conduct is charged as a willful violation, whether by the DOJ, a state attorney general, or in a parallel SEC action, the protections most executives assume they have don't just shrink. They reverse. The policy that paid your defense can become a personal debt the day you're convicted or sign a plea.
Few executives know this: if you are found guilty, or accept a plea, most D&O policies give the carrier a contractual right to claw back every dollar it advanced for your defense. Federal defense bills routinely cross $4 million. That money is not forgiven. It becomes a personal debt, due at the worst possible moment, and you should not count on bankruptcy to discharge it.
Why Your D&O Insurance Policy Will Probably Not Save You
A candid look at federal conviction rates, the recoupment trap, and the $15.45M personal exposure scenario every C-suite executive should understand.
Executive Briefing
Three Realities Your Broker Never Walked You Through
If you are a CEO, CTO, or CISO, you carry risks that quietly belong to you personally — not to the company, not to the board, and not to your insurance carrier. The three realities below are drawn directly from DOJ enforcement data and the standard language of modern executive liability policies. Most executives don't learn them until a subpoena arrives, and by then the most important decisions about their personal exposure have already been made for them.
Reality #1
The DOJ Files Cases It Already Expects to Win
Federal prosecutors do not gamble. By the time an Assistant U.S. Attorney brings charges, the investigation has typically been quiet, years-long, and thoroughly documented. That is why the overall federal conviction rate runs between 90 and 95 percent, and why the DOJ's Fraud Section reports 235 convictions from 265 individuals charged in 2025 alone. Roughly 90 percent of federal defendants plead guilty rather than face trial, not from weakness but from arithmetic: the Sentencing Guidelines grant a two- or three-level reduction for acceptance of responsibility that, in practice, is available only to defendants who plead, and plea agreements commonly drop counts on top of that. By the time charges hit your desk, your realistic options have already narrowed to two: accept a negotiated outcome, or roll the dice against an opponent that wins more than nine times out of ten.
Reality #2
The C-Suite Is Now the Primary Target
For most of the last two decades, corporate prosecution meant prosecuting the corporation. That era is over. The DOJ has made individual accountability an explicit enforcement priority, and the charging data backs it up. In closely-held organizations — where the line between “the company decided” and “a person decided” is short — top management is now convicted in roughly 51 percent of cases.
The 2022 federal conviction of Joseph Sullivan, Uber's former Chief Security Officer, made the new reality unmistakable. A jury convicted him of obstructing an FTC investigation and of misprision of a felony for concealing a 2016 breach while the FTC was already examining Uber's security practices. Sullivan didn't write malware. He didn't steal data. He made decisions about disclosure, and those decisions became a federal conviction. The message reached every security officer in the country: your title does not insulate you. Your decisions define your exposure.
Reality #3
Your D&O Policy Becomes a Loan the Moment You're Convicted
This is the part that few executives understand, and it is the most expensive misunderstanding in the C-suite.
When criminal charges are filed, your D&O policy will likely begin paying your defense bills. Lawyers, expert witnesses, investigators, forensic analysis, trial preparation. In a complex federal case those bills routinely cross seven figures, and in high-profile matters they exceed $4 million before trial even begins. This is called advancement of expenses, and at first it feels like the system is working exactly as promised.
Here is the clause almost no one reads: advancement is not the same thing as payment. It is a conditional loan. Most modern D&O policies contain a “fraud,” “dishonesty,” or “illegal acts” exclusion, and the better forms condition it on a final, non-appealable adjudication of willful or criminal conduct in the underlying proceeding. The moment that finding is entered, whether by guilty plea or jury verdict, the exclusion reaches back to everything the carrier already paid, and the policy's repayment clause gives the insurer the right to recoup every dollar it advanced toward your defense.
“Read that twice. The money that paid your defense team becomes a debt you personally owe, due upon conviction. It is not forgiven, and you should not plan on bankruptcy to discharge it.”
It is a personal obligation tied directly to your criminal judgment. Whether it survives bankruptcy is governed by the Bankruptcy Code, not by the policy, and carriers litigate that question; plan on owing it. The insurance that felt like protection turns, in the worst case, into a loan with a repayment trigger that fires at the exact moment of maximum financial distress.
The Math of a Single Willful Violation Conviction
Below is an illustrative scenario of personal financial exposure for an executive convicted of a willful violation in a significant healthcare or data privacy case. The figures are assumptions chosen to be in line with DOJ enforcement patterns, federal sentencing data, and standard D&O policy language, not the numbers from any single case. Note that the first row is a memo line: the carrier pays it during the case, and the same money reappears as the recoupment claim in the fourth row. The total is the sum of the three rows the executive actually owes personally; no insurance absorbs any of them.
| Exposure Item | Amount |
|---|---|
| Defense costs advanced by D&O carrier over 3 years (memo: paid by the carrier, not added to the total) | $4,200,000 |
| Criminal fine imposed at sentencing | $2,500,000 |
| Court-ordered restitution to victims / government programs | $8,750,000 |
| D&O recoupment claim (clawback of the advanced defense funds) | $4,200,000 |
| Total Personal Financial Exposure (fine + restitution + recoupment) | $15,450,000 |
For scale: under the civil False Claims Act, healthcare fraud liability is three times the government's damages plus a per-claim penalty, and that civil exposure sits on top of any criminal fine. State privacy regulators have imposed eight-figure penalties for breaches tied to willful security failures. Securities and financial fraud cases regularly produce individual fines and disgorgement in the tens of millions. The defense-cost figure is conservative for a three-year federal prosecution.
What D&O Covers — and What It Quietly Excludes
Standard Directors & Officers policies are written for civil litigation, not criminal prosecution. The moment a regulator classifies conduct as willful or criminal, the protections most executives assume they have evaporate.
Criminal Conduct Exclusion
Every modern D&O policy excludes coverage for intentional criminal acts. Criminal willfulness generally means knowing that a specific legal duty exists and choosing to violate it, so the danger zone is documented knowledge of an obligation plus a documented decision not to act. Awareness of a risk such as the Harvest-Now-Decrypt-Later (HNDL) threat, the quantum threat, a compliance gap, or a known vulnerability is not a crime in itself; it becomes the knowledge element of one when a regulation requires you to address that risk and the record shows you declined.
Willful or Deliberate Acts
When a regulator demonstrates that an executive had actual knowledge of an obligation and the risk behind it, such as a published Q-Day planning timeline, the finalized NIST PQC standards (FIPS 203, 204 and 205), or a documented compliance escalation, and chose inaction, that inaction is charged as a willful violation. Explicitly excluded.
Criminal Fines & Statutory Penalties
D&O insurance does not cover criminal fines, court-ordered penalties, or restitution. Not partially. Not under special circumstances. The policy's definition of covered Loss carves them out, and public policy in most states bars insuring against the punitive consequences of proven criminal conduct even where a policy is silent.
Personal Restitution Orders
Federal and most state courts routinely order convicted executives to personally repay victims of data breaches, fraud, or regulatory violations. State regulations raise the stakes further, because you can face all 50 states at once. By this site's tally (the State Penalties page under Reg Compliance maps four regulations across the 50 states), imprisonment is an available criminal penalty for C-suite executives in 37 states for AI regulations, 39 states for healthcare regulations, and 21 states for privacy regulations, and most of those provisions took effect January 1, 2026. The site's 16-page PDF collects reported criminal penalties, restitution orders, and prison sentences imposed on doctors, business owners, and C-suite executives. Restitution orders come directly out of personal assets: homes, retirement accounts, investment portfolios. D&O does not absorb them.
Defense Cost Recoupment
The clause almost no executive reads: defense costs advanced by the carrier are conditional. Upon a final adjudication of willful or criminal conduct, the insurer's recoupment right activates and the advanced funds become a personal debt. No policy can make a debt non-dischargeable on its own; whether it survives bankruptcy is governed by the Bankruptcy Code, and carriers litigate that question. Plan on owing it.
Shareholder Derivative Suits
Standard D&O does cover civil shareholder suits for breach of fiduciary duty — but only if the underlying conduct was not intentional. A board that ignored documented compliance or cybersecurity risks may lose this protection too, exposing directors personally under the Caremark standard.
“I Delegated It” Will Not Save You
Every executive's instinct, faced with this kind of risk, is to reach for delegation. You have a Chief Compliance Officer. You have a General Counsel. You have outside auditors and a risk committee. Surely their sign-off transfers the risk away from you.
It does not.
The willful violation standard does not require that you personally executed the prohibited act. It requires that you knew of a specific legal obligation (or deliberately avoided learning of it), that you had the authority to cause the organization to comply, and that you chose not to. For a sitting CEO, CTO, or CISO, the authority element is rarely in doubt. The fight is over knowledge, and knowledge is proven with documents.
What's left is the evidence. And that evidence increasingly lives in electronic form: emails to the board, Slack messages to compliance, quarterly risk reports, memos from outside counsel, minutes of executive committee meetings. Prosecutors rarely need a confession anymore. They rely on a documented trail — electronic, thorough, time-stamped, and preserved — showing that an executive was aware of a risk and failed to act.
Here's the critical reversal every CEO and board member should understand:
When a CTO or CISO formally notifies the CEO and Board of Directors of a technical inability to meet a critical obligation (regulatory compliance, the Harvest-Now-Decrypt-Later threat, an unpatched vulnerability), the knowledge element is on the record for the CEO and Board as well. It does not take the CTO or CISO off the hook, as the Sullivan case shows, but from that moment forward inaction by the CEO or Board can itself be charged as a willful violation.
Awareness, once established in writing, does not disappear. A prudent CTO or CISO copies the General Counsel on that notice so that it is preserved and so that counsel is on record as having received it.
This site reads the post-quantum roadmaps published by Microsoft, IBM, and Google as converging on 2029 as Q-Day, the point by which RSA and elliptic-curve public-key cryptography should no longer be trusted, and calls it the “Mother of all Regulatory Nightmares”; the PQC+™ and HNDL page explains why. Note that symmetric ciphers such as AES are not broken by a quantum computer; it is the public-key algorithms behind key exchange and signatures that fail. Do you realize that you are probably liable under all 50 states' regulations? Most state privacy and health-data laws apply based on where your patient or client resides, not where your head office sits; the Reg Compliance page covers the details.
This is why every compliance escalation that lands on an executive's desk should be treated as a legal notice. Awareness is the precondition of willfulness. How you respond once you're aware decides whether that awareness becomes your defense — or the centerpiece of the indictment.
The Legal Doctrines Prosecutors Use to Convert Inaction Into Criminal Liability
Prosecutors and regulators don't have to invent new theories. They use established legal frameworks — frameworks that convert ordinary cybersecurity and compliance failures into criminal exposure, and trigger D&O exclusions in the process.
Willful Blindness Doctrine
Transforms negligence into criminal intent
Courts hold that deliberately avoiding knowledge of a known risk is legally equivalent to actual knowledge. An executive who fails to investigate a published threat — after warnings from NSA, CISA, NIST, or peer institutions — cannot later claim ignorance as a defense.
Park Doctrine
CEO liability without personal involvement
The Supreme Court, in United States v. Park (1975), held that a corporate officer can be held criminally liable for a regulatory violation by virtue of his authority and responsibility to prevent it, without proof that he personally committed the underlying act. The caveat a practitioner should know: Park is a Food, Drug, and Cosmetic Act case, and the responsible-corporate-officer doctrine is applied to public-welfare statutes of that kind, typically as a misdemeanor. It is a narrower tool than the willful violation and willful blindness theories above.
Learned Hand Formula
Inaction becomes hard to defend as reasonable
From United States v. Carroll Towing (1947), a tort case: a party is negligent when the burden of a precaution (B) is less than the probability of harm (P) times its severity (L). It is a civil negligence test, not a criminal standard, but regulators and courts apply the same reasonableness logic when judging whether a security program was adequate. With Q-Day timelines published, NIST PQC standards finalized, and migration costs documented, B is known and P times L is large, which leaves little room to call inaction reasonable.
Caremark Standard
Board-level fiduciary exposure
Directors owe a fiduciary duty to oversee material corporate risks in good faith. Under Caremark (Delaware, 1996) and Marchand v. Barnhill (2019), a board that has no reasonable reporting system for a mission-critical risk, or that consciously ignores red flags such as documented PQC, compliance, or breach warnings, faces personal liability in shareholder derivative actions.
Four Actions Every C-Suite Executive Should Take Now
By the time a subpoena or target letter arrives, the most important decisions about your personal exposure have already been made. Remediation at that point is damage control, not protection. The four actions below should be treated as ongoing executive hygiene — not a one-time legal project.
Commission an independent personal review of your D&O policy.
Retain independent coverage counsel, not your corporate broker, to walk through the recoupment provisions, the exact language of the conduct exclusion, the trigger for "final adjudication," and the definition of "insured person." Two details decide most coverage fights: whether the exclusion is triggered only by a final, non-appealable adjudication in the underlying proceeding or by any finding "in fact," and whether the severability clause keeps one officer's misconduct from being imputed to the others. CISOs in particular: get written confirmation that your specific role is covered.
Separate your personal exposure from the company's.
Ask your General Counsel a different question than you normally ask. Not "what is the company's risk," but "what is my personal criminal exposure in my current role." The answers are usually different. Sometimes very different.
Document your responses to every compliance escalation.
When a risk is flagged to you, your written response becomes your defense or the prosecution's exhibit. Ambiguity reads as willful disregard. Clarity reads as due care: state what you decided, why, who owns the remediation, and by when. Where the obligation names a standard, deploy technology certified against it (for example, an implementation validated against the finalized NIST PQC standards where a regulation requires one); courts and regulators treat documented, certified deployment as material evidence of reasonable care.
Consider individually-held Side A DIC coverage.
Side A Difference-in-Conditions coverage is a supplemental layer, held for the individuals rather than the company, that pays when corporate indemnification isn't available because the company is insolvent or refuses. It is typically non-rescindable and carries narrower exclusions than the primary tower. It does not solve the criminal-fine problem, and whether it reduces recoupment risk depends on the form: some Side A policies omit the repayment clause or narrow the conduct exclusion, and coverage counsel should check. For executives in high-exposure roles, it is worth pricing.
The Only Defense That Works Is the One That Prevents the Charge From Attaching
Because D&O insurance cannot cover criminal exposure — and can actually amplify personal financial loss through recoupment — the rational strategy is not better insurance. It is preventing criminal liability from attaching in the first place.
Charges become far less likely. Documented compliance, certified PQC deployment, and board-level oversight evidence give prosecutors no clear path to a willful disregard theory.
If charges do attach, penalties drop materially. Courts and regulators treat documented good-faith remediation as substantial mitigation at sentencing.
The Bottom Line
The DOJ convicts at rates above 90 percent. Its Fraud Section is structurally focused on individual executives. The willful violation standard is designed to reach decisions made at your level. And the D&O policy that feels like protection is, in a criminal conviction scenario, a defense-funding loan with an activation trigger at the worst possible moment, one that never covers fines, penalties, or restitution.
This is not a pessimistic forecast. It is the operating reality reflected in the DOJ's own enforcement data and the standard language of the insurance industry.
The executives who navigate this landscape well are not the ones who trust their coverage. They are the ones who read it, stress-test it, and make decisions today assuming it may not hold — and who deploy the documented, certified compliance that gives them a real defense.
The safety net is narrower than the marketing suggests. Plan accordingly.
This page is intended for informational and educational purposes only and does not constitute legal, financial, or insurance advice. Executives should consult qualified counsel and experts regarding their specific circumstances, policy terms, and jurisdiction.
Data sources: DOJ Fraud Section 2025 Year in Review; DOJ Criminal Division public reports; Alston & Bird LLP DOJ Analysis (Feb. 2026); Arnold & Porter / AFS Law DOJ Fraud Section Takeaways (2025); Wiley Law DOJ Year-in-Review Alert (2025); U.S. Sentencing Commission Annual Report (2024); Transactional Records Access Clearinghouse (TRAC); NACD Director Essentials on D&O Insurance; Harvard Law School Forum on Corporate Governance.

