Board Member Personal Liability: How to Manage Your Risk

Directors across for-profit corporations, nonprofits, and regulated industries are being named personally in lawsuits at a rising rate. Securities class action filings reached 225 in 2024, up from 208 just two years prior — and that's only the publicly reported slice of director exposure. Employment claims, donor suits, and regulatory actions against individual board members don't make those tallies.

Many directors assume their board seat comes with automatic personal protection. That assumption is partly correct — but the protection is conditional. It breaks down in specific, predictable situations, most of which are avoidable.

This article covers what actually creates personal liability exposure, which legal protections apply and when they fail, and the concrete steps board members can take before and during service to protect themselves.


TL;DR

  • Board members can be held personally liable, but protections hold for directors who act in good faith, stay informed, and document their reasoning.
  • The business judgment rule is your primary legal shield; it requires evidence of a sound process, not just good intentions.
  • D&O insurance has limits — understand Sides A, B, and C before shared policy limits run out during your defense.
  • Cyber risk is a direct personal liability trigger, especially under SEC disclosure rules that took effect in 2023 — boards that can't demonstrate informed oversight are exposed.
  • Pre-board due diligence and governance discipline during service are the two areas of exposure you can actually control.

What "Personal Liability" Actually Means for Board Members

Incorporation creates a legal entity separate from its directors. The organization — not individual board members — is generally responsible for debts and judgments. This applies to both for-profit corporations and incorporated nonprofits.

But the corporate shield is not absolute.

When the Shield Breaks Down

Courts may disregard the corporate form entirely when directors cross specific lines. The triggers that expose directors personally include:

  • Fraud or intentional harm — misrepresentation, deliberate concealment, or bad-faith conduct
  • Personal participation in tortious conduct — being the one who actually causes harm, not just being on the board when it happened
  • Commingling personal and organizational funds — a California Supreme Court case (Automotriz del Golfo de California v. Resnick) found liability where individuals supplied funds personally and held assets in their own names
  • Knowingly approving illegal acts — in Miller v. AT&T, the Third Circuit held that the business judgment rule cannot shield directors from decisions that constitute illegal acts
  • Failure to ensure payroll tax deposits — the IRS Trust Fund Recovery Penalty applies to nonprofit board members who qualify as "responsible persons"; the penalty equals the full unpaid trust fund tax balance


The Business Judgment Rule

Courts generally defer to board decisions when directors acted in good faith, were adequately informed, and had no personal conflict of interest. This deference is the business judgment rule — your primary legal defense.

The protection is not automatic. It requires evidence that a reasonable process was followed. Smith v. Van Gorkom is the clearest illustration: Delaware directors lost business judgment protection after approving a major merger in roughly two hours — without adequate valuation information or independent analysis. Good intentions weren't enough.

Who Can Sue a Director Personally

Potential claimants span a wide range of parties:

  • Employees alleging discrimination or wrongful termination
  • Shareholders alleging mismanagement
  • Donors alleging misuse of restricted funds
  • Regulators pursuing enforcement action
  • Third parties harmed by organizational decisions

Cyber incidents extend this list further. The SEC's 2023 cybersecurity disclosure rules require material disclosure of cyber risks and incidents. Boards that misrepresent their cyber risk posture or fail to demonstrate informed oversight face both regulatory and civil exposure.


Before You Agree to Serve: Due Diligence Essentials

A lawsuit can target a board member's personal assets — real estate, savings, and in some states future earned income. Assess your personal exposure before accepting any governance role.

Insurance and Indemnification Review

Request the organization's full insurance portfolio before saying yes. At minimum, review:

  • D&O coverage — Sides A, B, and C (see the Insurance section below for what these mean)
  • Cyber liability — now commonly placed separately from D&O, not bundled as an add-on
  • Employment practices liability (EPL) — covers wrongful termination and discrimination claims
  • Commercial general liability and any relevant environmental or abuse/molestation coverage

Ask specifically about policy limits, exclusions, claims history, and whether limits are shared across the full board.

Also examine the bylaws indemnification clause. A strong clause commits the organization to protect board members from loss arising from their service — but indemnification typically stops at gross negligence, criminal conduct, and fraud.

Pay close attention to timing: some clauses cover defense costs in real time; others only reimburse after final judgment. In expensive litigation, that distinction can determine whether you're funding your own defense out of pocket for years.

Governance Maturity as a Risk Signal

Insurance covers the cost of a loss. Governance quality determines how likely that loss becomes. An organization's governance health is a direct proxy for your personal exposure — look for:

  • Written conflict of interest policy (BoardSource found 96% of nonprofits had one — the absence is a red flag)
  • Whistleblower policy
  • Fiscal management controls and budget approval processes
  • Records retention practices

Organizations serving vulnerable populations — youth, elderly, people with disabilities — and those in regulated industries like healthcare, financial services, and retail carry elevated scrutiny. For these organizations, ask specifically about prior incidents, regulatory actions, and whether the board has received formal governance training in the last two years.


Governing with Discipline: Active Oversight That Limits Exposure

Documentation as Your Legal Defense

When a lawsuit is filed, the first things courts and regulators examine are meeting minutes, written board decisions, conflict disclosures, and audit records. These documents are the evidence of good faith. Without them, directors have little defense even if they acted responsibly.

One specific point most board members miss: abstaining from a vote does not protect you. Under the Model Business Corporation Act, a director present when board action is taken is deemed to have assented unless they formally object or have their dissent entered in the minutes. A documented "no" vote with a stated rationale creates a defensible record. Abstaining does not, and in some governance structures it may be treated as tacit approval.

Treat dissent as a governance tool — courts look for evidence that directors were genuinely engaged, not just present.

Cyber Governance as a Board-Level Responsibility

Delegating cyber risk entirely to IT or management no longer constitutes adequate board oversight. Regulatory expectations under SEC cybersecurity disclosure rules and evolving case precedent now require boards to demonstrate they received, understood, and acted on cyber risk information — not just that management handled it.

The NACD's 2026 Director's Handbook on Cyber-Risk Oversight provides a framework built on six independently validated principles. The WEF's Principles for Board Governance of Cyber Risk similarly emphasizes cybersecurity as a strategic enabler requiring direct board engagement.

What inspectable cyber oversight looks like in practice:

  • Regular briefings focused on risk trend and business impact — not technical noise
  • A stable dashboard showing direction, not vanity metrics
  • Clear escalation thresholds and defined decision rights for incident scenarios
  • Pre-approved decision points for high-pressure situations (ransom demands, disclosure triggers, taking systems offline)
  • Written records of what the board received, discussed, and decided


Tyson Martin structures this type of oversight infrastructure for boards and executive teams: plain-English risk posture briefings, trend dashboards, and documented decision rights designed to hold under regulatory scrutiny.

Cyber governance is one pillar of documented oversight. Conflict of interest disclosure is an equally direct obligation. Undisclosed conflicts surfacing in litigation are among the most direct paths to personal liability. Conduct formal annual disclosures and require real-time disclosure when relevant matters arise.


Insurance Layers Every Board Member Should Understand

D&O coverage is structured in three sides, each with different implications for individual directors:

Coverage Side | What It Does                                                              | When It Matters
Side A        | Pays directors directly when the organization cannot or will not indemnify | Insolvency, regulatory bar on indemnification
Side B        | Reimburses the organization for costs it incurred defending directors    | Most common path in standard litigation
Side C        | Covers the entity itself                                                 | Public companies: primarily securities claims


The shared-limit risk is real. In complex litigation, the entity's own defense costs under Side C can exhaust the policy before individual directors' needs are addressed.

Supplemental Personal Coverage

That shared-limit exposure is exactly why many directors purchase a personal Side A DIC (Difference in Conditions) policy as a secondary layer. This is particularly important when:

  • Organizational D&O limits are thin or shared across a large board
  • The organization's financial stability is uncertain
  • You serve on multiple boards with different coverage profiles

AIG and Chubb both offer products specifically designed to protect directors' personal assets when indemnification or underlying insurance is unavailable or depleted.

Additional Coverage to Verify

These coverages now routinely require separate placement — standard D&O policies no longer reliably include them:

  • Employment practices liability
  • Cyber liability
  • Environmental liability
  • Crime/fidelity coverage
  • Abuse and molestation liability (critical for organizations serving vulnerable populations)

Common Mistakes That Turn Board Service Into Personal Risk

1. Joining without verifying coverage and the indemnification clause. Many board members assume protection exists without reading the policies. Treat insurance verification as a prerequisite, not an afterthought. This is the most common and preventable source of personal exposure.

2. Treating board meetings as ceremonial. Courts look at whether directors were genuinely engaged — and Smith v. Van Gorkom made that standard explicit. Each of the following behaviors undermines the good faith and due care required for business judgment rule protection:

  • Failing to read materials before meetings
  • Not asking substantive questions during discussion
  • Rubber-stamping management decisions without documented review
  • Failing to record dissent in the minutes

If the record doesn't show engagement, the protection doesn't hold.

3. Treating cyber and technology risk as outside the board's scope. Post-SEC disclosure rules and evolving case law make this posture a direct liability. The board's obligation is to receive, engage with, and respond to cyber risk information in a documented way — technical fluency is not the requirement; documented oversight is. Boards that cannot produce that evidence are personally exposed when a significant incident or regulatory inquiry arrives.


Frequently Asked Questions

Can a board of directors be held personally liable?

Yes. Board members can be held personally liable for fraud, intentional harm, commingling funds, knowingly approving illegal acts, and failure to ensure payroll tax deposits. Acting in good faith with documented due care generally protects directors from liability for the organization's general debts or judgments.

What is the business judgment rule and how does it protect board members?

The business judgment rule is a legal doctrine that protects directors from liability for honest mistakes made in good faith, with adequate information, and without personal conflicts. Protection requires evidence of a sound decision-making process — intent without documented process won't hold up, as Smith v. Van Gorkom confirmed.

What does D&O insurance cover and what are its limits?

D&O policies have three components: Side A pays directors directly when the organization can't indemnify them; Side B reimburses the organization for directors' defense costs; Side C covers the entity itself. In complex litigation, shared limits can be exhausted by the entity's defense before individual directors see coverage — review your policy and consider supplemental personal Side A coverage.

Can a board member be held personally liable for a cyberattack?

A cyberattack alone doesn't automatically create personal liability. But failure to exercise informed cyber oversight — particularly under SEC disclosure rules — can expose board members to regulatory action and civil claims if material risk was misrepresented or governance was demonstrably absent.

What should I review before accepting a board position?

Before accepting, review:

  • D&O insurance coverage and policy limits
  • The bylaws indemnification clause
  • The organization's claims history
  • Governance policies (conflict of interest, whistleblower, fiscal controls)
  • Risk profile — especially in regulated industries or organizations serving vulnerable populations

How does voting "no" on the record protect a board member?

A documented "no" vote with a stated reason creates an evidentiary record showing the director did not approve the action in question — critical if that decision later becomes the basis for litigation. Abstaining offers no such protection and courts may treat it as tacit approval.