Misinformation as a Material Risk: Governance, Response, and Insurance Considerations

Misinformation isn’t just a public relations issue—it’s a corporate governance and legal risk that can impact stock prices, trigger regulatory investigations and litigation, and even endanger executives. In this week’s blog, my colleague Lenin Lopez explores how public companies can prepare for the reputational and operational threats posed by misinformation. He also breaks down certain insurance-related considerations, which can help companies navigate this complex and evolving risk. —Priya Huskins

The spread of misinformation goes beyond public relations and poses a real risk to business operations. Whether it's inaccurate information shared on social media, mischaracterizations in mainstream news or podcasts, or disinformation campaigns with malicious intent, the consequences can be swift and severe.

For public companies, the stakes are especially high, including reputational damage, regulatory scrutiny, financial fallout, and even endangering the personal safety of employees and executive leaders. Consequently, executives and boards should strongly consider misinformation as a core enterprise risk.

This article will:

  • Explore the growing threats that misinformation poses to public companies
  • Outline how organizations can prepare for and mitigate misinformation-related risks
  • Examine the important role of directors & officers (D&O) liability insurance and other lines of coverage in supporting misinformation-related risk resilience

Understanding the Misinformation Risk

“Misinformation” and “disinformation” are used interchangeably nowadays, so let’s start there.

While both misinformation and disinformation involve the spread of false information, their origins and intentions differ.

  • Misinformation is false or inexact information that is shared without the intent to deceive, like bloggers mistakenly reporting that a company’s marketing campaign and products are targeting children. More on that specific example later.
  • Disinformation is false information shared deliberately to influence public opinion, deceive, or manipulate. Think a third party launching a smear campaign falsely claiming a biotech company’s new gene therapy is unsafe, aiming to tank the company’s stock price and erode investor confidence.

Misinformation is a threat that has been tracked for some time. Back in 2021, the Pew Research Center issued a report noting that experts were predicting that by 2025, misinformation would be rampant, fueled in part by technological advancements. Skipping to the present, we have a recent report from the World Economic Forum that cites misinformation as the most severe global risk anticipated over the next two years. Like most things these days, AI plays a role, specifically in how generative AI can help to accelerate the development, spread, and weaponization of inaccurate information.

At least for companies, the threat of misinformation versus disinformation may be one of degree, but both could result in significant negative effects. Companies need to consider whether inaccurate information was maliciously created, but whatever the origin, the focus will ultimately be on how best to correct the public record.

With that in mind, let’s dive into a few real-world examples.

Real-World Examples: From Market Fallout to Tragedy and Personal Safety Concerns

The 2023 Target Boycott

In 2023, Target found itself at the center of a social media and political firestorm. In the leadup to Pride Month in June of that year, Target launched a Pride Month collection in its stores. The difference from years past was controversy related to swimwear it was selling that was described as “tuck friendly.” Viral social media posts falsely claimed the swimwear was being marketed to children. It wasn’t. Republican leaders and conservative media outlets made Target a topic of discussion, boycotts followed, and Target’s stock dropped $10 billion in market value in just 10 days. While Target quickly responded and made changes to its in-store displays, about $25 billion in shareholder value was erased over the next six months.

Notably, it wasn’t just the stock price and in-store foot traffic that were impacted. Target reported that threats were made against its workers and issued a statement stating as much.

How did this all start? Was it a case of misinformation or disinformation? It could have started as disinformation. Maybe someone wanted to get more views, clicks, or likes on a post. No matter what the case, as inaccurate information spreads, companies will want to figure out the most effective way to stop it.

The Target case illustrates how fast misinformation can escalate—and how difficult it can be to control the narrative once falsehoods take root.

Read more about the Target case: What You Don’t Disclose Can Hurt You: The Power of Proactive Risk Factor Disclosures

The UnitedHealth CEO Tragedy

The December 2024 murder of UnitedHealthcare CEO Brian Thompson was followed by a wave of conspiracy theories and false narratives online. Some of this misinformation targeted other executives in the healthcare sector, prompting concerns about the potential for misinformation to incite real-world violence. It escalated to the point that the New York Police Department issued a bulletin emphasizing the heightened risks for health care executives.

For UnitedHealth’s part, it first responded to claims regarding its handling of medical claims by issuing several statements in response to false narratives that were pervasive on social media, including this one. It also went a step further by removing executive photos from the company website. Other companies followed suit.

The focus on ensuring leadership safety has continued. A recent report indicated that companies have been increasing their security spending, and expectations are that security spending will continue to rise.

Brian Thompson’s murder and the aftermath underscore the need for a broader understanding of the risks misinformation poses—not just to companies, but to individuals associated with them.

How Public Companies Can Prepare

Misinformation moves faster than corporate approval chains. This is why proactive misinformation response planning should be an imperative, not just a “nice to have.”

What follows are a few steps companies should consider as part of their misinformation preparedness strategy.

  1. Monitor: Adopt Proactive Monitoring Systems to Track Misinformation and Emerging Threats

    The first step to combating misinformation is knowing when it’s happening. Many public companies already monitor news outlets, investor forums, and social media channels. Historically, this has been a way for a company’s investor relations and communications functions to gauge investor, customer, and other stakeholder sentiment.

    Over the years, more companies have been leveraging sophisticated monitoring tools to scour the web, including the dark web, for all information related to the company, employees, and its leadership. These efforts are typically beyond the scope of what can be accomplished in-house, so third-party tools are generally the best way to identify trending narratives and potential threats before they escalate.

    It’s best to have a multifunctional team—including individuals from investor relations, communications, risk management, corporate security, and legal teams—coordinate these monitoring efforts. If possible, companies should consider extending monitoring to track trends specific to their industry and competitors. That extra level of monitoring can potentially identify early warning signs of risks.

    This may raise the following question for some: How much does this all cost? While the cost will vary depending on how robust a monitoring system a company adopts, it may be best to categorize misinformation monitoring as a core risk management function, like cybersecurity threat detection.

  2. Establish Clear Marketing and Social Media Policies

    Many misinformation crises originate—or at least accelerate—on social media. Internal missteps, like poorly received marketing campaigns or unvetted public statements, can trigger public backlash that spirals out of control. Bud Light’s now-infamous partnership with an influencer is one example where backlash from both sides of the cultural divide led to prolonged reputational fallout and declining sales.

    One way to reduce these risks is for companies to implement cross-functional review processes for all major public campaigns and establish clear protocols for employee conduct online. A strong corporate social media policy can clarify what is permissible and what isn’t, minimizing the chance of unintentional missteps and ensuring a coordinated response when crises arise. 

  3. Develop an Incident Response Plan for Misinformation

    Many companies have some form of crisis management plan, like a cybersecurity incident response plan, but plans tailored to account for dealing with significant misinformation-related events are a rarity. They don’t have to be and shouldn’t be. As discussed in a prior article, one of the keys to building and maintaining organizational crisis preparedness and resilience is to establish a dedicated response team, including senior members of management, representatives from legal, investor relations, communications, human resources, and external consultants and advisors. Additionally, for a misinformation-related incident response plan, it’s ideal to have pre-approved communication strategies to respond to false narratives.

    A dedicated tabletop exercise focused solely on misinformation might feel overwhelming for boards and management teams, given the number of other exercises they already handle. However, misinformation could be integrated into an existing tabletop scenario. For example, a cybersecurity tabletop exercise could involve a ransomware attack alongside false claims that customer data was leaked and sold online. Two for the price of one. 

The Role of Insurance: D&O and Beyond

Insurance can play a critical role in mitigating the impact of misinformation-related events, but not all policies respond the same way (or as expected). What follows are a few insurance-related considerations.

D&O Insurance

Misinformation can easily trigger shareholder litigation, particularly if the narrative leads to a stock price drop or calls into question the adequacy of company disclosures. In these cases, a well-structured directors and officers (D&O) insurance program becomes an essential safeguard.

When placing or renewing D&O insurance, the company should ensure it secures sufficient limits to cover prolonged or high-profile litigation and also understand the extent of its coverage. For example, D&O insurance policies may refer to coverage for “reputation costs” and “crisis response costs.” On its face, one might expect that costs associated with a response to a misinformation-related event would be covered under such a policy. Not necessarily. These are defined terms and are typically defined narrowly as to the types of events that are covered.

This is why it’s important to work with a skilled broker to ensure you’re getting favorable and broad coverage options, and perhaps more importantly, to understand what is actually covered if you're looking to address misinformation risk through insurance.

Other Lines of Coverage

Cyber Insurance. This insurance may cover incidents where misinformation is linked to a data breach or the hacking of a company’s official accounts. That said, it’s important to remember that cyber insurance is designed to respond to the key driver of the peril, which is protection of and access to data, as well as the investigation, coordination, and cooperation with law enforcement. That is, cyber insurance shouldn’t be expected to be the white knight policy if a company is looking for coverage for a broad scope of crisis response costs associated with a misinformation event.

Reputation Insurance. This insurance is intended to protect a company’s reputation and brand. In some cases, this insurance may provide threat mitigation and event response, as well as a certain degree of income loss protection. Examples of events where this insurance could come into play would be if a company employee violently drags an airline passenger off a plane, a celebrity spokesperson is arrested, or your social media team sends a tone-deaf email to every participant of the Boston Marathon. See here for an example of reputation insurance.

Learn more about cyber insurance: Cyber 101: Understand the Basics of Cyber Liability Insurance 

To no one’s surprise, there are several other policies that a company would be able to purchase that could potentially cover certain expenses associated with a misinformation event. However, all of these policies have limitations, so companies should work closely with experienced insurance brokers that can help them understand how coverages overlap, where they fall short, and whether certain coverages are even worth considering given the company’s risk profile.

Board-Level Questions on Misinformation Preparedness

The steps discussed so far in this article are, of course, actions for management. To help directors fulfill their fiduciary duty of oversight, here are a few key questions directors can ask to assess a company’s ability to detect, assess, and respond to misinformation threats. The answers to these questions may well determine how successfully a company will be able to weather a viral misinformation firestorm.

  • How quickly can we identify and assess a misinformation event?
  • Who is responsible for crafting and approving our public response?
  • When will the board be updated and what role, if any, will we as a board play during a misinformation crisis event?
  • Do we know how and to what extent our insurance coverage will respond if misinformation leads to litigation?  

Parting Thoughts

As the line between fact and fiction continues to blur, companies would be wise to adopt processes to detect and respond to false narratives. As discussed, this means investing in misinformation-related monitoring systems, formalizing response plans, and ensuring that insurance programs are aligned with a company’s risk profile and today’s evolving risks. 