Financial R&R: Beyond the Breach - The Ashford Cyber Settlement, SEC Fallout and Hidden Insurance Risks
By Alliant Specialty / February 11, 2025
Ron Borys and Ryan Farnsworth welcome David Finz, Alliant Cyber, to discuss the recent SEC settlement with Ashford following its 2023 cyber breach. The team examines the backlash over allegedly inadequate disclosures to investors about the breach's magnitude. They discuss the insurance implications a cyber incident can have beyond the cyber policy itself, such as triggering other policies like D&O and E&O, and stress the importance of early communication with brokers and a holistic view of coverage to avoid gaps.
Intro (00:01):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.
Ron Borys (00:14):
Welcome everyone. I'm Ron Borys. I'm here with Ryan Farnsworth, and this is a special edition of the Financial R&R. Ryan and I came across some interesting news in the past week or so, specifically related to an asset management client. It was announced that there was a settlement as a result of an investigation in connection with a cyber breach. Given the sensitivity and focus on cyber, particularly for our clients that are highly regulated by the SEC and other regulatory bodies, we thought it would be a great opportunity for us to do a podcast with our resident expert, David Finz. David has been a frequent participant and speaker, guest on the Financial R&R, and we thought it would be a great way to get out there in front of this and share with our listeners our thoughts and views. Thanks for joining us today, David. Ryan, why don't you walk us through the background here.
Ryan Farnsworth (01:02):
Yes, no doubt. When I hear the word "cyber claim," I think of David Finz, and so we had to bring him on to talk through. Because this was a cyber claim 18 months or so ago, but now it's drawing additional eyeballs because many called it the last cybersecurity enforcement action by the SEC, led by the Gary Gensler administration, for lack of a better term. Everyone was focused on, what does that mean going forward? I think we'll save that topic for another day because the Ashford case is particularly interesting because it goes beyond the expected coverage that you would have as a result of a breach or a ransomware incident that Ashford experienced in 2023. But now of all people, the SEC is talking about disclosures and protecting investors and how that arises from a cybersecurity incident. Ashford, as a publicly traded company, did have the responsibility to disclose publicly once they had experienced this ransomware demand and cybersecurity attack where it declared that there was some information that was disclosed. And ultimately, the SEC said they didn't do that very well. Is that a good summation, David? I mean, as we think about the SEC and their involvement in cyber related disclosures, what is their expected role, and is it in line with what you would've expected here?
David Finz (02:27):
Yes. Thanks, Ryan, and thank you both for having me on again. This is an example of how the SEC has two different hats that they wear. There are times when the SEC is functioning as a data privacy regulator, such as when they bring an action against a broker, dealer or registered investment advisor for mishandling consumer information under Regulation S-P. That's not what we are dealing with here. In this instance, the SEC was acting as a protector of the investing public. This was a case about materially misleading information that investors relied upon in making a decision as to whether or not to buy stock in a company. In this case, the SEC alleged that Ashford did not disclose the magnitude, the extent of the incident. Because of that, investors were misled. That was the basis of this proceeding. Now they settled it, and I'm not suggesting that there was in fact any wrongdoing. I'm simply explaining the SEC's position here. This was an instance where the SEC was wearing its traditional hat as a defender of the investing public. This is not a cyber regulatory proceeding. Clearly, this started as a cyber incident, but what we are dealing with here really was a case about making sure investors have the right information they need to be able to make a prudent decision.
Ron Borys (03:55):
Yes. Those are great points, David. What I think would be really great for our listeners, something Ryan and I talk about frequently on the Financial R&R in other areas and topics, is insurance implications because, as we know, most of these clients are buying cyber liability insurance policies. Most of these clients are buying firm level investment advisor or investment management, E&O, D&O, et cetera. Clearly, here you have an event that theoretically, originally may have triggered or did trigger a cyber policy, but then the subsequent action from the SEC has implications in other areas. This is also why our brokers continue to focus on and emphasize the importance of looking at various policies, language, how they interplay with one another, how an event could impact multiple policies. Maybe we can talk a little bit about that.
David Finz (04:40):
Absolutely. Again, cyber insurance is something that I've spent, I don't even know the last how many years, focusing on. It's a product that I am very loyal to, but it doesn't cover everything. A risk advisor needs to look across the entire insurance portfolio to see where coverage might be triggered based on the nature of the allegations being raised, who the claimant is and in what capacity they are acting. So again here, what may have started out as a cyber insurance coverage matter has morphed into a very different type of proceeding based on what the SEC brought. Perhaps it could trigger directors and officers liability coverage. Perhaps it could trigger E&O coverage. Ryan, I know that's something we spoke about before beginning recording here, where E&O might come into play here for an insured like this.
Ryan Farnsworth (05:33):
Yes, and that's exactly our thought process here, because as specialists and advocates in the financial institutions marketplace, we understand this dynamic probably better than anyone. Because how we help financial institutions find that more rewarding way to manage risk is built into what we do. Our cyber specialists are on the same team as our D&O and E&O specialists. Our claims advocates and claims attorneys are on the same service team as our cyber brokers and as our D&O, E&O specialists. That comes to the forefront in a case like this, where, as you anticipate potential claims or potential issues with regulators, it's critical that companies and their insurance professionals seek out advice from their broker. Steve Shappell, who runs our legal and claims team, has the infamous tagline of early and often. We need to be contacting our brokers early and often if there are any issues whatsoever pertaining to insurance. Without knowing exactly the insurance implications in the Ashford case, for example, it's very easy to look back and say that when they made that ultimate disclosure, the E&O policy should have been put on notice, even if there wasn't a formal claim. That this could give rise to a claim under the E&O policy in their capacity as an alternative investment advisor with the REITs that they advised. The breach of the information that was exposed easily falls within the scope of the professional and investment advisory services that Ashford was offering. Ultimately, as you said, this is not a cyber hat that the SEC was wearing. This is a regulator hat that more applies to the coverage expected under an E&O policy and intended to protect the directors and officers and their personal assets under a D&O policy. Having that type of communication with your broker, with your risk advisor from the beginning is critical, especially as we deal with so many of these cyber-related issues that span across various different insurance programs and policies.
David Finz (07:44):
This is why it's so important to have your broker's claims team have line of sight into all of your insurance program placements. So when the claim comes in, somebody might look at this and say, oh, this is a cyber matter. But they have to be able to look across the entire portfolio and say, is there any other coverage that might be implicated here? We've had cyber claims that have triggered coverage under the property, the crime, the kidnap and ransom, the general liability policies. Obviously here you're looking at something where D&O and E&O might come into play. It's important for someone to have that relationship, particularly for financial institutions, because of some of the unique products that are out there that are tailored to that industry, to be able to look at those and see whether any of them are implicated by a particular matter. This has become all the more critical now because the underwriters have made a conscious effort to try to wall off cyber risk into its own product. When in fact, despite those efforts, there are still instances, and you see one here, where other coverages might come into play. So it's important to have somebody that can take that holistic view of an insured's program and know what other coverages might be implicated by a given matter.
Ron Borys (09:05):
Yes, those are great points. I think that the takeaways here are don't make assumptions when something happens. Don't assume that just because it was a cyber breach, the only policy that will potentially be in play is the cyber policy. There are benefits to putting notice, as Ryan mentioned earlier, to your other policies. In this case, I would've thought that the E&O or investment management insurance policy would certainly be a good policy to be considerate of notice. The misnomer out there of, well, if we put in a notice of a circumstance, it's going to impact our relationship with our carriers, premiums are going to go up, is a debunked myth from our perspective with our clients. No client should ever be penalized for exercising their rights or obligations under the policy to provide notice of a matter that is a claim or even a potential claim. While the fine here, the civil penalty that was awarded, could be deemed material or immaterial, depending on your view of that amount. I think it was $115,000. If I had to guess, depending on the duration of this matter, legal expenses probably well exceeded that amount. That is absolutely something that our insureds, our clients, are expecting to be covered with regards to their professional liability, their E&O coverage. I really appreciate you guys taking the time. I think this is a really timely topic. Certainly one that continues to come up on multiple occasions with our clients. You two are the best in the business when it comes to this type of stuff. I think our listeners really appreciate the perspectives that you, David, in particular have and can share given your experience. For anyone who has any questions or anybody who wants to learn more about what we're doing here at Alliant from either a cyber liability perspective or a financial institutions perspective, you can visit our website at www.Alliant.com. Otherwise, we'll wrap up this episode of the Financial R&R.
We'll look forward to having you on again real soon, David.
David Finz (10:59):
Thanks for having me.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.