Specialty Podcast: Cybersecurity for Federal Contractors & ERISA Litigation
By Alliant Specialty
How does the ruling on ERISA excessive fee cases affect your business? Join Steve Shappell and David Finz, Alliant Claims & Legal, as they look at recent legal developments, including new rules proposed by federal agencies on federal contractors' cybersecurity requirements and excessive fee claims in ERISA litigation. The duo highlights the importance of a software bill of materials (SBOM) for businesses and the need for uniform cybersecurity requirements.
Intro(00:00):
You are listening to the Alliant Specialty Podcast dedicated to insurance and risk management solutions and trends shaping the market today.
Steve Shappell (00:08):
Good afternoon. Thank you for joining the Alliant Financial Lines Legal and Claims podcast. As always, we've got David Finz with me, and he'll talk a little bit about the never-ending cyber developments in our world. But real quick, a couple of different articles. I would really encourage people to go look at the monthly newsletter and some past ones. There's some really great stuff in there. Interesting decisions that came out on ERISA. Probably the most pressing is the excessive fee issue. We spend a lot of time talking with our clients and with underwriters about the excessive fee claims. They frankly keep the underwriters very nervous about ERISA and the rate they're getting for fiduciary insurance, which is the policy that covers excessive fees claims, and then some E&O coverage for asset managers and investment advisors who get dragged into these; really interesting.
Of the three cases we talk about on excessive fees, a couple really positive decisions dismissing excessive fees. One of the key takeaways is we have some excessive fee litigation that's being dismissed, and that's a real positive in our world. So, the really good news is we had two decisions come that said that the pleadings were inadequate. The Taylor Corporation case was a good one, where the court really held the plaintiffs to a very strict standard of pleading a meaningful benchmark in the complaints to articulate the excessive fees. The Denso international case, England vs. Denso, did a very similar analysis and dismissed those cases. So, two very positive cases. And we did have the McDonald case that came in, McDonald versus LabCorp, which was unfortunate. And it's very fact-driven where the court looked at it and concluded the pleadings were sufficient for the necessary benchmarking for excessive fees.
So that's ERISA. Then the other really positive ERISA case that came in, and we don't see much preemption litigation these days, but as we see more and more states passing more and more legislation, what we see is ERISA is an employee benefit law that fills that legal standard, and preemption is that if the federal law fully occupies the regulatory legal landscape for the law in question, it preempts state. We have some really great Supreme Court cases for years on this point, but it's eroded over the years and the Supreme Court has not taken it up lately, and we've seen more and more district and circuit courts split hairs and come to different decisions on preemption. The case in the newsletter is out of Oklahoma dealing with pharmacy, and the really good takeaway is the 10th circuits reinforced preemption, so that employers who are in 50 states for all these exposures don't have to worry about 51 various laws that they have to deal with when ERISA preemption kicks in.
So, an interesting month of ERISA litigation, and you know how much I love ERISA and list ERISA litigation. So, it's kind of a fun month. One more quick point out of the newsletter that I must always take 30 seconds or a minute to talk about is notice. In David and my world, in management liability, these policies are almost always claims-made policies, and they're almost always claims made and reported. So, the claims have to come in during the policy period and must be reported in that same policy period. And it is part of the insuring agreement. It's not a condition, it is part of the trigger for the insuring agreement. And as a result, failure to timely notice claims that are made within the policy period, within that policy period can be fatal. And so just a reminder, there's another case in the newsletter that talks about the harsh consequences in claims being reported of not timely reporting. And I would make the request again, and you've heard me say this before, early and often reach out to your broker, reach out to your claims team too, and have a discussion about whether its particular matter circumstance warrants notice. We'd rather err on the side of having good discussion, good debate and a notice than to wait and then have a carrier later say, you should have told us about it. That looks like a claim. So, let me hand it over to David who’s going to talk about cyber exposure with federal contracts.
David Finz (04:05):
Thanks, Steve. So, in the next issue of the Executive Liability Insights Newsletter, we're going to take a look at some important developments affecting federal contractors. The U.S. government is the biggest purchaser of goods and services in the nation. And for many businesses, the government is their biggest customer. So, when the federal government starts talking tough about cybersecurity, folks need to listen. Because this could impact their bottom line. So now we have the GSA, the General Services Administration. they're the agency who's responsible for the procurement of much of what Uncle Sam needs to keep the government running. And the GSA, along with the Department of Defense and NASA, these three agencies have proposed new rules for federal contractors. Now, these were published in the Federal Register a few weeks back. The goal is to develop a uniform approach to contract wording around what agencies are going to require out of businesses doing business with the federal government when it comes to cybersecurity.
Right now, as it stands, agencies are free to develop their own requirements, and this approach has proven really confusing and costly to businesses. So, this can actually serve as a disincentive to even putting in a bid. It's not good for businesses and frankly, it's not good for taxpayers because there's a lack of competition. So, streamlining this and having a uniform set of requirements brings some efficiency to the process. Now, one area of focus is going to be around information sharing. Contractors are going to be expected to work with the Cybersecurity and Infrastructure Security Agency, or CISA, around threat hunting incident response planning. And if they experienced a cyber incident, they'd be required to provide the FBI with full access to their information systems. Because again, the government's their biggest customer. Even more significant though, is a provision that is in this proposed rule relating to vulnerability management.
Now, under the rule, the contractor would be mandated to create and maintain what's known as a software bill of materials. This basically documents any software that's being used to deliver goods and services to the U.S. government. Having a software bill of materials is a best practice for businesses anyway. It's not a new concept. We actually touched on this in a client alert back in late 2021 when the whole log for J-vulnerability came to light. We've seen the role that software plays in these exploits by threat actors. We've even seen this more recently with respect to the MOVEeIt file transfer vulnerability that's resulted in so many claims. The bottom line is that if folks don't have a handle on what programs and applications they're running, they're not going to be able to patch that software when it's needed, and they might not even know to retire that software, to stop using it when it reaches its end of life and it's no longer being supported by the developer.
Now, as far as what companies should be doing about all of this, for starters, if you're a federal contractor, you probably want to get a hold of a copy of the announcement with the proposed rule. It's in the federal register, so you can download it from the web. If for some reason you have trouble finding it, then you can reach out to me at David.Finz@alliant.com, and I'll be happy to send you a copy. There's only a 60-day comment period for the public to weigh in on this proposed rule, and a couple of weeks have already passed at this point. So, you're going to want to get on top of that also. And this applies regardless of whether you are a federal contractor or not; you should consider developing an SBOM, a software bill of materials for your business. And if you're looking for a service provider that can help your internal IT department, or if you use a managed service provider, or you need help getting a vendor that can assist you in with this project, folks can contact me. We've got a team of risk consultants here at Alliant that are available to connect you with vendors that can help you get on that path to better management of these vulnerabilities. And you know, remember if the government's asking these questions, you can bet that your cyber insurance underwriters are going to be paying attention to this area of exposure as well.
Steve Shappell (08:19):
Thanks, David. We appreciate everyone taking the time to listen in to David and my podcast. We encourage you to log onto the Alliant website to access our newsletters and podcast. Thank you.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.
Thanks for your message.
We’ll be in touch shortly.
