Specialty Podcast: Impact of Recent Court Decisions on Insurance Policies and Cybersecurity Regulations
By Alliant Specialty
Steve Shappell and David Finz, Alliant Claims & Legal, examine three recent court decisions and their potential implications on insurance policies. These decisions include Groff v. DeJoy, which redefines religious accommodation standards and could result in increased employment practice litigation; the Harvard Affirmative Action decision, which could affect diversity and inclusion policies; and the unexpected alteration in cybersecurity regulations by the SEC, mandating swift disclosure of material incidents and cybersecurity approaches.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
Steve Shappell (00:09):
Good afternoon everybody, and welcome to the latest edition of the Alliant Specialty Legal and Claims Podcast. Today I'm joined once again by David Finz, who is going to address some of the SEC's ongoing activism with regard to cyber and disclosures, but I'm going to kick it off talking about U.S. Supreme Court. They have been very busy, as many people have seen in the news, and two decisions in particular that impact us. We don't often talk about some of the employment practice issues because it is often very state and regionally oriented impacts. But the Supreme Court had two decisions that we talked about in our most recent newsletter that I want to talk about. The first is Groff v. DeJoy, which deals with Title VII, religious accommodation case. And both of these cases I'm going to talk about are cases that we've got our finger on the pulse of because I and many others think that it is going to impact frequency. And I think as a result, also severity of some employment practice litigation and employment practice exposure is an exposure that really goes across our entire book, all industries and all jurisdictions. So, the first, being Groff, which was a religious accommodation case; the takeaway from it, while the Supreme Court wanted to minimize its decision and its impact, it really did deviate from along the line of decisions. And as we've seen with this court, it's not afraid to go a different path. And this decision in particular was very interesting because we had an entire court have a “clarification” of the standard for dealing with a request for religious accommodations. And the facts of this are important because as we always do, as lawyers and with exposures, is we try to analyze whether this case is distinguishable or are the facts here going to translate into my exposure?
And so this was a religious accommodation dealing with the postal service, right? And working on a Sunday. But here we had the court, like I said, deviate from maybe 50 years of precedent here to come out with a new standard. And what the court concluded here was that the standard that was going to be utilized here was going to be that the trivial cost of accommodating request for religious accommodation was no longer going to be the standard. The burden for the employer is that the employer must show now that the burden of granting an accommodation request would result in substantial increase in cost in relation to the conduct of its particular business. So, a new standard. And what we think we're going to see is we're going to see a lot more challenges, because this is going to be more challenging for an employer to come in and say that, you know, the request for religious accommodation is more than just trivial.
It's a substantial cost. And that burden is shifting to the employer. And we saw this issue come up a lot with COVID, and we predict that this new standard is going to create some serious implications for employers. Another Supreme Court case that people who think about this and try to read tea leaves about is going to be the Harvard Affirmative Action decision. This was a split court on striking down affirmative action in admissions. And the question is, how is this going to impact the employment? Because it doesn't translate perfectly. That's a Title VI versus employment. It's a Title VII. And employment arguably already has a prohibition against discrimination in Title VII and employment. But many of us think this decision is going to stand a little bit on its head; companies who have diversity and inclusion policies, and those will be under attack.
Where open discrimination based on race is already prohibited, now what is going to be the challenge based on this Harvard decision? And is it going to be used as precedent for employees and applicants charging and challenging their employment decisions, both hiring and then termination, where diversity and inclusion policies and practices are in place. So, we're going to keep our finger on the pulse of this issue because it's a hot topic and it's connecting some dots as to how this will impact employers day-to-day, and will it result in an increase in litigation and challenges for firms that are quite committed to diversity and inclusion, but not affirmative action, which are distinct standards. So, we'll keep reporting back on this and keep our finger on the pulse of any changes in the evolution on this. With that, David, let me kick it over to you on your cyber world and the SEC coming out with some new guidance and rules.
David Finz (04:58):
Thanks, Steve. And a pleasure as always to be here with you. We're keeping close tabs on what can only be described as an abrupt 180 on the part of the Securities and Exchange Commission with respect to its new cybersecurity regulations. You know, it wasn't more than a few weeks ago that the SEC had indicated that it was deferring enactment of these new rules until at least October. And pundits inside the beltway had been speculating that public comments from stakeholders, as well as pushback from other law enforcement agencies were giving the SEC some pause about the rollout of these new requirements. Well, you could pretty much flip the script on that. So on July 26th, the SEC announced it was kicking these new regs into high gear, and they issued a press release stating that they were adopting new rules requiring registrants to disclose in an 8-K any material incidents within four days of discovery.
Now, there is an exception if the disclosure could compromise national security or public safety, but even then, the registrant would still need to notify the commission of that in writing. They're going to also be required to furnish investors' information on the company's cyber risk management strategy and governance as part of their 10-K filing. And even foreign issuers are going to be subject to comparable disclosure rules. And these new rules are taking effect 30 days after their publication in the federal register. So, this is a pretty major turnaround on the part of the SEC. These new rules are going to raise some very interesting questions around how cyber and directors and officers or D&O liability coverage come into play. And if we're not careful, you could end up with a gap in coverage for these proceedings because security claims, or any claim of investor loss, not directly related to the breach of a shareholder's own data, is typically going to be excluded under a cyber policy.
And then conversely, coverage for regulatory investigations of a cybersecurity incident isn't part of a standard public company D&O policy. So the question is, where does this get covered? Where can we find a home for this new enforcement authority that the SEC has? And I think brokers and underwriters are going to need to work together to ensure that these actions under the SEC's new rules; find a home in one of these insurance products so that policy holders aren't left holding the bag for the costs of responding when the commission comes knocking on their door. And another thing to consider here is the defense of these actions can be very costly, and these inquiries could require a level of subject matter expertise around data privacy that isn't really necessarily at the fingertips of your typical securities litigator. So, they're going to need to bring in some expertise around the network security and data privacy aspect of the risk in addition to the ordinary securities defense work. So, there's a lot here that needs to get sorted. And I'm pleased to say that between our financial institutions practice and our claims and legal team I think we're uniquely positioned to offer clients the guidance they're going to need to get through these new challenges to the regulatory landscape.
Steve Shappell (08:12):
David, you raise a great point, and this is one of the things that I would say the more rewarding way to manage risk with Alliant because as people who have listened to this podcast and listened to you and me talk about before, we have this legal and claims operation that's embedded with brokerage, and we are constantly dealing with these kind of issues. And so when you talk about the gap, this is something that you and I are already talking with brokers about. We're not going to have a gap here. Worst case scenario, we're going to have overlap. You know, we're going to have two policies responding to this unique exposure rather than a gapping cover. This is something that David and I are all over with the broking team to make sure that we have overlapping coverage, not a gap in coverage. Well, thank you everybody for joining us today. David, appreciate you as always leading the charge on this unique fast moving cyber exposure.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.
Thanks for your message.
We’ll be in touch shortly.