Specialty Podcast: Navigating the SEC’s New Data Privacy Rules for Financial Entities
By Alliant Specialty
How will the SEC’s new data privacy rules under Regulation S-P impact financial entities? David Finz and Steve Levine unpack the regulations for enhanced client data protection, quick data breach notifications and incident response plans, effective July 15. They discuss the vital role of third-party risk management and explore the insurance implications, highlighting coverage areas in cyber and D&O policies. Alliant offers specialized services to help clients ensure their compliance with these regulations and strengthen their incident response strategies.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
David Finz (00:09):
Hello everyone and welcome to another edition of the Alliant Specialty Podcast. I'm David Finz. With me today, we have a special guest, Steve Levine, Senior Vice President in our claims and legal specialty practice. Steve, welcome to the program.
Steve Levine (00:26):
Thank you, David. It's wonderful to be here. Looking forward to talking with you and all of our listeners about the recent SEC final revision to their data privacy rules, the final revision to the data privacy rules governing many financial entities, which is what we refer to as Reg S-P. These new requirements are going to apply to registered investment advisors, broker-dealers, investment companies, funding portals and transfer agents. David, would you like to tell us a little bit about what this Reg S-P will do for us?
David Finz (01:00):
Sure, thanks Steve. What's really interesting about this topic is that it cuts across multiple lines of insurance coverage in terms of where we can expect our clients to be able to transfer some of the risk associated with this. The final rule requires these entities to develop written protocols to protect clients' confidential information. They also need to have mechanisms in place to identify unauthorized access to data and to create an incident response plan, which, along with having the right containment and remediation measures in place, also needs to include a procedure to notify impacted customers of any breach. That has to take place within 30 days of the regulated entity discovering that they've had an incident. Additionally, the final rules mandate due diligence around a firm's monitoring of its service providers, who themselves may experience a breach, and require firms to deliver privacy notices to customers on an annual basis. Now, there is an exception: if there's been no change in policies and procedures year over year, they don't necessarily have to provide that annual notice. These new requirements will take effect on July 15th, which is 60 days from the issuance of that final rule.
So, this is something that the SEC has really been focused on. SEC chair, Gary Gensler had issued a statement praising these amendments. He said they were going to help protect the privacy of customers' financial data. He seems to be very focused on the fact that there's a notification requirement and says that is good for investors. One observation I have is that the service providers themselves don't have any requirement on them to notify impacted customers of a breach, that rests squarely with the regulated entity. Again, as I often say, you can outsource the responsibility for storing and processing data, but you cannot outsource the liability. Ultimately, as a regulated entity, it rests with you to give that notice. You may have recourse against the service provider. They may help you defray some of those costs depending on the nature of the vendor agreement that you have with them, but ultimately you're responsible for making sure that that notification takes place. But the data protection rules and the incident response planning provisions of Reg S-P do not extend to the service providers.
The lack of any mandate around that really heightens the importance of third party risk management, vendor management, on the part of financial institutions and their advisors. Let's talk a little bit about where the insurance coverage could come into play. Best in class policy wording for cyber policy includes within the definition of a regulatory proceeding, a proceeding brought under Regulation S-P. That’s great, right? The legal fees associated with responding to that inquiry and potentially fines and penalties if they are insurable by law, would be picked up by a cyber policy. But where that coverage ends is with respect to any type of private party litigation that might ensue as a result of a breach or investor loss around any hit to the value that shareholders experience as a result of this incident. Steve, that's where I think, because you and I talked about this running up to this call, that's where the D&O could potentially come into play.
Steve Levine (04:53):
Sure, Dave. Shortly after the rule came out, a couple of clients reached out to me asking, well, hey, how might this impact us? Of course, I was drawn to two specific questions and areas of potential risk. You have your regulatory risk, and then you have your consumer or customer risk. The first client that reached out to me was a public D&O company. They were asking about their public D&O. In that situation, their predominant concern was, can this lead to shareholder derivative actions? Can this lead to allegations of breach of fiduciary duty? Will our policy step in and cover that? I assured them, yes, to the extent that shareholders or activist shareholders or whomever are going to raise questions about board decisions or the way that these rules were implemented, then certainly we would expect the D&O policy to cover that. If any individuals are implicated, whether it be by a regulatory investigation or from some consumer or shareholder angle, we would expect it to kick in as well.
The broader coverage, though, David, is on our private D&O side, where there is potentially coverage for regulatory activity. The private D&O has broader parameters than the public D&O, where we're limited to securities claims generally for the entity. We do think the angle here is to review what type of coverage could be available for fines and penalties, and make sure that we are as broad as possible on our cover for such fines and penalties. That might in essence be where the carrier would be expected to come in and pay. The defense piece, where there would be significant defense costs, would be shareholder litigation, more likely derivative than stock drops. It's possible that an incident or breach can lead to disclosures that could lead to stock activity that could lead to shareholder class actions, but the more logical avenue for risk would be on the derivative side.
David Finz (06:59):
Right. To clarify, when I said where the cyber coverage stops, clearly privacy litigation is arising from this. So, if a shareholder's saying that their own data was compromised, that would rest with the cyber. Where the D&O comes in, is really around claims of investor loss, claims of any type of misfeasance or malfeasance or failure to exercise due diligence in protecting the value of those investments. The other point that I wanted to make is that the final rule makes specific reference to incident response planning, and this is something where Alliant can really help our clients. Our cyber risk consulting practice does offer a variety of services, including incident response planning, reviewing a company's internal information security policies, conducting tabletop exercises.
The best part about this is you don't even necessarily have to be an existing client of Alliant Insurance Services to avail yourself of these separate fee engagements. This is something that we can really assist our financial institution clients and other financial institutions with as they seek to ensure that they are in compliance with Regulation S-P and that they have a plan in place to deal with an incident when it arises. Steve, anything else you want to add here in closing?
Steve Levine (08:24):
No, Dave, other than to extend the offer that anyone who has questions or would like to discuss this further should reach out to myself or to David. We'd be happy to sit down and have a broader conversation or drill down into more of the specifics, so that people can get out ahead of this and make sure they're adequately protected and/or make any adjustments to their policy at next renewal to account for potentially added risk.
David Finz (08:47):
Thanks, Steve. Here at Alliant, we are dedicated to helping you find the more rewarding way to manage risk. If you'd like to find out more about our service offerings, you can visit our website at www.Alliant.com. Thanks for joining us today, and until next time, take care.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.