Specialty Podcast: Regulatory Shift - What the SEC’s New Direction Means for the Insurance Industry

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Mike Radak (00:09):
Hi folks. Thanks for tuning in to the Alliant Claims and Legal podcast. I'm joined by my colleague and resident cyber guru, David Finz. David, you want to say hello?

David Finz (00:20):
Yes. Glad to be back on the podcast, Mike. Thanks for having me.

Mike Radak (00:23):
Absolutely. Just reminder before we jump in, you can find some of the topics that we're discussing today and others on the Alliant Executive Liability Insights newsletter that we publish monthly. If you don't get it, you can reach out to David or I, we'll be happy to forward it to you. On that note, we wanted to touch on the shifting regulatory priorities for the SEC and the other government agencies that we're seeing. It's no mystery to anybody that reads the news once a day or once a week that there's massive policy changes going on in Washington, and that's certainly affecting the financial services and consumer industries. We, on the insurance side, we see massive exposures in our daily jobs for clients that arise from regulatory investigations, enforcement actions, SEC actions, FTC, FINRA, all the agencies that investigate financial services clients. Those investigations often run into the millions of dollars. We've seen large towers of insurance get exhausted in both those investigations and enforcement actions. So, what we're seeing now is a sea change in the current administration's policy priorities when it comes to regulation in the consumer and financial services industries. For example, just today I saw a headline that the Financial Crimes Enforcement Network is now narrowing the Corporate Transparency Act to require reporting only by foreign companies and beneficial owners, which is a huge change as far as how they treat the CTA and its implications for our clients. The question that we want to discuss today is what this policy change is going to hold for the future from the regulatory standpoint, particularly with regards to the Securities and Exchange Commission. Another headline that jumped out, I think it was just this week, the SEC had somewhere around 700 staffers leave as part of a buyout for those employees. That was 12% of the entire SEC staff that left this week, and that's before the expected layoffs and budget cuts are implemented. We expect to see a much leaner SEC going forward.

The question is, what are they going to focus their resources on in the future? We expect to see definitely a pullback on some of the investigations and enforcement actions, but there's other areas where we think the SEC's going to direct its attention a little more. The focus in this administration is definitely going to be on individual liabilities versus corporate wide accountability. They're going to look at individual actions more so than punishing the company for actions of those individuals. The investigations that are currently pending will certainly at a minimum move slower than what we've seen in the past. Whether ongoing investigations are going to be withdrawn is yet to be seen, but we can expect that there's going to be long periods of inactivity in some of these investigations just because they don't have the manpower to press those forward. The unfortunate aspect with an SEC or regulatory investigation is that you don't always get the, okay, we've concluded our investigation, and we did not have any significant findings against you. Normally it just stays open-ended. We expect those investigations are going to move a lot slower than what they have in the past. We can certainly expect less focus on ESG and climate-related disclosures when it comes to corporate disclosures. As far as enforcement activity with this new regime, my expectation is that they're going to focus more on the bread and butter securities fraud matters such as insider trading, Ponzi schemes, accounting fraud cases, more than what we see is some of the historic regulation that took place. As far as crypto goes, my expectation, and David, if you have any thoughts here, feel free to chime in, but this current administration seems very pro-crypto. I expect that they're going to do what they can to deregulate it and focus any sort of enforcement action with respect to cryptocurrency only on those circumstances where it's evident fraud and abuse has taken place.

David Finz (04:34):
Yes, I would agree with that. If you take a look at the background of our new crypto czar, if you will, David Sacks, who was appointed by the White House to oversee artificial intelligence and crypto, he's been a big proponent of digital currency through the years. I would expect that any enforcement actions are going to be targeted at the most egregious incidents. This should be a relatively, I don't want to say lax, but a more relaxed regulatory environment for digital currency.

Mike Radak (05:03):
Absolutely. As far as cybersecurity goes, I expect the SEC is going to pull back their focus on punishing companies for cybersecurity events to a certain degree. They're certainly going to scale back efforts to bring cybersecurity controls within the scope of the company's internal accounting controls, and I don't see cybersecurity being a big priority for the SEC under this current regime. That's about the extent of what I had on the SEC changes, although this changes seemingly daily. Don’t be surprised if on our next podcast we're talking about this again. With that, I'll kick it over to you, David.

David Finz (05:39): 
Thanks, Mike, and while I would agree with you that the SEC is probably not going to be as aggressive in their enforcement around cybersecurity, that doesn't necessarily apply to the plaintiff's bar. I'm going to be talking about the intersection between cyber and directors and officers liability, or D&O coverage. As recently reported by Law360, a pair of pension funds have sued a leading social media platform in the Delaware Court of Chancery on grounds of investor loss on account of the company repeatedly violating data privacy laws. This includes the company having been fined 1.2 billion euros by European authorities for data privacy violations. These breaches are being considered the largest such fine ever levied for infringing on the European Union's general data protection regulation or as it's known, the GDPR. These two funds initially filed demands to look at the company's books and records in 2023, not long after the fine was initially levied. The company has apparently not complied with that because the complaint, which is filed under seal, we understand, includes a demand to compel the inspection of those books and records. The plaintiffs say that the company is a recidivist, their words, when it comes to data privacy violations.

This suit, by these two pension funds, follows a wave of securities class actions against large corporations for investor loss arising out of data privacy. In fact, there was an article released by Harvard Law School's forum on corporate governance last August citing some rather large settlements of securities class actions on similar grounds. We're talking about eight and even nine figure settlements here. Now that's not chump change, and I want to be clear about something. I'm a big proponent of cyber insurance, but it doesn't cover everything. Claims arising out of investor loss need to be covered under a D&O policy. You cannot, you should not expect a cyber insurance policy to pick up that type of exposure. You need to look at the full spectrum of insurance that is available to a publicly traded company. That includes making sure that you have adequate D&O coverage because an investor is going to look at how you handle the response to a regulatory proceeding or how you handle the underlying class actions that might be brought by individual consumers or employees whose data has been compromised. The mismanagement of that sort of crisis can result in a drop in share price. That's where your D&O policy comes in, to pick up the defense costs and any settlements or judgements associated with a claim for investor loss under the 33 or 34 Act. I want people to understand that a demand for books and records in and of itself can trigger coverage. Those are often resolved simply by producing those records and offering the prevailing party attorney's fees, but those can be significant as well. That could be a six, or in some cases, even a low seven figure settlement. You want to make sure that you have the complete suite of coverage that is necessary to guard against cyber risk, and that's not just a cyber insurance policy. You need to consider how your investors will respond to a crisis situation. Companies can be forgiven for being the victim of an attack, but if they mismanage the response to that incident, that can exacerbate the problem.

Mike Radak (9:19):
Yes, great stuff David. From the claims side, we are seeing massive exposures with both the cyber events, the ensuing privacy actions and then, you had some great points there about the interplay between the D&O coverage and the cyber coverage. One point that you led off with that I wanted to just touch on briefly was, I talked a lot about deregulation and this administration pulling back from being pro-regulation. Your point about plaintiff's attorneys fill in that gap as far as bringing these actions or bringing lawsuits where traditionally we would see a regulator be the one that leads that charge is something we fully expect to see. I think the plaintiff's bar is going to benefit from the deregulation that we're seeing in this current environment.

David Finz (10:05):
Absolutely. I think they're going to fill the gap.

Mike Radak (10:07):
Yes, as they always do. Plaintiff's attorneys love low hanging fruit. Alright, that's all we have for today. Thanks everybody for tuning in. Again, if you have any questions about what we discussed today, don't hesitate to reach out to David or I or another member of the Alliant team. Thank you.