Specialty Podcast: The SEC’s Crackdown on Informal Communications
By Alliant Specialty
The SEC is cracking down on text messages and emails sent between companies and their clients. Join Steve Shappell and David Finz, Alliant Claims & Legal, as they provide an update on critical legal issues. They examine the SEC’s increased focus on off-channel and informal communications, the current status of the climate reporting rule, and the increasing need to bolster your cybersecurity defenses against the growing threat of distributed denial-of-service (DDoS) attacks on the financial sector.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
Steve Shappell (00:08):
Thank you everybody for joining today's podcast with David Finz and Steve Shappell talking about Alliant Claims and Legal's Newsletter and topics of interest. David, as always, will have some very, very interesting topics in the fast-moving world of cyber. I want to chat real briefly about the fast-moving world of SEC. The SEC continues to be very active. A common theme we're seeing with the SEC sweeping organizations, some of the routine investigations, contacts with clients evolving quickly into these off-channel communication investigations. Companies subject to the SEC regulation do have routine examinations with the SEC, and the SEC has been poking around a lot on this off-channel communication. And we continue to see the ongoing off-channel communication charge by the SEC investigating these and fining companies for using text messaging, personal emails in order to communicate. This has obviously got a lot of attention, and the cost of some of these settlements continue to grow.
There's seven figures including some eight figures, so we'll continue to report on these in the newsletter. I encourage you to look at the newsletter and see the enforcement results that we try to track in the newsletter. The other interesting SEC development is the SEC has been working on this climate reporting standard requirement for some time for public companies. It's a big deal that the rules were finally formalized, and they came out, and they were going to be effective in 60 days. And the newsletter highlights for you some of the requirements from this new rule. This was met pretty quickly with a tremendous amount of litigation and numerous district courts and circuits around the country.
And what has happened in a lottery, the Eighth Circuit won the privilege of dealing with this litigation on whether the SEC has exceeded its authority in creating the climate reporting requirements that are in this new rule. And the SEC, as part of the litigation, voluntarily stayed enforcement of this rule and the application of this rule just to create some speed and efficiency in the litigation to focus on the underlying issues as opposed to bans and restrictions that would come from the litigation. So stay tuned, we will track this because a tremendous amount of effort has gone into these rules and corporations anticipating these rules and beginning to comply with these rules. And now we have the rules not into effect. That's on the SEC. And then the other thing, I again encourage you to read the newsletter, tremendous amount of coverage litigation once again. And you'll see in the coverage litigation issues like rescission, like excess policies, not truly follow form and not functioning and performing as anticipated where underlying carriers paid tens of millions of dollars in a settlement. And you have a high excess carrier with very unique non-follow form exhaustion language able to avoid paying claims.
These are things that can be and should be addressed. It's attention to detail. It's things that we, Alliant, address and spend a tremendous amount of time on the terms and conditions because if you don't have true follow form, you can and will have issues as reflected in the pharmacy decision. The last coverage issue, been beating this drum for two decades: Rescission, rescission, rescission. This is a big deal, and again, it's something that can be and should be addressed. Rescission is a shockingly easy remedy for a carrier to utilize. I'd refer to it as a large loss exclusion over the years because carriers, when faced with an enormous loss, they look hard at how was this policy procured? What promises and representations were made to procure this insurance? If there's a material misrepresentation that they relied upon, they have a right to rescind absent policy language, which minimizes, reduces or eliminates their ability to rescind. So David, you're going to talk a little bit about surge in denial of service claims that we're experiencing.
David Finz (04:24):
Thanks Steve. Yes. So what we're seeing is that an old weapon of cyber warfare is causing new headaches for the world of finance. As recently reported by the insurance industry media outlet, Zywave, financial services companies are becoming a leading target for distributed denial of service attacks, according to a study they cited by a nonprofit research group that's comprised of members of the financial services industry. So the Financial Services Information Sharing and Analysis Center reported that its members witnessed, are you ready for this? A 154% increase in DDOS attacks between '22 and '23.
The center notes that these attacks are hitting all areas of the financial sector, including private wealth management, investment banking, personal finance, digital payments and even the insurance sector. Now, for listeners who may not be familiar with the term, a DDOS attack essentially floods its victim’s network with extraneous internet traffic, and that causes systems to crash. It takes down websites. It halts e-commerce. And this method of attack was a favorite of hacktivists in years past. And unlike other types of cyber attacks, they're typically used not so much to steal data or extort funds from the victim, but to disrupt operations and score points to advance the attacker's cause or agenda. So this is a different type of attack. It's not necessarily used for monetary gain.
So why is there a resurgence in DDOS attacks right now? Well the center's chief intelligence officer believes that it's being fueled by geopolitics. We have nation states and other groups that are looking to make a statement and undermine confidence in the global financial system. And the researchers also note that it's pretty cheap to hire hackers to launch these sorts of attacks. And botnets have become a powerful way to orchestrate these attacks, and they have become more potent over the years. So these attacks enable threat actors to get more bang for their buck than some other methods. Now, what's even more insidious is the fact that although DDOS attacks themselves do cause some harm in terms of business interruption, they're sometimes also launched to divert the victim's attention from other threat factors such as data breaches or ransomware. So they will use this as a decoy of sorts.
Get IT's attention focused on the DDOS attack, while they essentially get into the network to cause some other harm. And the thing is that these attacks can be pretty damaging in and of themselves. Taking down a company's website, even just momentarily, can lead to a loss of customers, and it can tarnish a firm's reputation over the long term. So the question is, what can financial service firms do about this threat? And the center stresses the importance of ensuring that business continuity and cyber resilience. We have a risk consulting team here at Alliant that can help companies develop or revise their incident response plan. And sure there's technical aspects to that in terms of building defense in depth, in building workarounds into your IT infrastructure.
But here I'm also talking about some of the non-technical aspects. Things like decision making, internal communications, messaging of stakeholders, and not incidentally, how to integrate cyber insurance into your incident response plan. There's also the question of vendor management. Clearly, third-party risk management needs to be a part of incident response planning. A lot of companies are using outside vendors for web hosting, trade execution for payment platforms, and there's contract provisions to consider that can help minimize their exposure. And here at Alliant Specialty's Claims and Legal Group, we can help review those. Again, we're not dispensing legal advice. And what we're doing is we're saying, okay, if you engage in this agreement, here are the implications for your insurance that you want to think about. And this can help organizations make more informed decisions around their engagement of vendors.
Steve Shappell (08:23):
Thank you, David. Appreciate it. As always very insightful and proving that Alliant is a better way to manage risk. So thank you everybody for joining the podcast, and if you've got any additional questions, please always feel free to reach out to David or myself, and we encourage you to go to our website, Alliant.com. Thank you.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.