{"id":122692,"date":"2024-09-12T09:00:22","date_gmt":"2024-09-12T14:00:22","guid":{"rendered":"https:\/\/plusweb.org\/?p=122692"},"modified":"2024-09-12T09:00:22","modified_gmt":"2024-09-12T14:00:22","slug":"the-coverage-impacts-of-recent-developments-in-cyber-security-regulation-for-financial-services","status":"publish","type":"post","link":"https:\/\/plusweb.org\/news\/the-coverage-impacts-of-recent-developments-in-cyber-security-regulation-for-financial-services\/","title":{"rendered":"The Coverage Impacts of Recent Developments in Cyber Security Regulation for Financial Services"},"content":{"rendered":"<p>Insurers and their insureds continue to face a growing patchwork of laws and regulations regarding the components of their cybersecurity programs, as well as the necessary steps following an incident. \u00a0At the state level, NYDFS finalized revisions to its Part 500 Cybersecurity Regulation at the end of 2023. \u00a0The amendment to Part 500 created new and enhanced requirements for large companies. \u00a0Meanwhile, companies must also navigate state privacy laws, and variations on the NAIC Insurance Data Security Model Law 668 adopted by several states.<\/p>\n<p>At the federal level, the SEC has been busy with the rollout of its 2023 disclosure rules and amendments to Regulation S-P, which governs broker-dealers and other financial institutions. \u00a0The FTC also amended the GLBA\u2019s Safeguard Rule, adding breach reporting requirements to requirements for the safeguarding of customer financial information.<\/p>\n<p>The increased scrutiny on cybersecurity from lawmakers and regulators has practical implications and operational impacts. \u00a0In order to manage their various cybersecurity compliance obligations, companies may have an increased need for internal documentation of risk assessment, policies, and response plans. \u00a0Additionally, regulators want to see empowered CISOs, along with ownership of cybersecurity risks at the at the highest levels of company leadership, including the CEO and Board. \u00a0This emphasis on personal accountability is evident in the pre- and post-incident disclosure requirements now imposed on companies.<\/p>\n<p>These heightened legal standards carry increased litigation risks. \u00a0Class actions arising out of cyber incidents were already on the rise. \u00a0The NYDFS has staked out aggressive positions in its enforcement actions, seeking up to $1,000 per violation. \u00a0Now companies may also face an increased likelihood of enforcement actions, shareholder suits, whistleblower retaliation suits, and individual executive liability.<\/p>\n<p>Increased litigation risks and complexities have potential impacts on the insurance coverage available for such risks across policy lines. \u00a0With these new regulations, companies may face an increased likelihood of D&amp;O risks such as shareholder suits and individual executive liability arising out of inadequate or misleading disclosures. \u00a0The SEC\u2019s new requirements for annual 10-K filings setting forth cybersecurity processes and risk management oversight could lead to EPLI exposure in the form of whistleblower retaliation suits.<\/p>\n<p>Of course, cybersecurity risks implicate cyber coverages, and the fluid regulatory landscape may lead to coverage disputes. \u00a0As regulators mandate the implementation of specific cybersecurity safeguards, the maintenance of documentation, and periodic disclosures, insurers may have more information to review, in the course of a coverage investigation, that includes an analysis of any one of several exclusions. \u00a0Some cyber insurers exclude coverage for claims resulting from an insured\u2019s failure to maintain certain minimum processes, which regulators or litigants may also allege. \u00a0Misleading or inaccurate disclosures could implicate a dishonest acts exclusion. \u00a0The heightened focus on what the CISO or other high-level executives knew about a cybersecurity vulnerability and <em>when they knew it<\/em> could be highly relevant to coverage under a policy granting or excluding coverage based on circumstances at the policy\u2019s inception date.<\/p>\n<p>The new and amended rules discussed above encourage financial services companies, including insurers, to build a culture of cybersecurity compliance, starting at the Board and c-suite levels. \u00a0The evolving legal and regulatory landscape in the area of cybersecurity means that insurers face an evolving risk landscape and the potential for increased litigation. \u00a0Insurers covering cyber risks in the market should be especially mindful of the disclosure and certification requirements incorporated into recent rules in reviewing policy applications and claims.<\/p>\n<p><strong>Meet the Authors<\/strong><\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-122890 alignleft\" src=\"https:\/\/plusweb.org\/wp-content\/uploads\/2024\/09\/limber_natalie-1.jpg\" alt=\"Headshot of Natalie Limber.\" width=\"250\" height=\"300\" \/>Natalie Limber<\/strong><\/p>\n<p>Natalie Limber is counsel in Dentons\u2019 Los Angeles office. She has a broad range of combined law firm and in-house experience with a focus on serving the legal and regulatory needs of the insurance industry.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-122891 alignleft\" src=\"https:\/\/plusweb.org\/wp-content\/uploads\/2024\/09\/mccain_kathleen-3.jpg\" alt=\"Headshot of Kathleen McCain.\" width=\"250\" height=\"299\" \/>Kathleen McCain<\/strong><\/p>\n<p>Kathleen McCain is a partner in Dentons\u2019 Los Angeles office. She has more than 30 years of experience guiding clients through insurance transactions and regulatory issues.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-123090 alignleft\" src=\"https:\/\/plusweb.org\/wp-content\/uploads\/2024\/09\/daubert-todd-d.jpg\" alt=\"Headshot of Todd Daubert. \" width=\"250\" height=\"300\" \/>Todd Daubert<\/strong><\/p>\n<p>Todd Daubert is a partner in Dentons\u2019 Washington, DC office and is chair of the firm&#8217;s Communications and Technology sectors, and leader of the US Privacy and Cybersecurity team. He has two decades of experience helping companies develop, deploy, improve and protect their technology, telecom, and data products and services.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-123091 alignleft\" src=\"https:\/\/plusweb.org\/wp-content\/uploads\/2024\/09\/chow_sabrina.jpg\" alt=\"Headshot of Sabrina Chow.\" width=\"250\" height=\"300\" \/>Sabrina Chow\u00a0<\/strong><\/p>\n<p>Sabrina Chow is an associate in Dentons\u2019 Orange County office. She is a member of the Commercial Litigation practice, focusing on insurance dispute resolution and litigation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Insurers and their insureds continue to face a growing patchwork of laws&hellip;<\/p>\n","protected":false},"author":14,"featured_media":22094,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"none","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[97,1377,1374],"tags":[402,1375],"business-line":[41],"post-type":[49],"topic":[29],"class_list":{"0":"post-122692","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","6":"hentry","7":"category-plus","8":"category-cyber-liability","9":"category-professional-liability-insurance","10":"tag-cyber-liability-insurance","11":"tag-professional-liability-insurance","12":"business-line-cyber-liability","13":"post-type-plus-blog","14":"topic-professional-liability-pl-insurance","18":"post_tag-cyber-liability-insurance","19":"post_tag-professional-liability-insurance"},"acf":[],"_links":{"self":[{"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/posts\/122692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/comments?post=122692"}],"version-history":[{"count":3,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/posts\/122692\/revisions"}],"predecessor-version":[{"id":125038,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/posts\/122692\/revisions\/125038"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/media\/22094"}],"wp:attachment":[{"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/media?parent=122692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/categories?post=122692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/tags?post=122692"},{"taxonomy":"business-line","embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/business-line?post=122692"},{"taxonomy":"post-type","embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/post-type?post=122692"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/plusweb.org\/wp-json\/wp\/v2\/topic?post=122692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}