Article | FINEX Observer

SEC continues to show commitment to holding organizations’ cybersecurity accountable

By Jason Krauss and Timothy Sullivan | June 12, 2024

SEC tightens cybersecurity rules for investment firms, requiring breach detection and customer notification.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

The SEC continued to flex its cybersecurity enforcement powers on May 16 when the commission announced the adoption of cybersecurity rules that will require investment advisors and broker-dealers to put procedures in place for detecting data breaches and notifying customers when their personal information may have been compromised. The new policies amend Regulation S-P, first adopted in 2000, which governs the way investment advisors and brokerage firms handle sensitive customer information. While the original rule merely outlined measures firms need to take when handling customer information, the latest amendments go further by requiring these firms to establish action plans for identifying and responding to data breaches.

Firms are also now tasked with providing written notice to customers within 30 days after becoming aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice must include details about the incident, the breached data and how potentially affected individuals can respond to the breach to protect themselves.

These new regulations stem from the package of policies first announced by the SEC on March 15, 2023, designed to help harden the financial system against hacking, data theft and system failure. We discussed these proposals in April of last year.

Demonstrating it is prepared to act swiftly to protect markets and investors, the SEC announced on May 22 that the Intercontinental Exchange (ICE), the parent of the New York Stock Exchange, agreed to pay a $10 million penalty to settle allegations that it failed to report a data breach in a timely manner, a breach that impacted the New York Stock Exchange and eight other subsidiaries. In April 2021, ICE was notified by a third party about a potential system intrusion into its virtual private network. ICE discovered during its investigation that malicious code had been inserted into a VPN device used to access its corporate network, but it failed to immediately inform its subsidiaries of the breach, a violation of its internal cyber incident reporting procedures.

Insurance implications

These rule adoptions are just the latest in an ever-evolving patchwork of cybersecurity regulatory requirements. With these new rules, come new risks for organizations and their directors and officers.

Depending on the situation, a cybersecurity event may not only impact a cybersecurity insurance policy but may also trigger coverage under other lines of coverage as well, such as the fidelity bond (crime), the directors’ & officers’ (D&O) and the errors & omissions (E&O) liability policy. These increasing regulatory risks associated with cybersecurity continue to raise concerns amongst the underwriting community. In addition to cybersecurity underwriters, D&O, E&O and crime underwriters are assessing an organization’s cybersecurity risk framework with even greater scrutiny.

When it comes to D&O and E&O coverage, it is important to review the breadth and scope of coverage afforded under adviser and fund policies and be mindful of any existing or proposed cyber-related exclusions and narrow applicability, where possible.

With regard to fidelity bond coverage, the bolstering of policies, procedures and controls in response to new rules and regulations can only improve an organization’s risk profile and should be highlighted in the context of bond renewals.

While most cyber policies provide third-party liability coverage for regulatory claims alleging a security or privacy wrongful act, it is common for these same policies to contain some form of securities violation exclusion, which would preclude coverage for regulatory actions for actual or alleged violations of securities laws or regulations.

While some cyber policies do provide limited carvebacks to these securities law exclusions, they are often difficult to obtain for regulatory actions alleging a failure to provide notice to customers about their privacy policies and practices brought under SEC Regulation S-P, as amended by the new cybersecurity rules referenced above. In the rare circumstances where there is coverage for these SEC regulatory actions, there would likely only be coverage for resulting civil fines and penalties, and only to the extent permitted under whichever applicable law most favors coverage of such fines and penalties.

It is worth noting that a number of carriers may provide sublimited coverage for SEC reporting costs, which may include costs charged by qualified vendors to determine whether a cyber incident is material as defined by the SEC, triggering the filing of a Form 6-K or 8-K, as well as the costs to actually prepare and file the 6-K or 8-K.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.

Authors

FINEX NA Cyber Thought & Product Coverage Leader

Director-Asset Management Industry Leader
