2024 Regulatory Update for Investment Advisers

In 2023, the Securities and Exchange Commission issued various proposed rules on regulatory changes that will affect SEC-registered investment advisers (RIAs). Since these rules are likely to be put into effect, RIAs should consider taking preliminary steps to start integrating the new requirements into their compliance policies and procedures.

1. Updates to the Custody Rule

The purpose of the custody rule, rule 206(4)-2 of the Investment Advisers Act of 1940 (Advisers Act), is to protect client funds and securities from potential loss and misappropriation by custodians. The SEC’s recommended updates to the custody rule would:

  • Expand the scope of the rule to include not only client funds and securities but all of a client’s assets over which an RIA has custody
  • Expand the definition of custody to include discretionary authority
  • Require RIAs to enter into written agreements with qualified custodians, including certain reasonable assurances regarding protections of client assets

2. Internet Adviser Exemption

The SEC also proposed to modernize rule 203A-2(e) of the Advisers Act, whose purpose is to permit internet investment advisers to register with the SEC even if such advisers do not meet the other statutory requirements for SEC registration. Under the proposed rule:

  • Advisers relying on this exemption would at all times be required to have an operational interactive website through which the adviser provides investment advisory services
  • The de minimis exception would be eliminated, hence requiring advisers relying on rule 203A-2(e) to provide advice to all of their clients exclusively through an operational interactive website

3. Conflicts of Interest Related to Predictive Data Analytics and Similar Technologies

The SEC proposes new rules under the Advisers Act to regulate RIAs’ use of technologies that optimize for, predict, guide, forecast or direct investment-related behaviors or outcomes. Specifically, the new rules aim to minimize the risk that RIAs could prioritize their own interest over the interests of their clients when designing or using such technology. The new rules would require RIAs:

  • To evaluate their use of such technologies and identify and eliminate, or neutralize the effect of, any potential conflicts of interest
  • To adopt written policies and procedures to prevent violations of the rule and maintain books and records relating to their compliance with the new rules

4. Cybersecurity Risk Management and Outsourcing to Third Parties

The SEC has yet to issue a final rule on the 2022 proposed new rule 206(4)-9 under the Advisers Act, which would require RIAs to adequately address cybersecurity risks and incidents. Similarly, the SEC still has to issue the final language for new rule 206(4)-11, which would establish oversight obligations for RIAs that outsource certain functions to third parties. A summary of the proposed rules can be found here: 2023 Regulatory Update for Investment Advisers: Miller Canfield

NAVEX Report Reveals Increase in Whistleblower Retaliation and Reporting of Misconduct

NAVEX’s 2022 Risk & Compliance Hotline & Incident Management Benchmark Report reveals an increase in internal reporting about misconduct and an increase in allegations of retaliation.  The analysis of data from 3,470 organizations that received more than 1.37 million individual reports identified the following trends (see the full report for a discussion of additional trends and analysis of the data):

  • “More actual allegations of misconduct, rather than inquiries about policies or possible misconduct. Ninety percent of all reports in 2021 were allegations of misconduct, up from 86 percent last year and hitting an all-time high since our first benchmark report more than ten years ago.”

  • “Reports about retaliation, harassment and discrimination jumped – especially retaliation. In 2021, reports of retaliation nearly doubled . . . Taken altogether, these findings suggest employees are more attuned to workplace civility issues. That would fit with external trends such as more talk about systemic racism, income inequality and political divisions; as well as increasing protection for whistleblowers and employees’ awareness of those protections.”

  • “Substantiation rates continue to edge upward. Overall substantiation rates rose from 42 percent in 2020 to 43 percent in 2021, and up from 36 percent a decade ago. The reports substantiated most often were data privacy concerns (63 percent), environmental issues (59 percent), and confidential and proprietary information (54 percent). The reports substantiated least often were about retaliation (24 percent).”

  • “The substantiation rate for reports of retaliation also went up slightly, from 23 percent in 2020 to 24 percent in 2021 – the highest substantiation rate seen since 2016. While steady, this substantiation rate is significantly below the overall median case substantiation rate of 43 percent in 2021. These cases, though difficult to prove, warrant attention.”

  • “Reports of harassment exceeded levels from the height of the #MeToo movement.”

Corporate Whistleblower Protections

Whistleblower retaliation remains all too prevalent. A September 14, 2022 Bloomberg article titled “Whistleblower retaliation remains all too prevalent” discusses how “choosing to be a whistle-blower can also be a lonely, risky road” and identifies many deterrents to speaking up – “[t]hey may be afraid of litigation, ruining their reputations, losing security clearances or facing jail time.”

Fortunately, federal and state laws afford corporate whistleblowers remedies to combat retaliation, and whistleblower reward laws incentivize whistleblowers to take the considerable risks entailed in reporting fraud and other wrongdoing to the government. For example, the SEC Whistleblower Program offers awards to eligible whistleblowers who provide original information that leads to successful SEC enforcement actions with total monetary sanctions exceeding $1 million. A whistleblower may receive an award of between 10% and 30% of the total monetary sanctions collected in actions brought by the SEC and in related actions brought by other regulatory or law enforcement authorities. The SEC Whistleblower Program allows whistleblowers to submit tips anonymously if represented by an attorney in connection with their tip.

What is Whistleblower Retaliation?

Whistleblower retaliation laws prohibit a broad range of retaliatory actions against whistleblowers, including any act that would dissuade a worker from engaging in protected whistleblowing.  Examples of actionable whistleblower retaliation include:

  • Terminating a whistleblower;

  • Constructively discharging a whistleblower;

  • Demoting a whistleblower;

  • Suspending a whistleblower;

  • Harassing a whistleblower or subjecting the whistleblower to a hostile work environment;

  • Reassigning a whistleblower to a position with significantly different responsibilities;

  • Issuing a performance evaluation or performance improvement plan that supplies the necessary foundation for the eventual termination of the whistleblower’s employment, or a written warning or counseling session that is considered discipline by policy or practice and is routinely used as the first step in a progressive discipline policy;

  • Placing the whistleblower on administrative leave;

  • Threatening to take an adverse action against a whistleblower;

  • Subjecting a whistleblower to a retaliatory investigation or retaliatory surveillance;

  • Suing a whistleblower for the purpose of retaliating against the whistleblower;

  • Outing a whistleblower;

  • Intimidating a whistleblower;

  • Initiating a law enforcement investigation or facilitating an employee’s detention by U.S. ICE after the employee reported a serious injury; or

  • Discriminating against a whistleblower in the terms and conditions of employment because of whistleblowing.

The DOL Administrative Review Board has emphasized that statutory language prohibiting discrimination “in any way” must be broadly construed and therefore a whistleblower need not prove that a retaliatory act had a tangible impact on an employee’s terms and conditions of employment.

What Damages Can a Whistleblower Recover in a Whistleblower Retaliation Case?

Whistleblower retaliation can exact a serious toll, including lost pay and benefits, reputational harm, and emotional distress.  Indeed, whistleblower retaliation can derail a career and deprive the whistleblower of millions of dollars in lost future earnings.

Whistleblowers should be rewarded for doing the right thing, but all too often they suffer retaliation and find themselves marginalized and ostracized.  Federal and state whistleblower laws provide several remedies to compensate whistleblowers that have suffered retaliation, including:

  • back pay (lost wages and benefits);

  • emotional distress damages;

  • damages for reputational harm;

  • reinstatement or front pay in lieu thereof;

  • lost future earnings; and

  • punitive damages.

Combating Whistleblower Retaliation: How to Maximize Your Recovery

Whistleblower protection laws can provide a potent remedy, but before bringing a retaliation claim, it is crucial to assess the options under federal and state law and develop a strategy to achieve the optimal recovery.  Key issues to consider include the scope of protected whistleblowing, the burden of proof, the damages that a prevailing whistleblower can recover, the forum where the claim would be litigated, and the impact of the retaliation claim on a whistleblower rewards claim.

Scope of Protected Whistleblowing

There is no federal statute that provides general protection to corporate whistleblowers.  Instead, federal whistleblower protection laws protect specific types of disclosures, such as disclosures of securities fraud, tax fraud, procurement fraud, or consumer financial protection fraud.  The main sources of federal protection for corporate whistleblowers include the whistleblower protection provisions of the following:

  • The False Claims Act (FCA) — protecting disclosures about fraud directed toward the government, including actions taken in furtherance of a qui tam action and efforts to stop a violation of the FCA;

  • The Defense Contractor Whistleblower Protection Act (DCWPA) — protecting whistleblowing about gross mismanagement of a federal contract or grant; a gross waste of federal funds; an abuse of authority relating to a federal contract or grant or a substantial and specific danger to public health or safety, or a violation of law, rule, or regulation related to a federal contract;

  • The Sarbanes-Oxley Act (SOX) — protecting disclosures about mail fraud, wire fraud, bank fraud, securities fraud, a violation of any SEC rule, or shareholder fraud;

  • The Dodd-Frank Act (DFA) — protecting whistleblowing to the SEC about potential violations of federal securities laws;

  • The Taxpayer First Act (TFA) — protecting disclosures about tax fraud or tax underpayment;

  • The Consumer Financial Protection Act (CFPA) — protecting disclosures concerning violations of Consumer Financial Protection Bureau rules or federal laws regulating unfair, deceptive, or abusive practices in the provision of consumer financial products or services; and

  • The Anti-Money Laundering Act (AMLA) — protecting disclosures about violations of the Bank Secrecy Act.

While most of these anti-retaliation laws protect internal disclosures (e.g., reporting to a supervisor), whistleblower protection under the DFA is predicated on a showing that the whistleblower disclosed a potential violation of federal securities law to the SEC prior to suffering an adverse action.

State law may also provide a remedy, including the anti-retaliation provisions in state FCAs.  And approximately 42 states recognize a common law wrongful discharge tort action (a public policy exception to at-will employment), which generally protects refusal to engage in illegal activity and the exercise of a statutory right.

Burden of Proof

To maximize the likelihood of winning a case (or at least getting the case before a jury), it is useful to select a remedy with a favorable causation standard (the level of proof required to link the protected whistleblowing to the adverse employment action).  SOX has a favorable “contributing factor” causation standard, i.e., the whistleblower prevails by proving that their protected whistleblowing affected in any way the employer’s decision to take an adverse action.  In contrast, the FCA and DFA require the whistleblower to prove “but for” causation, i.e., the adverse action would not have happened “but for” the protected whistleblowing (albeit there is no need to prove that it was the sole factor).

Damages and Remedies in Whistleblower Retaliation Cases

Variations in the remedies available to whistleblowers under federal anti-retaliation laws may warrant bringing more than one claim.  For example, the DCWPA authorizes an award of back pay (the value of lost pay and benefits), and the FCA authorizes an award of double back pay.  If the whistleblower’s disclosures are protected under both statutes, then the whistleblower should bring both claims.

While a prevailing whistleblower can recover back pay under both the DFA and SOX (double back pay under the former and single back pay under the latter), the DFA does not authorize special damages, i.e., damages for emotional distress and reputational harm.  In contrast, SOX authorizes uncapped compensatory damages.  Therefore, a whistleblower protected under both statutes should bring the SOX claim within the much shorter SOX statute of limitations (180 days) to recover both double back pay and special damages.

State law may also provide a remedy, and if the whistleblower can pursue both a statutory remedy and a wrongful discharge tort, the latter may offer the opportunity to seek punitive damages.

Forum Selection and Administrative Exhaustion

When selecting the optimal remedy to combat retaliation, a whistleblower should consider the forum where the claim would be tried and determine whether the claim must initially be investigated by a federal agency before the whistleblower can litigate the claim.  SOX provides an unequivocal exemption from mandatory arbitration, but Dodd-Frank claims are subject to arbitration.  Accordingly, a whistleblower protected both by SOX and Dodd-Frank should file a SOX claim within the 180-day statute of limitations to preserve the option to try the case before a jury.

Several of the corporate whistleblower protection laws require that the whistleblower file the claim initially at a federal agency and permit the agency to investigate the claim before the whistleblower can litigate the claim.  This is called administrative exhaustion, and failure to comply with that requirement can waive the claim.  In contrast, the FCA and DFA do not require administrative exhaustion.

Impact of Whistleblower Retaliation Claim on Whistleblower Rewards Claim

Another important consideration is the potential impact of a retaliation case on a qui tam or whistleblower rewards case.  Filing an FCA retaliation claim while a qui tam suit is under seal poses some risk of violating the seal, which could bar the whistleblower from recovering a relator share.  Therefore, counsel should consider filing the FCA retaliation claim under seal along with the qui tam suit.

Further, whistleblowers pursuing rewards claims at federal agencies (e.g., SEC or IRS whistleblower claims) while simultaneously pursuing related retaliation claims (e.g., a SOX or TFA claim) should assess the potential impact of the retaliation claim and the potential discoverability of submissions to the SEC or IRS on the rewards claim(s).

Although the patchwork of whistleblower protection laws fails to protect disclosures about certain forms of fraud, there are important pockets of protection.  To effectively combat retaliation, whistleblowers should avail themselves of all appropriate remedies.

© 2022 Zuckerman Law

Law Firms and Bar Associations Must Plan Now for Coronavirus Outbreak

Our sources in Washington are indeed very worried about the coronavirus emerging from China. 

Many of our sources believe that containment will not work.

In the event of a major pandemic, “social distancing” will be enforced.  Schools, restaurants, movie theaters – and even law firms – will be closed, perhaps for an indefinite time, presenting unprecedented challenges.

At the very least, bar associations and law firms should begin thinking about logistics now using “peace time” wisely.

Viruses that originate in an animal and jump to a human can and often do change or mutate, presenting challenges to doctors and researchers. Especially during rapidly developing situations, reporters will likely demand simple and definitive answers, even in situations where simple and definitive answers don’t exist. As well, bloggers with political agendas may accidentally or purposely report fact as fiction and vice versa.

On the internet, anyone can be a “reporter” with the ability to publish immediately and without the safety net of editors, fact-checkers and other traditional media gatekeepers. Consider also the pressure on traditional media of balancing the need to report immediately vs. reporting accurately. Given those factors, the emerging coronavirus provides another fertile field for confusion with consequences.

The Spanish flu killed some 50 million to 100 million people worldwide over about a year in 1918-19 — one of the deadliest pandemics in human history. The 2003 severe acute respiratory syndrome (SARS) outbreak turned out to be less than a pandemic, but caused 774 deaths in 17 countries, according to the World Health Organization (WHO). The 2009 swine flu (H1N1) outbreak featured high rates of human-to-human transmission, yet was thought to have been less lethal than originally feared, with a minimum of 18,449 confirmed deaths. In fact, though, the U.S. Centers for Disease Control (CDC) has since estimated the global death toll at 284,000 — 15 times those confirmed cases.

All of these examples should serve as cautionary tales for how we approach and talk about this latest potential pandemic.

I reached out to Peter Sandman, perhaps the United States’ pre-eminent risk communication speaker and consultant. Here’s what Sandman told me in his email reply:

The key lesson here: The word “pandemic” means an infectious disease has spread to lots of people in lots of places. To be a pandemic, an outbreak has to be widespread and intense. It doesn’t have to be severe; 1918 was, 2009 wasn’t — at least in comparison.

This coronavirus? The experts are pretty sure it’s going to go pandemic. They don’t know yet how severe it will be, though many are guessing it will be closer to 2009 than to 1918. Even a mild pandemic kills a lot of people, simply because a small percentage of a huge number is a lot of people. And a mild pandemic can certainly be disruptive: hospital overcrowding, absenteeism, supply-chain problems, etc.

If it’s mild and stays mild, it won’t be catastrophic.

Whether it’s mild or severe, though, a pandemic eventually makes containment efforts futile, and therefore a waste of effort. Patient isolation, contact tracing and monitoring, quarantines and travel restrictions are the four main containment tools. The first two are conventional. The last two are controversial, not because they’re less effective than the first two but because they have bigger downsides.

None of the four, separately or together, can stop a pandemic. They can slow it a little, which isn’t nothing: It buys time for preparedness (emotional as well as medical and logistical). But as soon as the virus is spreading widely in a place, that place has no further use for containment.

The risk communication lesson now: Stop telling people that containment will “work.” If the coronavirus goes pandemic, as noted immunologist Dr. Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, and nearly every other expert expects, eventually (and probably pretty soon) it will be spreading widely in the U.S., too, and containment won’t make sense.

One feature of the 2009 flu outbreak was the changing nature of advice. At first, pregnant women were to receive priority for inoculations. Then, it was anyone with a compromised immune system, followed by those over the age of 60. As I recall, during this era before social media exploded and became a main source for news, reporters, columnists and other pundits were quick to criticize the CDC, the World Health Organization and other federal, state and local health officials for the lack of definitive advice and prognostication.

As this is being written, there is no way to tell whether the coronavirus is going to be highly infectious but not lethal or highly infectious with a high degree of lethality. It might even burn itself out — or it may seem to go into hiatus but then come roaring back in the fall (as did the Spanish flu).

Government agencies are already placing visitors from China into quarantine. This may suddenly escalate, with the closure of airports and other ports of entry. Stock markets may dramatically tumble — but then recover just days later. Or they may not. And if things really escalate, offices, schools, malls, theaters and other venues may close — and grocery shelves may empty. In the face of this uncertainty and volatility, prudent bar association and law firm leaders should be using “peace time” to prepare for the worst.

Now is the time to:

  • Examine your sick-leave policies. Family-leave policies, too, should be looked at because many employees may unilaterally decide to hunker down at home, especially if they have small children or elderly relatives to care for.

  • Encourage and utilize good hygiene practices (e.g., hand-washing, coughing into the crook of the elbow instead of the hand).

  • Consider what a travel ban might do to your business.

  • Remind your employees — and yourself — to depend on only the most reliable sources for information about coronavirus. The WHO, the CDC and state and local health boards are reliable. Facebook isn’t — and the advice given by the pundits on cable television must be taken with more than the proverbial grain of salt.

  • Remember to remind all of your stakeholders that situations like this are fluid and the information given out now may be preliminary and subject to change. Even advice from the CDC and WHO can change, depending on the facts at hand.

Employees, customers and other stakeholders will cross-check what you tell them against other sources. If you mislead them, they’ll hold it against you. Be especially careful not to sound over-reassuring or overconfident, which Sandman says are the two most common crisis risk communication mistakes other than outright dishonesty (also common, sadly).


© 2020 Hennes Communications. All rights reserved.


Coronavirus Spreads from China, Increasing Risks

Originating in the Chinese city of Wuhan, a coronavirus known as 2019-nCoV has spread quickly this month, migrating to multiple other countries as international health officials rush to contain its spread and calm fears. But the spread of the virus—and China’s response—is already having major impacts on businesses both within the country and around the world.

A member of the same family as SARS and MERS, the virus presents symptoms similar to those of flu or pneumonia. So far, the coronavirus outbreak has killed 17 people and has sickened at least 600 people across China alone. This week, a man in Washington State returning from a visit to Wuhan became the first identified case in the United States. He is reportedly in stable condition and in isolation. Other cases have been reported in Hong Kong, Macao, Japan, South Korea, Thailand, Singapore and Vietnam.

On Tuesday, the Chinese government upgraded the classification of the virus to a Class B infectious disease, giving the government the power to take more serious steps to limit its spread. These include imposing travel restrictions in and out of Wuhan and several nearby cities, with more restrictions pending, which could effectively impose a quarantine over 25 million people. Wuhan’s railway stations, buses and subway were shut down this week, as were several highways out of the city, and hundreds of flights from the city’s international airport were reportedly cancelled.

Additionally, China has begun banning all large gatherings and cancelling public events in major cities, including Beijing. As the country prepares to celebrate the Lunar New Year—when millions travel home out of major cities and/or attend large public celebrations for the holiday—this will likely cause major disruptions for people and businesses. China’s largest investment bank, CITIC Securities, even told its employees in the Hubei province (of which Wuhan is the capital) not to travel home for the holiday, and if they did, that they would be forced to work remotely for two weeks before they could return to the office. Macao—which has one documented case of the coronavirus thus far—has cancelled a public New Year’s festival, and is considering shutting down its casinos (a huge part of the region’s economy) if more cases are discovered.

When outbreaks like the coronavirus occur, companies can protect their business and employees by reviewing existing policies and looking into additional coverage to fill gaps. As Risk Management previously wrote, even limited disease outbreaks can have major impacts on businesses, especially those in the health care industry or operating overseas. Companies may have particular cause for concern about the risks of business interruption and supply chain issues stemming from quarantines, travel disruptions and major event cancellations. For example, many U.S. pharmaceutical companies have moved their drug and medical supply manufacturing to China, and these operations can be affected by health crises.

As the disease has spread internationally, staff operating in areas with documented cases and traveling employees may also face risk of infection. In addition to the travel restrictions China has instituted in various regions, airports around the world have started instituting special screening for passengers from China, possibly further complicating travel. In fulfilling their duty of care to traveling employees, companies have a number of insurance options including foreign voluntary workers compensation or business travel accidental death and dismemberment coverage, and should take the opportunity to review existing coverage and assess any potential gaps moving forward. Pre-trip preparation and training can also help. Ensuring that employees have the resources and knowledge to find in-country medical care or a concrete evacuation plan prior to traveling can also help protect them in a crisis.


Risk Management Magazine and Risk Management Monitor. Copyright 2020 Risk and Insurance Management Society, Inc. All rights reserved.


CBD Risk Management

Advising companies on CBD (cannabidiol) risk management is made challenging by the rapid pace of developments and frequent confusion caused by often false or misleading online information. This article attempts to provide a concise analysis of critical CBD legal and risk management issues.

Do Not Conflate “Legality” under the 2018 Farm Bill with U.S. Food and Drug Laws

The 2018 Farm Bill, which was signed into law in December 2018, exempts hemp and hemp-derived products, including hemp-derived CBD, from the Controlled Substances Act (CSA). In the lead-up to passage of the Farm Bill, there was widespread confusion in the public as to the extent of the “legality” of hemp-derived CBD, with many commentators and even some legal experts conflating legality under the CSA with legality under the Food, Drug, and Cosmetic Act (FDCA) and state food and drug laws. This confusion prompted former FDA Commissioner Scott Gottlieb to issue a public statement clarifying that Congress had explicitly preserved the FDA’s authority to regulate products containing cannabis or cannabis-derived compounds under the FDCA, regardless of whether they are derived from cannabis or hemp.

Identify How the CBD Product Will Be Defined under the FDCA

A product containing a cannabinoid could be considered a drug, food, food additive, dietary supplement or cosmetic depending on how the product is marketed and sold. How aggressively these products are policed by FDA and state agencies depends on the nature of the product and how it is defined under the FDCA and state law.

CBD as “Food” or “Dietary Supplement”

FDA’s position since at least 2015 is that certain cannabinoids, including CBD, are impermissible additives that adulterate food and dietary supplements for both humans and animals. Under the FDCA’s drug exclusion rule, once a substance that was never previously in the food supply is (1) an active ingredient of an approved drug product or (2) an active ingredient of a product in clinical trials that have been made public, a food or supplement containing that substance cannot be shipped in interstate commerce. FDA has cited Epidiolex® as an example of a clinical investigation regarding CBD that has been made public. Epidiolex was approved by FDA in June 2018 for treatment of childhood seizures associated with two rare forms of epilepsy. FDA has therefore concluded that CBD products are in fact drugs and require FDA approval under the FDCA. The new-drug approval process is exorbitantly expensive; in 2016, the Journal of Health Economics estimated the average cost per approved drug at well over $1 billion.

CBD as a “Cosmetic”

Cosmetics are generally less heavily regulated by FDA than food or drugs, and until recently the agency has remained silent on the use of CBD in cosmetic products. On April 2, 2019, FDA provided much-needed insight, stating that although certain cosmetic ingredients are prohibited or restricted by regulation, “currently that is not the case for any cannabis or cannabis-derived ingredients.” However, FDA warned that no ingredient – including cannabis-derived ingredients – can be used in a cosmetic if “it causes the product to be adulterated or misbranded.” A cosmetic may be considered adulterated “if it bears or contains any poisonous or deleterious substance which may render it injurious to users under the conditions of use prescribed in the labeling.” FDA cautions that a product may be considered both a cosmetic and a drug, even if it affects the appearance, if it is “intended to affect the structure or function of the body, or to diagnose, cure, mitigate, treat or prevent disease.”

Several large national retailers, including CVS, Walgreens and Rite-Aid, recently announced they will begin selling CBD-infused cosmetics in certain stores.

FDA Currently Uses “Enforcement Discretion”

Other than issuing letters to companies that sell CBD-infused oils and food products warning them to refrain from making impermissible health claims, FDA has to date taken no other visible enforcement action in that regard. Former FDA Commissioner Scott Gottlieb recently testified before a Senate appropriations subcommittee that “we are using enforcement discretion right now,” and that “I will take enforcement action against CBD products that are on the market if manufacturers are making what I consider over the line claims.” This would certainly include the egregious health claims at issue in the recent warning letters, such as that CBD can cure cancer or prevent Alzheimer’s disease. Gottlieb nevertheless acknowledged that FDA has not taken action against numerous products on the market given its enforcement priorities and limited resources. He cautioned, however, that FDA’s lack of enforcement is “not an invitation for people to continue marketing these products.”

State Enforcement of CBD

Authorities in several states have stepped up enforcement actions, including unannounced inspections and CBD product embargos ordered by authorities in California, New York, Texas and other states. Several states and cities, including California, Maine, North Carolina, Ohio and New York City, have banned CBD-infused food products under state and local laws.

Notwithstanding this state-led crackdown, certain states are working to provide greater legal access to CBD products under state law. Lawmakers in California and Texas, for example, are working on bipartisan legislation to allow sales of CBD products in those states, notwithstanding FDA’s prohibition.

CBD’s Pathway to Legality

As a result of significant pressure by industry groups and members of Congress, FDA has signaled a willingness to consider a potential easing of restrictions on CBD. On April 2, 2019, FDA issued a press release that announced new steps for advancing the potential regulatory pathways for CBD products. The press release explains that FDA primarily is concerned that permitting widespread commercial availability of CBD products negatively impacts research that may otherwise be performed to support regulatory approval through FDA’s drug review process. Similarly, FDA does not want to incentivize patients to forgo appropriate medical treatment by substituting unapproved products for FDA-approved medicines. Also of concern is the potential for liver injury and cumulative exposure to CBD if accessed by consumers across a range of products.

Notwithstanding the intense pressure on FDA to fast-track the CBD approval process, without congressional action that exempts CBD from FDA’s regular rulemaking process, it is likely that the approval process for use of CBD in foods or supplements will take years. In Gottlieb’s recent Senate testimony, he explained that “we don’t have a clear route to allow [CBD] to be lawfully marketed short of promulgating new regulations.” He noted, however, that there is precedent for Congress to issue legislation in the context of a single ingredient, similar to prior legislation for human growth hormone. Gottlieb also has appeared to embrace the idea of legislation that classifies CBD according to defined concentration levels, whereby CBD would be classified as a dietary supplement up to a defined concentration threshold, above which it would be considered a pharmaceutical drug. This is similar to the way fish oil has been regulated.

A public hearing scheduled to take place on May 31, 2019, will cover a range of CBD-related topics, including (1) health and safety, (2) manufacturing and product quality and (3) marketing/labeling/sales. FDA is encouraging public comments and participation at the hearing.

Acting FDA Commissioner Ned Sharpless is now leading the agency. Some have expressed concern over how Sharpless will approach CBD because he is a former cancer drug researcher who has less experience with the dietary supplement and food regulation side of FDA’s mandate. According to a recent interview with former associate FDA Commissioner Peter Pitts, Sharpless is expected to manage the process already in place with respect to CBD for the time being.  How much attention Sharpless will give to CBD issues in the future “depends on the priorities and the new commissioner’s stomach for battle.”

CBD Risk Management … in the Meantime

Until the legal pathway for CBD is clear, companies that market most CBD products must tread carefully. Some, such as the large national retailers that recently announced the sale of CBD products, are focused on safer cosmetic products. Others choose to market and sell CBD-infused foods and supplements based on a higher appetite for risk and a “safety in numbers” assessment in the face of no visible FDA enforcement.

No matter how a company chooses to participate in the CBD industry, it must be counseled on FDA regulatory risk based on the product type in addition to the risks of marketing and selling CBD products on a state-by-state basis. Because the legality of CBD products varies widely by state and is changing so rapidly, providing accurate counsel can be a challenge. In addition, CBD product labels must be carefully reviewed for compliance under both federal and state law. Some states have specific and onerous labeling requirements for CBD products.

Although many companies tend to downplay the risk and potential financial severity of regulatory enforcement by federal or state agencies when it comes to CBD, they ignore at their own peril the risk presented by potential civil tort exposure. CBD products may be considered adulterated, contaminated or mislabeled under federal and state law. This may give rise to financially ruinous lawsuits, including consumer class actions or competitor suits that allege false advertising or unfair competition under state consumer protection statutes. It is essential for every CBD company to have a solid grasp of both the CBD regulatory risks and the unfair competition laws to fairly compete in the new CBD marketplace, and to avoid unwittingly being named as a defendant in an expensive and potentially company-ending lawsuit.

To this end, it also is important for any company that markets and sells CBD products to conduct an insurance coverage review with an attorney and broker who understand the nuances of the CBD insurance market. With passage of the 2018 Farm Bill, insurance coverage for hemp-derived products, including CBD, is expanding rapidly. Problematic endorsements and exclusions remain, however, with respect to limitations on coverage as a result of regulatory penalties, product seizures, resulting business interruption and tort damages premised on violations of law.

Most importantly, CBD risk management requires constant education and vigilance to stay abreast of an area of the law changing more rapidly than any other in recent history.

© 2019 Wilson Elser
This post was written by Ian A. Stewart of Wilson Elser.

White House Will Unveil Cyber Executive Actions At A Summit This Week

Squire Patton Boggs (US) LLP law firm

Legislative Activity

This Week’s Hearings:

  • Wednesday, February 11: The Senate Commerce, Science and Transportation Committee will hold a hearing titled “The Connected World: Examining the Internet of Things.”

  • Thursday, February 12: The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies will host a hearing titled “Emerging Threats and Technologies to Protect the Homeland.”

  • Thursday, February 12: The House Education and the Workforce Subcommittee on Early Childhood, Elementary and Secondary Education will hold a hearing titled “How Emerging Technology Affects Student Privacy.”

  • Thursday, February 12: The House Science, Space and Technology Subcommittee on Research and Technology and Subcommittee on Oversight will hold a joint hearing titled “Can Americans Trust the Privacy and Security of their Information on HealthCare.gov?”

Regulatory Activity

White House Will Unveil Cyber Executive Actions at a Summit this Week

On Friday, February 13, the White House will hold its Summit on Cybersecurity and Consumer Protection at Stanford University. President Obama will be speaking at the Summit and plans to issue a new Executive Order focusing on ways to increase cybersecurity information sharing between the private sector and the U.S. Department of Homeland Security (DHS).

The executive action will likely expand the current work that DHS’s National Cybersecurity and Communications Integration Center (NCCIC) does to include a new concept of Information Sharing and Analysis Organizations (ISAO), which was briefly previewed by the President last month. As currently discussed, ISAOs would be designed to share information across multiple industry sectors to supplement the work of the current network of Information Sharing and Analysis Centers (ISACs).  According to press reports from government officials, the executive action is expected to create a network of ISAOs that would be managed by DHS in the beginning and eventually would become a privately-run entity. Several government officials and industry representatives have said that the President’s action will represent a step forward to improving the current information sharing platforms but they also recognize that information sharing legislation is still needed.

In addition to the Summit on Friday, the National Institute of Standards and Technology (NIST) will hold a half-day workshop on Thursday focused on the technical aspects of consumer security. The Office of Science and Technology Policy will also host a meeting leading up to the Summit on Thursday focused on cybersecurity workforce development.

White House Blog Highlights Future Action on Cyber Risk Management

Last week, White House Cybersecurity Coordinator Michael Daniel wrote a blog post on how companies can strengthen their cyber risk management and the role of the federal government in incentivizing stronger cybersecurity practices in the private sector. He notes in the post that the White House believes “the market offers the most effective incentives for the private sector to adopt strong cybersecurity practices,” but also stated that the Obama Administration will continue to work in a variety of areas to support these efforts by streamlining regulations, investing in cybersecurity research and development, and updating federal procurement policies and practice. Daniel wrote that the White House is working with federal agencies and critical infrastructure to identify regulations that are excessively burdensome, conflicting, or ineffective and will release a report on the findings no later than February 2016. Additionally, the White House plans to release a report this spring on the key priorities for cybersecurity research and development over the next three to five years.

The blog post also noted that the White House will not pursue public recognition as a means of incentivizing the private sector to adopt cybersecurity best practices or the NIST Cybersecurity Framework given that this could take away from the voluntary nature of the Framework. While Daniel did not mention liability protection as an incentive for greater information sharing in the blog post, it is still a possible incentive that the White House would support given that it was also included in the information sharing legislative proposal that the President released last month.

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

vonBriesen

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014). Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there may be a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered.” (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council.

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks“), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, was stolen.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.

Data Analytics as a Risk Management Strategy

Risk-Management-Monitor-Com

In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.

A Proactive Approach to Travel Risk Management

Risk-Management-Monitor-Com

An improving economy and updated business practices have contributed to companies sending more employees than ever on international business trips and expatriate assignments. Rising travel risks, however, require employers to take proactive measures to ensure the health and safety of their traveling employees. Many organizations, however, fail to implement a company-wide travel risk management plan until it is too late – causing serious consequences that could easily have been avoided.

The most effective crisis planning requires company-wide education before employees take off for their destinations. Designing a well-executed response plan and holding mandatory training for both administrators and traveling employees will ensure that everyone understands both company protocol and their specific roles during an emergency situation.

Additionally, businesses must be aware that Duty of Care legislation has become an integral consideration for travel risk management plans, holding companies liable for the health and safety of their employees, extending to mobile and field employees as well. To fulfill their Duty of Care obligations, organizations should incorporate the following policies within their travel risk management plan:

  • A customized policy specific to the organization and the specific needs of traveling employees.
  • Clearly communicated protocols that are enforced to help educate and protect the safety and health of traveling employees.
  • Response plans and procedures for handling medical/health emergencies.

Proactive Resources for Your Traveling Employees

A travel risk management strategy can only be successful if your workforce is given the necessary resources well before travel occurs. An important part of any travel risk management strategy involves answering common questions employees may have regarding their upcoming travels. It’s also a good idea to provide them with follow-up information so they can be up-to-date.

Not only will a company-wide proactive travel risk management plan empower employees with the information they need, but implementing such a plan can also help keep your company’s reputation and financial standing in check and prevent any liabilities against your business. The following resources can be useful as part of your overall travel risk management strategy:

  • Travel logistics such as hotel/meeting site location and reservations details, nearby pharmacies and medical clinics, and passport and/or visa arrangements. It is also crucial to share contact information in the event employees need help during an emergency – such as that of your travel assistance partner or internal emergency resources – and encourage them to add this information to their mobile phone contacts.

  • A medical overview is essential, especially if the host country requires visitors have documentation of specific vaccinations. Employees should understand and be up-to-date on all routine vaccinations (such as influenza, measles, and mumps). The CDC’s Travelers’ Health website has valuable information, such as worldwide health alerts, although a travel assistance partner can provide this information directly to your employees prior to travel. Additional insight your company can provide to traveling employees is information about health risks in their destination countries. This ensures employees are well aware of the quality of local food and drinking water as well as where to find quality medical care.

Also, since most health insurance plans do not cover members when they are traveling outside the U.S., businesses should purchase additional coverage. Even if their plans provide coverage outside the U.S., many health insurance policies aren’t able to mitigate all of the risks associated with business travel. It would only take one international medical evacuation (which can cost more than $100,000 from business hubs in Dubai, UAE to New York, or China to Texas) to make a serious impact, not just on your traveling employee but on your company as a whole.

  • A detailed synopsis of the destination’s political standing is crucial to keep your employees safe while traveling, as many regions of the world are experiencing political unrest and living under the very real threat of terrorism. It is important to ensure that your employee benefits package includes security coverage for employees traveling to high-risk areas.

Advance knowledge of the political status of a country will prepare employees should they face an unexpected issue abroad, as would these resources:

  • American embassies and consulates at the destination country, as well as the State Department’s emergency contact numbers.

  • Travel alerts, which provide information on risks to the security of U.S. citizens. Though usually short-term, these alerts must be taken seriously.

  • The State Department’s Smart Traveler Enrollment Program (STEP) is an extremely reliable resource that provides up-to-date location-specific security updates to any employee enrolled for the destination as well as information on the nearest U.S. Embassy. Enrollment also helps the nearest U.S. Embassy or Consulate contact your traveler in the event of an emergency.

Keep in mind that it is not just traveling employees – but also the employers – who need to be prepared for a travel-related emergency. Planning ahead and implementing company-wide crisis management education allows your workforce to be fully aware of the guidelines and protocols. Successfully mitigating a crisis without any communication missteps can prevent a crisis from spiraling into disaster.

SEC Commissioner Highlights Need for Cyber-Risk Management in Speech at New York Stock Exchange

Proskauer Law firm

Cyber risks are an increasingly common concern for businesses of all kinds.  In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

Commissioner Aguilar, in the speech delivered as part of the Cyber Risks and the Boardroom Conference hosted by the New York Stock Exchange’s Governance Services department on June 10, 2014, emphasized the responsibility of corporate directors to consider and address the risk of cyber-attacks.  The commissioner focused heavily on the obligation of companies to implement cybersecurity measures to prevent attacks.  He lauded companies for establishing board committees dedicated to risk management, noting that since 2008, the number of corporations with board-level risk committees responsible for security and privacy risks had increased from 8% to 48%.  Commissioner Aguilar nevertheless lamented what he referred to as the “gap” between the magnitude of cyber-risk exposure faced by companies today and the steps companies are currently taking to address those risks.  The commissioner referred companies to a federal framework for improving cybersecurity published earlier this year by the National Institute of Standards and Technology, which he noted may become a “baseline of best practices” to be used for legal, regulatory, or insurance purposes in assessing a company’s approach to cybersecurity.

Cyber-attack prevention is only half the battle, however.  Commissioner Aguilar cautioned that, despite their efforts to prevent a cyber-attack, companies must prepare “for the inevitable cyber-attack and the resulting fallout.”  An important part of any company’s cyber-risk management strategy is ensuring the company has adequate insurance coverage to respond to the costs of such an attack, including litigation and business disruption costs.

The insurance industry has responded to the increasing threat of cyber-attacks, such as data breaches, by issuing specific cyber insurance policies, while attempting to exclude coverage of these risks from their standard commercial general liability (CGL) policies.  Commissioner Aguilar observed that the U.S. Department of Commerce has suggested that companies include cyber insurance as part of their cyber-risk management plan, but that many companies still choose to forgo this coverage.  While businesses without cyber insurance may have coverage under existing policies, insurers have relentlessly fought to cabin their responsibility for claims arising out of cyber-attacks.  Additionally, Commissioner Aguilar’s speech emphasizes that cyber-risk management is a board-level obligation, which may expose directors and officers of companies to the threat of litigation after a cyber-attack, underscoring the importance of adequate D&O coverage.

The Commissioner’s speech offers yet another reminder that companies should seek professional advice in determining whether they are adequately covered for losses and D&O liability arising out of a cyber-attack, both in prospectively evaluating insurance needs and in reacting to a cyber-attack when the risk materializes.

Read Commissioner Aguilar’s full speech here.
