Tag: Insurance


Insurers: Retirement Plans Look Less Golden

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Mike Alix, Adam Gilbert, Armen Meyer, and Chris Joline.

Earlier this year, the Department of Labor (“DOL”) released a proposed regulatory package impacting the way investment advisors and brokers are compensated. [1] Under the proposal, recommendations to an employee retirement benefit plan or an individual retirement account (“IRA”) investor will be considered “fiduciary” investment advice, thus requiring the advice to be in the “best interest” of the client rather than being merely “suitable.” As a result, insurance brokers and agents who provide investment advice will face limits on receiving commission-based (as opposed to flat fee) compensation. [2]

Navigating the Cybersecurity Storm in 2016

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a summary of a Weil publication; the complete publication is available here.

“Our nation is being challenged as never before to defend its interests and values in cyberspace. Adversaries increasingly seek to magnify their impact and extend their reach through cyber exploitation, disruption and destruction.”

—Admiral Mike Rogers, Head of US Cyber Command September 9, 2015

A very recent article in the UK publication The Guardian, entitled “Stuxnet-style code signing of malware becomes darknet cottage industry,” [1] raises the specter of bad actors purchasing digital code signatures, enabling their malicious code to be viewed as “trusted” by most operating systems and computers. Two recent high profile hacks utilized false or stolen signatures: Stuxnet, the code used to sabotage the Iranian nuclear program, allegedly jointly developed by America and Israel, and the Sony hack which was allegedly perpetrated by the government of North Korea. Both of these instances involve sovereign states, with effectively unlimited resources.

Cybersecurity: Enter Insurance Regulators

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Chris Joline, Adam Gilbert, Joseph Nocera, and Armen Meyer.

Since issuing its Principles of Effective Cybersecurity last July, [1] the National Association of Insurance Commissioners (“NAIC”) has been making progress in the development of cybersecurity examination manuals. NAIC’s regulatory guidance is intended to help state insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to insurers, insurance producers, and related regulated entities (collectively, “Insurance Companies”).

Given the priority regulators are placing on cybersecurity (including NAIC’s Cybersecurity Task Force) and the continued occurrence of high profile data breaches, we expect that cybersecurity examinations will commence as early as 2016 and will be performed by insurance regulators as part of their standard three-year exam cycle. While NAIC’s examination manuals will act as guidelines for state regulators, actual regulation will vary by state. Thus, Insurance Companies should be tracking state regulatory developments to ensure that their cybersecurity programs are rigorous and all-encompassing.

Boardroom Perspectives: Oversight of Material Litigation in Four Practical Steps

Jeff G. Hammel is a partner and member of the Litigation Department at Latham & Watkins LLP. This post is based on a Latham publication by Mr. Hammel, Steven B. Stokdyk, Joel H. Trotter, and Jenna B. Cooper.

Public companies in the United States are subject to litigation in various areas, including shareholder litigation, government investigations and enforcement actions, environmental litigation, and intellectual property disputes. While certain litigation may be frivolous or merely routine, other claims may be costly and potentially damaging to the company’s bottom line, reputation, or both. It is important that boards be equipped to manage and mitigate risks associated with litigation deemed material to the company. The following tips are designed to give boards a framework from which to approach litigation oversight.

D&O Liability: A Downside of Being a Corporate Director

Alex R. Lajoux is chief knowledge officer at the National Association of Corporate Directors (NACD). This post is based on a NACD publication authored by Ms. Lajoux. This post is part of the Delaware law series, which is cosponsored by the Forum and Corporation Service Company; links to other posts in the series are available here.

One of the few downsides to board service is the exposure to liability that directors of all corporations potentially face, day in and day out, as they perform their fiduciary duties. The chance of being sued for a major merger decision is now 90 percent; but that well known statistic is just the tip of an even larger iceberg. The Court of Chancery for the state of Delaware, where some one million corporations are incorporated (among them most major public companies), hears more than 200 cases per year, most of them involving director and officer liability. And given the high esteem in which Delaware courts are held, these influential D&O liability decisions impact the entire nation.

This ongoing story, covered in the May-June issue of NACD Directorship magazine, recently prompted the National Association of Corporate Directors (NACD) to take action. Represented by the law firm Gibson Dunn & Crutcher LLP, NACD filed an amicus curiae (“friend-of-the-court”) brief in the matter of In re Rural/Metro, a complex case likely to continue throughout the summer. Essentially, the Court of Chancery ruled against directors and their advisors, questioning their conduct in the sale of Rural/Metro to a private equity firm.

What’s New in 2015: Cybersecurity, Financial Reporting and Disclosure Challenges

The following publication comes to us from Weil, Gotshal & Manges LLP and is based on a Weil alert; the complete publication, including footnotes, is available here.

As calendar-year reporting companies close the books on fiscal 2014, begin to tackle their annual reports on Form 10-K and think ahead to reporting for the first quarter of 2015, a number of issues warrant particularly close board and management attention. In highlighting these key issues, we include guidance gleaned from the late Fall 2014 programs during which members of the staff of the Securities and Exchange Commission (SEC) and other regulators delivered important messages for companies and their outside auditors to consider. Throughout this post, we offer practical suggestions on “what to do now.”

While there are no major changes in the financial reporting and disclosure rules and standards applicable to the 2014 Form 10-K, companies can expect heightened scrutiny from regulators, and heightened professional skepticism from outside auditors, regarding compliance with existing rules and standards. Companies can also expect shareholders to have heightened expectations of transparency fostered by notable 2014 events such as major corporate cyber-attacks. Looking forward into 2015, companies will need to prepare for a number of significant changes, including a new auditing standard for related party transactions, a new revenue recognition standard and, for the many companies that have deferred its adoption, a new framework for evaluating internal control over financial reporting (ICFR). The role of the audit committee in helping the company meet these challenges is undiminished—and perhaps, in regulators’ eyes, more important than ever.

Changing the Cyber Security Playing Field in 2015

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo; the complete publication, including footnotes, is available here.

“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working—and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”

— Author Brian Krebs, Dec. 20, 2014.

“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”

— Professor Bruce Schneier, Dec. 19, 2014.

Without a doubt, the last month in the world of cyber security has been tumultuous. It has now been confirmed that two companies in the United States have potentially been the subject of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have both iterated similar messages: it is time for U.S. corporations to take this stuff seriously.

The Importance of a Battle-Tested Cyber Incident Response Plan

The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on a Weil Alert authored by Mr. Ferrillo.

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014. [1]

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014. [2]

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014. [3]

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. [4] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems [5] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?

Cyber Security, Cyber Governance, and Cyber Insurance

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and Christine Marciano, President of Cyber Data Risk Managers.

JP Morgan Chase. Community Health Systems. The Home Depot. Kmart. There has been no shortage of data breaches in recent weeks—with new developments on an almost daily basis. The age of cyber hacktivism, cyber extortion, and cyber terrorism is here, and it is not going away any time soon.

Data security issues are no longer just an IT Department concern. Indeed, they have become a matter of corporate survival, and therefore companies should incorporate them into enterprise risk management and insurance risk transfer mechanisms, just as they regularly insure other hazards of doing business. As the number of data breaches has increased, demand for cyber insurance has likewise increased dramatically, more than for any other insurance product in recent years. Every board of directors should be questioning its officers and management as to “whether or not its company should be purchasing cyber insurance to mitigate its cyber risk.” If management answers, “Oh, it costs too much,” or “Oh, it will never pay off,” second opinions should be obtained. Rapidly. Because neither answer is correct.

Update on Directors’ and Officers’ Insurance in Bankruptcy

The following post comes to us from Douglas K. Mayer, Of Counsel in the Restructuring and Finance Department at Wachtell, Lipton, Rosen & Katz, and is based on a Wachtell Lipton memorandum by Mr. Mayer, Martin J.E. Arms, and Emil A. Kleinhaus.

Directors’ and officers’ (“D&O”) insurance coverage continues to represent a key element of corporate risk management. See memo of July 28, 2009. A decision in the bankruptcy of commodities brokerage MF Global, In re MF Global Holdings Ltd., No. 11-15059 (S.D.N.Y. Sept. 4, 2014), provides a recent illustration of how D&O insurance may be treated upon the bankruptcy of the insured company, depending on the specific structure and terms of the insurance at issue.