Management Liability, Cyber Liability and Data Security

willistowerswatson.com Church Benefits Association Management Liability, Cyber Liability and Data Security Discussion December 3, 2019


Page 1: Management Liability, Cyber Liability and Data Security

willistowerswatson.com

Church Benefits Association

Management Liability, Cyber Liability and Data Security Discussion

December 3, 2019

Page 2

Session Agenda

• Introductions and Purpose

• WTW and our Background

• FINEX Practice Introduction

• Network Security and Data Privacy

• Insurance and Related Topics

• Cyber Quantified – Limit Benchmarking

• Third Party Vendor Concerns

• Fiduciary, Directors & Officers and Asset Management Liability

• Claims Drivers and Market Conditions and Industry Trends

• Questions & Answers


Page 3

Who We Are

© 2019 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.

Page 4

Who We Are


What we do:

Our Corporate Risk & Broking (CRB) segment provides a broad range of risk advice, insurance brokerage and consulting services to clients worldwide. The segment delivers integrated global solutions tailored to our clients’ needs and supported by data and analytics.

Why we’re different: Under the umbrella of Willis Towers Watson, we bring:

• An integrated team of subject matter experts from across our business segments that delivers a holistic view of risk, risk mitigation and management.

• Interconnected business segments across all geographies that ensure ready access to the vast array of our solutions and our expertise.

• Innovation and insight through the active engagement of our colleagues across disciplines, geographies and lines of business. We encourage our teams to ask the unanswered questions that can make new connections and uncover valuable solutions for our clients.

CRB globally generated approximately 33% of Willis Towers Watson total revenues, with segment revenues of $2.7BN in 2017.

The WTW CRB international network is comprised of 400 offices in over 140 countries and services over 4,000 multinational clients.

CRB North America is fully supported by the backing of the full bandwidth of Willis Towers Watson, as one company, bringing over 45,000 global colleagues and $23BN in annual premium placed.

NA Employees: We have approximately 3,400 colleagues located in 113 offices across 34 states.

Thousands of clients in 29 diverse industries.

Page 5

FINEX Practice


• $1B+: Assisted clients in claims recoveries of over $1 billion in 2017

• 10,000+: Number of clients that use WTW to secure D&O, E&O, Cyber, EPL, Crime or Fiduciary insurance

• Expertise: Product Leaders in all key FINEX products: D&O, E&O, Crime, Cyber, EPL, Fiduciary

• D&O Quantified and Cyber Quantified: New D&O and Cyber proprietary analytical tools

• $3B+: Global FINEX insurance premium placed annually in the market

• 60%: Annual growth in Cyber Insurance

• Combining global, industry expertise with a wealth of FINEX broking experience

• 18+ years: Average tenure of our Claims & Legal Advocacy team. 100% are attorneys

• 145+ Professionals: Dedicated FINEX associates in N. America; 500 Globally

• 120+: Number of Countries where WTW has offices

• Peer Review Process: At least five team members review every policy for our clients

Page 6

Cyber Security & Vendor Review Protocols


Page 7

Cyber Threat Environment

Cloud or 3rd Party Compromise

Malicious Insider

Hacktivists

Criminal Hackers

Negligent Insider

Access controls and behavior monitoring insufficient to detect insider threats

Unwary insiders susceptible to attacks that exploit traditional security controls (e.g. spear phishing)

Users who fail to embrace “culture of security” will find ways to circumvent ‘inconvenient’ security controls

Patience is a virtue. Tactics have evolved from “hit and run” to “infiltrate and stay.”

Industrialization - Black markets exist for all types of personal information

Proliferation of mobile platforms and BYOD policies creates new vectors

Growing incentive for insiders to abuse access to sensitive data for financial gain

Disgruntled current and former employees exploit back-doors

Intent is to disrupt and/or embarrass a target

Motivations are fickle and unpredictable

Massive DDoS attack

Theft of Intellectual Property

Security compromise – loss of sensitive client data

Infrastructure downtime may lead to Dependent Business Interruption claim


Page 8

CLG Proprietary Cyber Claims Data

Willis Towers Watson 2017-18 Reported Cyber Claims Index

[Chart: percentage of reported claims by type of loss, with the share attributable to the human element highlighted; the individual percentages are not legible in the extracted text]

Types of loss shown: Accidental disclosure; Social engineering; Rogue employee; Stolen/lost device; Ransomware; Physical theft of data; Hack; Business interruption; Website cloning/damage/malicious; Computer/CPU; Cyber extortion (not ransomware); Virus transmission; Theft of monies (electronically); Other

Page 9

The human element: People are #1 source of cyber incidents

Source: 2017 Willis Towers Watson claims data

Percentage of claims by breach type:

• Employee negligence or malfeasance (e.g., accidental disclosures, lost or stolen device, rogue employee): 58%

• Ransomware / Hack: 23%

• Social engineering resulting in data theft or funds transfer: 10%

• Denial of service: 7%

• Unknown: 2%

Employee negligence or malicious behaviors are the most common source of cyber incidents. The workplace is thus a major influence in mitigating cyber risk, using all the tools at an organization’s disposal, such as:

• Strong employee experience & engagement

• Effective recruitment, onboarding, and induction

• Targeted training, compliance, and incentive policies

Page 10

Costs and Retentions

As ransomware incidents across all industries increased dramatically in terms of frequency and magnitude in 2019, coupled with potential losses from high profile breaches, we are starting to see an uptick in premiums across the globe.

This premium increase has largely been driven by the explosion of ransomware losses during the second half of 2019, which went from $500,000 or less per loss to well over $1,000,000 per loss.

As losses and potential losses rack up from several large breaches over the past year, carriers have been reevaluating their positions in large towers and looking more closely at rates in perceived “burn layers.”

Carrier focus for excess layers revolves around obtaining adequate premium for perceived risk. There is no longer competition to get on excess towers, especially if pricing is considered “too thin.”

Carriers continue to focus on better management of limits deployed on programs, with many offering no more than $10 million on a given placement. Some carriers will consider deploying additional limits but may require significant retentions or ventilation to do so.

Capacity

Cyber capacity is starting to tighten, as insurance claims and losses continue to rise, especially with regard to ransomware as discussed above.

According to the 2018 Cost of a Data Breach Study from the Ponemon Institute, the cost of data breaches continues to increase year-by-year, with reputational and regulatory costs identified as the main drivers of the increase for 2018. In 2018, the average cost of a data breach globally was US$3.86 million – a 6.4% increase from 2017. This was due to so-called “megabreaches,” where 1–50 million records are compromised, resulting in losses between US$40 million and US$350 million.

According to the 2019 Cyber Risk Outlook, prepared by the University of Cambridge, incident response costs are also driving the increase in the cost of data breaches. As the cyber threat landscape becomes more complex and demand for cyber security resources increases, the costs of remediating data breaches, particularly for large-scale events, have increased.

The human element continues to be the leading cause of cyber loss, representing 61% of the claims included in our 2017-18 Reported Claims Index.

Certain carriers are adjusting their ransomware coverage appetites and considering sub-limits and co-insurance alternatives.

Coverage

Coverage continues to evolve and expand to cover regulatory risk, reputational damage, forensic accounting and gap exposures.

The E.U. General Data Protection Regulation (GDPR) went into effect in May 2018, and the California Consumer Privacy Act will go into effect in 2020. We have seen cyber markets more affirmatively address coverage for claims stemming from the GDPR and for claims anticipated under the California Consumer Privacy Act. Markets are also offering expanded wrongful collection and “compliance” coverage largely in response to these regulations.

Business interruption/system failure continues to be an area of concern for underwriters. Very exposed industry classes, such as aviation, manufacturing and transportation, have seen increased underwriting scrutiny. While the coverage remains available, certain industries will experience significant premium increases to obtain or retain the coverage.

Cyber underwriters are working more closely than ever with their counterparts in other lines. Cyber and property underwriters in particular are combining forces as carriers continue to expand their coverage offerings in business interruption. Given the experience and understanding of how business interruption losses play out, it is a natural pairing that should help cyber underwriters understand what they face in claim scenarios. Notwithstanding this cooperation, we are seeing carriers withdraw or limit cyber coverage in non-cyber insurance lines due to concern over aggregation.

Markets

Carriers are exploring data analytics partnerships with InsurTech and FinTech firms in an effort to gather and optimize exposure data, allowing underwriters to assess how organizations and their employees handle sensitive data. Underwriters want to understand an organization’s cyber culture; this can offer opportunities for buyers to differentiate themselves if they are developing holistic approaches to cyber risk across people, capital and technology.

Carriers continue to accept manuscript applications and conference calls in lieu of standard applications. This has led to more market interest due to the increased amount of information provided.

State of the Cyber Insurance Market


Page 11

Cyber insurance - core coverage

Liability coverage

Privacy liability

Liability associated with your inability to protect personally identifiable information or corporate confidential information of third parties. The information can be in any format and breached intentionally or negligently by any person, including third party service providers to which you have outsourced information. Third party service providers include, but are not limited to, IT service providers.

Network security liability

Liability costs associated with your inability to prevent a computer attack against your computer network.

Media liability

Tort liability associated with content you create or distribute, or that is created and distributed on your behalf, including social media content.

Regulatory fines

Fines assessed by a regulatory body due to your data breach.

Direct (Loss mitigation coverage)

Breach response costs

Direct costs expended to mitigate a privacy breach. Costs typically include public relations expenses, notification, identity theft restoration, credit monitoring services and forensic/remediation expenses.

Direct (First party coverage)

Income loss/extra expense

Income loss/extra expense associated with your inability to prevent a disruption to your computer network caused by a computer attack or programming or software failure either:

1. on your network, or

2. at your IT service provider hosting your application.

Data reconstruction

Your costs to recreate or recollect data lost, stolen or corrupted due to your inability to prevent a computer attack against your computer network.

Extortion costs

Your costs expended to comply with a cyber extortion demand.


Page 12

Cyber Risk Gaps in Traditional Insurance

What are the gaps to consider when dovetailing cyber/privacy insurance with traditional insurance?

[Chart: coverage gap matrix; only the legend label “No Coverage” is recoverable from the extracted text]

Page 13

Cyber Liability Insurance Pays

Partnership

Most Cyber Liability insurers offer their policyholders a choice of breach response services, typically from a list of pre-approved vendors. Many allow the policyholder’s own choice of vendor.

Most insurers also grant policyholders access to a complimentary cyber risk management portal that includes the most updated information on emerging cyber threats and the latest reports on risk mitigation measures and practices.


Page 14

What is Cyber Quantified?

Cyber Quantified is a global cyber risk quantification tool, using predictive modeling techniques based on various Industry data sources such as Risk Based Securities and Standard & Poor’s, integrated with our industry leading Cyber expertise.

Cyber Quantified provides estimates of frequency and severity for both privacy breach and network outage incidents.

This proprietary tool provides concrete decision support to clarify your insurance choices and guide you to your client’s optimal risk mitigation strategy.

Key Benefits to Clients

The most comprehensive quantification of Cyber Risk: Frequency and Severity of both privacy breach and network outage.

Provides decision support to drive risk financing strategy and evaluation of specific options.

Sensitivity testing promotes a better understanding of risk and how the exposure profile should be presented to the insurance marketplace.

Concise and impactful output for communication with internal stakeholders.

FINEX analytical tools

Cyber Quantified – http://willis.com/coreanalytics/cyber.html


Page 15

Cyber Quantified Breach Risk Detail


Inputs

Page 16

Cyber Quantified Breach Risk Detail


Breach Costs: 25,000 PII Records

Page 17

Cyber Quantified Breach Risk Detail


Breach Costs (per record): 25,000 PII Records

Page 18

Cyber Quantified Network Outage


Industry Frequency & Costs Calculator

Page 19

Vendor Management and Protocols


Page 20

Is your company equipped to face the threat of third-party data breaches?

• 57% of American companies experienced a data breach caused by a third party or vendor

• 75% say third-party data breach incidents are on the rise

• 22% didn’t know if they had been impacted by a third-party data breach over the past year

Page 21

What is Third-Party Risk Management?

The management of risk presented to your organization, your data, your operations and your finances by parties OTHER than your own company.

Example Vendors/Suppliers: Telecommunications; Cloud Services; Food & Beverage; Utilities; Shredder Services; Data Management; Web/UI Designer; App Development; Landscaper; Cleaning Service; External Legal Counsel; CRM; Risk Management; Insurance Provider; Payment Processor; Compliance Audit

Page 22

What potential risks might arise from third-party relationships?

• Strategic

• Reputational

• Operational

• Transactional

• Credit

• Compliance

Cyber risk impacts all of these broad risk categories.

Page 23

What are my responsibilities around Third-Party Risk Management?

“The key to the effective use of a third party in any capacity is for the organization to appropriately assess, measure, monitor, and control the risks associated with the relationship.”

FDIC GUIDANCE FOR MANAGING THIRD-PARTY RISK

A breach of your third party is a breach of your enterprise. How is your level of trust?

Page 24

Third-Party Cyber Risk Assessment


Provides visibility into the cybersecurity posture of your third-party vendors or vendor candidates and the risk each relationship presents to your business operations

Strengthens the RFP process by prioritizing vendor candidates in order of cybersecurity maturity, effectively supporting the procurement and selection process

Supports the insurance placement/renewal process by evaluating key risks of your chosen vendors and their willingness to take recommended cybersecurity actions

Available in three delivery tiers that can be scoped, tailored, and priced to meet individual client requirements

Time to completion: 1-2 weeks (Tier 1), 3-4 weeks (Tier 2), 4-6 weeks (Tier 3)

Engagement Can Be Customized to Include Any or All of the Following:

1. Online Survey: Survey-based assessment of an organization’s vendors or vendor candidates’ current cybersecurity maturity mapped to the NIST CSF or ISO 27001.

2. Cross-Functional: Survey completed by up to six key stakeholders at each vendor or vendor candidate, providing an array of perspectives on mission critical functions (e.g., CISO, CIO, CRO, CFO, HR, Legal).

3. Research & Analysis: Research on each vendor or vendor candidate’s public profile, business functions, and cyber risk exposures. One-to-one interviews with vendor/vendor candidate’s key stakeholders.* (*Tier 3 option only.)

4. Document Review: Review of key cyber risk management documents (e.g., information security policies, incident response plans, and business continuity plans).

5. Workshop: Four-hour client workshop* to develop (1) an action plan to address vendor cyber issues; or (2) consensus and security posture-based shortlisting of three vendor candidates. (*Tier 2 virtual or Tier 3 onsite consultation options only.)

6. Final Report: Includes Board-level ready executive summary, consolidation and reporting of project findings, and prioritized recommendations.

Page 25

Fiduciary, D&O and Asset Management Discussion


Page 26

State of the Fiduciary Insurance Market 2019

Capacity: Ample

Coverage: Broad

Claims & losses: Concerning trends

Premiums & retentions: Stable to increasing

Markets: Stable

Claims & losses

Excessive fee litigation continues to dominate the exposure, driving severity and client views of appropriate program size.

Trouble spots:

Asset managers: Asset managers with proprietary funds within their plans face challenging renewals.

Universities: A spike in 403(b) fee cases has carriers concerned.

ESOPs: No presumption of prudence when investing in employer securities.

Regulatory uncertainty:

Will SEC’s proposed Regulation Best Interest replace the DOL’s now vacated Fiduciary Rule?

Increased IRS compliance exposure w/o validating periodic Determination Letters.

Federal deregulation could mean more, not less, as states fill perceived gaps.

Coverage (Broad/Stable)

ESOP exposures continue to give carriers pause, but as a loss driver, ESOPs have been relatively quiet. (Note: Jander v. Retirement Plans Committee of IBM could bring them back.)

Broad range of sublimited coverage for fines and penalties.

No significant restrictions or material changes in the scope of coverage offered outside of the “Trouble spots” (see Claims & losses above).

Regulatory dynamics, including those around privacy like GDPR, may drive innovation, but we have seen less carrier innovation in fiduciary liability than elsewhere in financial lines.

Markets

Notwithstanding recent insurer M&A activity, the fiduciary market largely remains competitive.

Over $500M in advertised capacity.

AIG, Chubb and Travelers continue to lead most programs, private and public, with a collective 40% market share.

AXIS, Hartford, Berkshire, CNA and AXA XL also have a significant presence.

For private companies, Fiduciary is often bought in a package format with D&O and/or EPL and it may not be the product that drives carrier choice.

For larger, or public, companies, fiduciary limits are occasionally blended with EPL and/or crime coverage.

Competitive and largely aligned behind leaders on primary pricing and terms.

Could see competitive market play out on sublimits for fines and penalties.

Willingness to write or to offer innovative solutions for ESOPs and Trouble Spots could differentiate a carrier.

Premiums & retentions

Premiums and retentions are generally flat.

Excess rates remain very competitive.

Material changes in plan assets, specifically employer stock, may result in potential increases in premiums and retentions for securities claims (for public companies with such exposure).

For Trouble Spots, expect any of the following: upward rate pressure, excluded risks, increased retentions, and sublimits.

Church, university and public entity plans may see upward rate pressure.

Some carriers warned they will not consider fiduciary liability for larger universities or asset managers with proprietary funds unless a fee claim is already in.

Page 27

Fiduciary Liability In 2019: Top issues to watch

Fee Cases

Observation: Excessive fee litigation continues to dominate the exposure, driving severity and client views of appropriate program size. It has spawned a cottage industry in the plaintiff bar.

Concern: Dominant driver of losses. Concern that this litigation wave will spread to smaller plans and broader activities.

Firming Markets

Observation: Markets have continued to firm and may do so further.

Concern: 2019 may be a challenging renewal year. While Fiduciary Liability insurance is likely to feel less pressure than other lines, the firming has impacted carriers’ willingness to take on more challenging fiduciary risks.

Regulatory Uncertainty

Observation: On deck, a new SEC set of rules and multiemployer plan expansion, and the Retirement Enhancement and Savings Act may have bipartisan support. Will states act to fill perceived federal gaps (as Massachusetts and New Jersey have)?

Concern: New rules, change and Balkanization of regulation all increase risks.

Jury Trials

Observation: Cornell’s request for certification of an interlocutory appeal from a motion granting in part and denying in part Cornell’s motion to strike a jury demand was denied (by the same judge that effectively granted plaintiffs a right to trial by jury).

Concern: Jury trials could undermine recent defense successes and substantially increase the litigation severity.

Privacy

Observation: The General Data Protection Regulation going into effect was monumental. California passed a similar law that will go into effect next year.

Concern: Uncharted territory that could extend to fiduciaries. Hard to comply with uncertainty. How does GDPR impact fiduciary liability? This could also be a cyber issue, too.

ESOPs

Observation: Fifth Third Bancorp v. Dudenhoeffer tempered ESOP litigation, but a recent denial of a motion to dismiss in Jander v. Retirement Plans Committee of IBM (2nd Cir. 2018) may have given ESOP suits new life.

Concern: Before fee cases, ESOP suits drove fiduciary liability losses. This could be impactful.

Proprietary Funds

Observation: Asset managers with proprietary funds within their plans face challenging renewals.

Concern: Some carriers warned they will not consider fiduciary liability for asset managers with proprietary funds unless a fee claim is already in.

University Fee/403(b)

Observation: Cornell’s motion to strike a jury demand was partially denied.

Concern: Carriers are focused on this risk and many have limited to no appetite for it unless a fee claim is already in.

Page 28

Key Loss Drivers

Fee cases continue: Settlements now total $505 million, over half a billion dollars!

Tibble, the case that established critical Supreme Court precedent, settled for $5.6 million in addition to a judgment of $7.5 million and payment of legal fees of $5.8 million ($18.9 million total)

Fujitsu reached a settlement for a claim of imprudent design of its target date funds for $14 million

Allianz reached a settlement for claims of conflicted funds for $12 million

Over 50 suits are pending (at least 35 against corporate employers and 17 against universities and other not-for-profits), with several suits surviving recent motions for dismissal

4 suits against GE with other suits being filed against a teamster plan and very small plans

Important First Circuit dismissal of suit against Fidelity challenging stable value fund

Six suits challenging managed account fee sharing have been dismissed, while one remains pending


2018 Top 10 ERISA class action settlements

1. $63.0m Mercy Health: Did plan qualify for church-plan exemption?

2. $62.5m Hospital Sisters Health System: Alleged underfunding due to church-plan status.

3. $30.0m Liberty Mutual Retirement Benefit Plan: Class arising from pre-acquisition pension credit claims.

4. $29.5m Wheaton Franciscan: Challenged church-plan status.

5. $25.0m Wawa Inc.: Lost ESOP benefits.

6. $25.0m Continental Casualty Co.: Cancelled an annuity contract in the plan’s investment menu.

7. $24.0m BB&T Corp.: Alleged self-dealing associated with fees earned on poorly performing proprietary funds.

8. $21.9m Deutsche Bank: Alleged high costs associated with proprietary funds within their plans.

9. $17.0m Philips North America: Alleged breach of fiduciary duty relating to 401(k) investment options.

10. $15.4m California Field Ironworkers Pension Trust: Alleged a secret amendment to the plan to prevent benefits from accruing after age 65.

“ERISA itself represents a highly dense regulation, and claims arising from it are equally complex. That a plaintiff might not fully understand the facts and legal theories of this complex ERISA action is understandable.”

U.S. District Judge Charles A. Pannell Jr. in granting class certification in a notable 403(b) case

Page 29

Fiduciary Liability Claims, legal and emerging trends summary

Why should clients care?

• 5th Circuit fully invalidated the DOL’s Fiduciary Rule

• Tibble fallout: continuous duty to monitor

• Fee case settlements exceed $505m

• IRS: phase out of safe harbor process

• Regulatory uncertainty extends to privacy

• Sexual orientation Title VII protection. New employee benefits liability?

• Balkanization of enforcement as others fill in for less federal regulation

• Over 50 fee suits pending

• Add $28 per day/employee in § 209(a)(1) penalties

• Wage & Hour ERISA violations

Page 30

Fiduciary Liability

Noteworthy losses / decisions / disruption

Duty to Defend-Insurance-Negligence: Scottsdale Insurance Company v. Timothy L. Byrne, et al., (1st Cir. 2019). A business and management indemnity insurance policy’s professional services exclusion (with “professional services” construed narrowly) and ERISA exclusion (which did not apply to an action for common law negligence) did not relieve the insurer of its duty to defend.

SEC takes on fees, too: In December, the SEC issued letters as part of its new investigations into advisory firms that did not self-report that they failed to disclose conflicts of interest associated with the receipt of 12b-1 fees when a lower-cost share class of the same mutual fund was available for the advisory clients. The December letters reflected the requests extended beyond 12b-1 fees to revenue sharing.

SEC Proposed Best Interest Package: (i) Regulation Best Interest; (ii) Proposed Commission Interpretation Regarding Standard of Conduct for Investment Advisers; Request for Comment on Enhancing Investment Adviser Regulation (“Investment Adviser Standard”), and (iii) “Form CRS Relationship Summary; Amendments to Form ADV; Required Disclosures in Retail Communications and Restrictions on the use of Certain Names or Titles” (“Form CRS”). The package encompasses the SEC’s alternative to the DOL’s vacated Fiduciary Rule.

DOL Proposed Multiemployer Plan Expansion: The DOL proposed a rule that would expand the use of open multiple employer plans. Benefits small business and professional employer organizations.

New Basis for claims: Based on allegations of unreasonable actuarial equivalent factors, including “outdated” mortality tables, when calculating plan benefits payable in various annuity forms of distribution or at early retirement. Masten, et al. v. Metropolitan Life Insurance Company, et al., (S.D.N.Y. Dec. 3, 2018), Martinez Torres, et al. v. American Airlines, Inc., et al., (N.D. Tex. Dec. 11, 2018), DuBuske, et al. v. PepsiCo, Inc., et al., (S.D.N.Y. Dec. 12, 2018), and Smith, et al. v. U.S. Bancorp, et al., (C.D. Minn. Dec. 14, 2018).

Chamber of Commerce of the USA, et al. v. U.S. Department of Labor, et al., (5th Cir. 2018). Vacated the “Fiduciary Rule” promulgated by the Department of Labor (DOL) in April 2016. Decided on March 15, 2018. Mandate issued June 21, 2018.

Janus v. Am. Fed'n of State, Cty., & Mun. Emps. (SCOTUS, decided June 27, 2018). States and public-sector unions may no longer extract agency fees from nonconsenting employees.

White, et al. v. Chevron, et al. (9th Cir. 2018). The allegations showed only that Chevron could have chosen different investment vehicles that performed better during the relevant period, or could have sought lower fees for administration of the fund; that was not enough to make it more plausible than not that any breach of fiduciary duty had occurred. The court also dismissed the failure-to-monitor claim arising from the Vanguard in 2002 as time-barred, since the action was not commenced until 2016.

GDPR and privacy regulation?: Plans hold a significant amount of private data on participants and beneficiaries. Some participants may be located in the European Union. That raises the question of how the EU's General Data Protection Regulation ("GDPR") will apply to US benefit plans.

Trial by jury? Cunningham v. Cornell University: a September 6, 2018 decision in the Cornell 403(b) case denied (in part) the defendants' motion to strike the jury demand. Plaintiffs definitely won this battle.


Page 31: Management Liability, Cyber Liability and Data Security


FINEX Insurance Market Conditions

D&O/E&O

Capacity: Abundant
Coverage: Evolving
Claims & losses: Concerning trends
Premiums & retentions: Stable to increasing
Markets: Transitioning

Increasingly regulated global environment creating greater risk of regulatory and follow-on civil claims against asset managers.

Regulatory actions, violations of section 36(b) and Cost of Corrections continue to dominate claims activity.

401(k) excessive fees/suitability cases resulting in significant losses, negatively impacting renewals of Fiduciary Liability programs, including blended programs that include Fiduciary Liability coverage.

Insurers continue to try to differentiate themselves via broader coverage offerings, including:

• Pre-Claim coverage and, increasingly, informal investigations.

• Cyber extensions are available from some insurers.

• “Mock Audit” coverage is available from some insurers, which reimburses the Insured a percentage of its premium to cover the costs of conducting a mock regulatory audit.

A general abundance of capacity in the US is keeping rates more competitive for asset managers than other financial institution sub-industries.

The London market is slightly more challenged, with insurers reducing capacity for distressed insureds and/or where there is claims activity.

Asset management is still the area that most carriers are looking to grow with many offering new policy forms and/or coverage enhancements.

Old Republic is currently an excess asset management market and is expected to release its primary asset management policy form in Q1 2020.

Key primary markets (AIG, Chubb, HCC, AXA XL, Berkshire Hathaway) continue to aggressively push rate increases.

Other primary and excess markets have largely aligned behind those key markets on pricing and terms.

Some insurers are voluntarily exiting programs they deem too thinly priced, possibly creating a more challenging renewal process.

Breaking relationships with long-term insurance partners on a primary and/or excess basis may be required in order to mitigate any applicable premium increases.

Nevertheless, competitive coverage is still available and there remain opportunities for enhancement.

Primary programs generally renewing flat for middle market asset managers, while larger asset managers are generally experiencing increases up to +7.5% depending on AUM change, investment strategy, performance and/or claims.

The London market is generally applying increases across the board, ranging from 2-5% for middle market and 5-15% for larger asset managers.

Most excess insurers are acting in lock-step and following any underlying premium increases.

Retentions generally remaining flat unless risk profile warrants an adjustment; some insurers may offer a flat premium renewal in exchange for an increase in retention.

Page 32: Management Liability, Cyber Liability and Data Security


Directors & Officers Liability leading loss driver

Federal securities class actions


[Chart: Number of SCA filings by year, 2010 to 2018, split into non-M&A and M&A filings, with total SCA filings and a linear trend line (as of January 2019).]

Additional Insights

• 2018 securities class action filings involved approximately 7.5% of 5,350 publicly listed companies.

• M&A filings had a much higher rate of dismissal (86%) vs. non-M&A filings (47%).

• Severity indicators point way up.

• The Cornerstone Disclosure Dollar Loss measure ranks 2018 as the highest ever.

• $939 billion in "NERA-defined" investor losses, more than double any prior year and nearly 4X the five-year average of $245 billion.

[Chart: Average and median securities class action settlements by year, 2010 to 2018, in million US$, with a linear trend of the annual average (as of January 2019).]

Notes: (i) The 10-year average reflects a modest increase in filings. (ii) This commonly-cited, simplistic measure should not be taken as a meaningful indicator of any specific company's risk. (iii) Filings are based on Cornerstone's Securities Class Action Filings: 2018 Year in Review; settlements are based on NERA's Recent Trends in Securities Class Action Litigation: 2018 Full-Year Review.

Page 33: Management Liability, Cyber Liability and Data Security


Directors & Officers Liability in 2019

Top issues to watch

Securities Class Actions
Observation: 403 filings in 2018 is 210 above the 1996-2016 average. Merger objection claims were nearly half of all filings, but 2018's non-M&A claims (214) are still near all-time highs.
Concern: SCAs, the classic D&O severity claim, have long been a litmus test for overall D&O market loss expectations.

Privacy
Observation: The General Data Protection Regulation going into effect was monumental. California passed a similar law that will go into effect next year. High-profile SCAs (Facebook, Nielsen) have been filed alleging poor disclosure.
Concern: Uncharted territory. Hard to comply with uncertainty.

Cyber Insecurity and Data Breaches
Observation: 2018 brought cyber to the SCA world. Altaba (f/k/a Yahoo!) settled a data breach-related suit for $80M, and settled the related SEC enforcement action for $35M. Marriott, Chegg, Huazhu and Alphabet (Google) were also sued.
Concern: Likely to only get worse, with the SEC spending more on cyber and rating agencies now considering cyber insecurity. Meanwhile the risks keep morphing.

Revelations of Sexual Misconduct
Observation: 2018 saw high-profile sexual misconduct scandals with material financial implications that resulted in D&O claims, both SCA and derivative. Social media campaigns also resulted in employee movements over failures to address harassment allegations.
Concern: Tip of the iceberg? Hard to see these coming. Some involved decades of alleged behavior.

Social Media
Observation: Social media has connected the disenfranchised. That collective voice can turn seemingly manageable issues into a material financial concern.
Concern: A viral campaign can have devastating consequences for targets. Its impact may be much faster than litigation, and a social media movement has no protection for the innocent. Where legacy issues recently became public, claims-made coverage can fall short if not fixed.

Event Driven Filings
Observation: A broad category of claims not driven by financial reporting or accounting. They could arise from wildfires, airline crashes, cyber breaches, emissions disclosures and #MeToo scandals. Potential new sources: privacy compliance and ESG (environmental, social & governance).
Concern: Uncertainty and unpredictability make these harder to underwrite. ESG is also getting more attention.

SEC Enforcement Action Rebounds
Observation: 821 SEC enforcement actions in FY2018 vs. 754 in FY2017 (+9%). 71 involved new actions against public companies.
Concern: The drumbeat to hold individuals accountable will likely get louder as we get closer to the next presidential election. (Note: today's policies cover 2020 risks.)

Firming Markets
Observation: Markets have continued to firm and may do so further.
Concern: 2019 may be a challenging renewal year.

Page 34: Management Liability, Cyber Liability and Data Security


Directors & Officers Liability

Claims, legal and emerging trends summary


• 403: near-record number of SCA filings.

• 190 companies went public in 2018, up 19%; proceeds up 32% to $47 billion.

• Privacy compliance is already drawing SCAs.

• M&A volume up 8% YoY.

• SCA severity up 152%: Cornerstone's Disclosure Dollar Index® hits its highest point ever.

• Firming market: pressure on rate and terms.

• Cyan fears stoke a challenging D&O-for-IPOs market.

• ESG: a new priority for investors.

• Event-driven lawsuits surge: cyber, wildfires, privacy, #MeToo fallout, emissions.

Note: “Disclosure Dollar Index” is the property of Cornerstone Research.

Page 35: Management Liability, Cyber Liability and Data Security


Directors and Officers liability

Noteworthy losses / decisions / disruption

California Consumer Privacy Act of 2018: Signed into law on June 28, 2018. Effective on January 1, 2020. GDPR-like protections with a private right of action. Also, potential for suits against Ds & Os for failing to protect the company, to comply or to disclose.

Cyan, Inc. v. Beaver County Employees Retirement Fund: SCOTUS held that securities plaintiffs could bring class actions under the Securities Act of 1933 (“1933 Act”) in state courts. Faced with the prospect of having to defend state court filings nationwide, along with the continued prospect of concurrent federal litigation, companies contemplating an IPO face more risk and uncertainty. With D&O insurer appetites for IPO risks already tightening, what will this mean for D&O insurance buyers? Will quality coverage continue to be available? If so, at what price?

Lucia v. Securities and Exchange Commission: Writing for a 6-3 majority, Justice Elena Kagan held that the SEC's ALJs are "officers" who must be appointed to their office by "Heads of Departments," and that because the administrative law judge (ALJ) who presided over Lucia's administrative hearing was not appointed by the SEC's Commissioners, the ALJ's holding against Lucia must be set aside and the enforcement action against him must be retried. Although the Commission "ratified" its ALJs' prior appointments in its November 2017 order, the Supreme Court declined to rule on whether the agency's ratification is sufficient to cure the constitutional insufficiency of the appointments. The result: uncertainty over what to do next.

The Tax Cuts and Jobs Act / Tariffs: On December 22, 2017, Donald Trump signed into law the biggest tax overhaul since the Tax Reform Act of 1986. The new tax law makes substantial changes to the rates and bases of both the individual and corporate income taxes. Meanwhile, concern over tariffs and trade further fuels uncertainty around growth and supply chains. With such dramatic change inevitably come unexpected consequences and, potentially, investor litigation over alleged failures to protect the company and/or disclose the exposure.

U.S. v. AT&T: AT&T wins approval for its $85.4 billion Time Warner deal. Not sure this means the floodgates are open, but it gives us one more reason to look forward to a robust M&A year, along with the litigation that largely follows.


Page 36: Management Liability, Cyber Liability and Data Security

In its Annual Report, the SEC announced that it filed a total of 821 enforcement actions during FY 2018, broken down as follows:

490 “standalone” actions brought in federal court or as administrative proceedings

210 “follow-on” proceedings seeking bars based on outcomes of SEC actions /actions by criminal authorities/other regulators

121 proceedings to deregister public companies, usually microcap companies, delinquent in their SEC filings

Standalone enforcement actions represent an increase when compared to FY 2017. As noted in the FY 2017 Annual Report, cases brought in connection with certain initiatives, such as the Commission's Municipalities Continuing Disclosure Cooperation (MCDC) Initiative, which ran from FY 2015 to FY 2016, can skew the results for a particular year. Accordingly, the tables below present the results over the past four fiscal years, both with and without the standalone actions attributable to the MCDC Initiative:

Considerations: Regulatory matters continue to be a significant source of D&O/E&O claims, with potential follow-on civil litigation exacerbating this exposure. Particular attention should be given to the adequacy of limits, as well as the breadth of coverage afforded for both formal and informal investigations. Underwriters will inquire about the framework, policies and procedures in place to comply with the ever evolving regulatory landscape, as well as any recent interactions with the SEC and other regulators.


Asset Management Industry Trends

FY 2018 SEC Enforcement Actions

Enforcement Actions Filed, Fiscal Years 2015 to 2018 (Including MCDC)

Type of Filing                    FY 2018  FY 2017  FY 2016  FY 2015
Standalone Enforcement Actions        490      446      548      508
Follow-on Admin. Proceedings          210      196      195      167
Delinquent Filings                    121      112      125      132
Total Actions                         821      754      868      807

Enforcement Actions Filed, Fiscal Years 2015 to 2018 (Excluding MCDC)

Type of Filing                    FY 2018  FY 2017  FY 2016  FY 2015
Standalone Enforcement Actions        490      446      464      449
Follow-on Admin. Proceedings          210      196      195      167
Delinquent Filings                    121      112      125      132
Total Actions                         821      754      784      748

Source: https://www.sec.gov/files/enforcement-annual-report-2018.pdf

Page 37: Management Liability, Cyber Liability and Data Security

Of the 490 standalone enforcement actions brought by the SEC in FY 2018, approximately 22% involved investment advisers and/or investment companies, up from 18% in FY 2017.

Only actions involving securities offerings (approximately 25%) accounted for a higher percentage of enforcement actions.

Considerations: Underwriters may ask when the last routine exam was carried out by the SEC, whether there have been recent interactions with regulators, and whether the insured has conducted any mock regulatory exams. Note that some insurers will offer a premium credit to cover a percentage of the costs associated with such mock exams.


Asset Management Industry Trends

FY 2018 SEC Enforcement Actions: Types of Cases

Source: https://www.sec.gov/files/enforcement-annual-report-2018.pdf