management liability, cyber liability and data security
TRANSCRIPT
willistowerswatson.com
Church Benefits Association
Management Liability, Cyber Liability and Data Security Discussion
December 3, 2019
Session Agenda
• Introductions and Purpose
• WTW and our Background
• FINEX Practice Introduction
• Network Security and Data Privacy
• Insurance and Related Topics
• Cyber Quantified – Limit Benchmarking
• Third Party Vendor Concerns
• Fiduciary, Directors & Officers and Asset Management Liability
• Claims Drivers and Market Conditions and Industry Trends
• Questions & Answers
Who We Are
© 2019 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.
Who We Are
What we do:
Our Corporate Risk & Broking (CRB) segment provides a broad range of risk advice, insurance brokerage and consulting services to clients worldwide. The segment delivers integrated global solutions tailored to our clients’ needs and supported by data and analytics.
Why we’re different: Under the umbrella of Willis Towers Watson, we bring:
• An integrated team of subject matter experts from across our business segments that delivers a holistic view of risk, risk mitigation and management.
• Interconnected business segments across all geographies that ensure ready access to the vast array of our solutions and our expertise.
• Innovation and insight through the active engagement of our colleagues across disciplines, geographies and lines of business. We encourage our teams to ask the unanswered questions that can make new connections and uncover valuable solutions for our clients.
CRB globally generated approximately 33% of Willis Towers Watson total revenues, with segment revenues of $2.7BN in 2017.
The WTW CRB international network is comprised of 400 offices in over 140 countries and services over 4,000 multinational clients.
CRB North America is fully supported by the backing of the full bandwidth of Willis Towers Watson, as one company, bringing over 45,000 global colleagues and $23BN in annual premium placed.
NA Employees: We have approximately 3,400 colleagues located in 113 offices across 34 states.
Thousands of clients in 29 diverse industries.
FINEX Practice
• $1B+: Assisted clients in claims recoveries of over $1B in 2017
• 10,000+: Number of clients that use WTW to secure D&O, E&O, Cyber, EPL, Crime or Fiduciary insurance
• Expertise: Product Leaders in all key FINEX products: D&O, E&O, Crime, Cyber, EPL, Fiduciary
• D&O Quantified and Cyber Quantified: New D&O and Cyber proprietary analytical tools
• $3B+: Global FINEX insurance premium placed annually in the market
• 60%: Annual growth in Cyber Insurance
• Combining global, industry expertise with a wealth of FINEX broking experience
• 18+ years: Average tenure of our Claims & Legal Advocacy team; 100% are attorneys
• 145+ Professionals: Dedicated FINEX associates in N. America; 500 globally
• 120+: Number of countries where WTW has offices
• Peer Review Process: At least five team members review every policy for our clients
Cyber Security & Vendor Review Protocols
Cyber Threat Environment
Threat actors: Cloud or 3rd Party Compromise, Malicious Insider, Hacktivists, Criminal Hackers, Negligent Insider.
• Access controls and behavior monitoring insufficient to detect insider threats
• Unwary insiders susceptible to attacks that exploit traditional security controls (e.g. spear phishing)
• Users who fail to embrace “culture of security” will find ways to circumvent ‘inconvenient’ security controls
• Patience is a virtue. Tactics have evolved from “hit and run” to “infiltrate and stay.”
• Industrialization: black markets exist for all types of personal information
• Proliferation of mobile platforms and BYOD policies creates new vectors
• Growing incentive for insiders to abuse access to sensitive data for financial gain
• Disgruntled current and former employees exploit back-doors
• Intent is to disrupt and/or embarrass a target
• Motivations are fickle and unpredictable
• Massive DDoS attack
• Theft of Intellectual Property
• Security compromise: loss of sensitive client data
• Infrastructure downtime may lead to Dependent Business Interruption claim
CLG Proprietary Cyber Claims Data
Willis Towers Watson 2017-18 Reported Cyber Claims Index: percentage of reported claims by type of loss (chart). Loss types shown: accidental disclosure, social engineering, rogue employee, stolen/lost device, ransomware, physical theft of data, hack, business interruption, website cloning/damage/malicious, computer/CPU, cyber extortion (not ransomware), virus transmission, theft of monies (electronically), other. The chart marks the share of claims attributable to the human element.
The human element: People are #1 source of cyber incidents
Source: 2017 Willis Towers Watson claims data
Percentage of claims by breach type (chart values as shown: 58%, 23%, 10%, 7%, 2%). Breach types in the chart legend:
• Employee negligence or malfeasance, e.g., accidental disclosures, lost or stolen device, rogue employee
• Ransomware / Hack
• Social engineering resulting in data theft or funds transfer
• Denial of service
• Unknown
Employee negligence or malicious behaviors are the most common source of cyber incidents. The workplace is thus a major influence in mitigating cyber risk, using all the tools at an organization’s disposal, such as:
• Strong employee experience & engagement
• Effective recruitment, onboarding, and induction
• Targeted training, compliance, and incentive policies
State of the Cyber Insurance Market
Costs and Retentions
As ransomware incidents across all industries increased dramatically in terms of frequency and magnitude in 2019, coupled with potential losses from high profile breaches, we are starting to see an uptick in premiums across the globe.
This premium increase has largely been driven by the explosion of ransomware losses during the second half of 2019, which went from $500,000 or less per loss to well over $1,000,000 per loss.
As losses and potential losses rack up from several large breaches over the past year, carriers have been reevaluating their positions in large towers and looking more closely at rates in perceived “burn layers.”
Carrier focus for excess layers revolves around obtaining adequate premium for perceived risk. There is no longer competition to get on excess towers, especially if pricing is considered “too thin.”
Carriers continue to focus on better management of limits deployed on programs, with many offering no more than $10 million on a given placement. Some carriers will consider deploying additional limits but may require significant retentions or ventilation to do so.
Capacity
Cyber capacity is starting to tighten, as insurance claims and losses continue to rise, especially with regard to ransomware as discussed above.
According to the 2018 Cost of a Data Breach Study from the Ponemon Institute, the cost of data breaches continues to increase year by year, with reputational and regulatory costs identified as main drivers of the increase for 2018. In 2018, the average cost of a data breach globally was US$3.86 million – a 6.4% increase from 2017. This was due to so-called “megabreaches” where 1–50 million records are compromised, resulting in losses between US$40 million and US$350 million.
According to the 2019 Cyber Risk Outlook, prepared by the University of Cambridge, incident response costs are also driving the increase in the cost of data breaches. As the cyber threat landscape becomes more complex and demand for cyber security resources increases, the costs of remediating data breaches, particularly for large-scale events, have increased.
The human element continues to be the leading cause of cyber loss, representing 61% of the claims included in our 2017-18 Reported Claims Index.
Certain carriers are adjusting their ransomware coverage appetites and considering sub-limits and co-insurance alternatives.
Coverage
Coverage continues to evolve and expand to cover regulatory risk, reputational damage, forensic accounting and gap exposures.
The E.U. General Data Protection Regulation (GDPR) went into effect in May 2018, and the California Consumer Privacy Act will go into effect in 2020. We have seen cyber markets more affirmatively address coverage for claims stemming from the GDPR and for claims anticipated under the California Consumer Privacy Act. Markets are also offering expanded wrongful collection and “compliance” coverage largely in response to these regulations.
Business interruption/system failure continues to be an area of concern for underwriters. Very exposed industry classes, such as aviation, manufacturing and transportation, have seen increased underwriting scrutiny. While the coverage remains available, certain industries will experience significant premium increases to obtain or retain the coverage.
Cyber underwriters are working more closely than ever with their counterparts in other lines. Cyber and property underwriters in particular are combining forces as carriers continue to expand their coverage offerings in business interruption. Given the experience and understanding of how business interruption losses play out, it is a natural pairing that should help cyber underwriters understand what they face in claim scenarios. Notwithstanding this cooperation, we are seeing carriers withdraw or limit cyber coverage in non-cyber insurance lines due to concern over aggregation.
Markets
Carriers are exploring data analytics partnerships with InsurTech and FinTech firms in an effort to gather and optimize exposure data, allowing underwriters to assess how organizations and their employees handle sensitive data. Underwriters want to understand an organization’s cyber culture; this can offer opportunities for buyers to differentiate themselves if they are developing holistic approaches to cyber risk across people, capital and technology.
Carriers continue to accept manuscript applications and conference calls in lieu of standard applications. This has led to more market interest due to the increased amount of information provided.
Cyber insurance - core coverage
Liability coverage
Privacy liability
Liability associated with your inability to protect personally identifiable information or corporate confidential information of third parties. The information can be in any format and breached intentionally or negligently by any person, including third party service providers to which you have outsourced information. Third party service providers include, but are not limited to, IT service providers.
Network security liability
Liability costs associated with your inability to prevent a computer attack against your computer network.
Media liability
Tort liability associated with content you create, distribute or is created and distributed on your behalf, including social media content.
Regulatory fines
Fines assessed by a regulatory body due to your data breach.
Direct (Loss mitigation coverage)
Breach response costs
Direct costs expended to mitigate a privacy breach. Costs typically include public relations expenses, notification, identity theft restoration, credit monitoring services and forensic/remediation expenses.
Direct (First party coverage)
Income loss/extra expense
Income loss/extra expense associated with your inability to prevent a disruption to your computer network caused by a computer attack or programming or software failure either:
1. on your network, or
2. at your IT service provider hosting your application.
Data reconstruction
Your costs to recreate or recollect data lost, stolen or corrupted due to your inability to prevent a computer attack against your computer network.
Extortion costs
Your costs expended to comply with a cyber extortion demand.
Cyber Risk Gaps in Traditional Insurance
What are the gaps to consider when dovetailing cyber/privacy insurance with traditional insurance?
(Coverage comparison chart; legend key: No Coverage)
Cyber Liability Insurance Pays
Partnership
Most Cyber Liability insurers offer their policyholders a choice of breach response services, typically from a list of pre-approved vendors. Many allow the policyholder’s own choice of vendor.
Most insurers also grant policyholders access to a complimentary cyber risk management portal that includes the most updated information on emerging cyber threats and the latest reports on risk mitigation measures and practices.
What is Cyber Quantified?
Cyber Quantified is a global cyber risk quantification tool that uses predictive modeling techniques based on various industry data sources, such as Risk Based Security and Standard & Poor’s, integrated with our industry-leading cyber expertise.
Cyber Quantified provides estimates of frequency and severity for both privacy breach and network outage incidents.
This proprietary tool provides concrete decision support to clarify your insurance choices and guide you to your client’s optimal risk mitigation strategy.
Key Benefits to Clients
• The most comprehensive quantification of Cyber Risk: Frequency and Severity of both privacy breach and network outage.
• Provides decision support to drive risk financing strategy and evaluation of specific options.
• Sensitivity testing promotes a better understanding of risk and how the exposure profile should be presented to the insurance marketplace.
• Concise and impactful output for communication with internal stakeholders.
FINEX analytical tools
Cyber Quantified – http://willis.com/coreanalytics/cyber.html
Cyber Quantified Breach Risk Detail
(Tool screenshots: Inputs; Breach Costs: 25,000 PII Records; Breach Costs (per record): 25,000 PII Records)
Cyber Quantified Network Outage
(Tool screenshot: Industry Frequency & Costs Calculator)
Vendor Management and Protocols
Is your company equipped to face the threat of third-party data breaches?
• 57% of American companies experienced a data breach caused by a third party or vendor
• 75% say third-party data breach incidents are on the rise
• 22% didn’t know if they had been impacted by a third-party data breach over the past year
What is Third-Party Risk Management?
The management of risk presented to your organization, your data, your operations and your finances by parties OTHER than your own company.
Example Vendors/Suppliers: Telecommunications, Cloud Services, Food & Beverage, Utilities, Shredder Services, Data Management, Web/UI Designer, App Development, Landscaper, Cleaning Service, External Legal Counsel, CRM, Risk Management, Insurance Provider, Payment Processor, Compliance Audit
What potential risks might arise from third-party relationships?
• Strategic
• Reputational
• Operational
• Transactional
• Credit
• Compliance
Cyber risk impacts all of these broad risk categories.
What are my responsibilities around Third-Party Risk Management?
“The key to the effective use of a third party in any capacity is for the organization to appropriately assess, measure, monitor, and control the risks associated with the relationship.”
FDIC GUIDANCE FOR MANAGING THIRD-PARTY RISK
A breach of your third-party is a breach of your enterprise. How is your level of trust?
Third-Party Cyber Risk Assessment
• Provides visibility into the cybersecurity posture of your third-party vendors or vendor candidates and the risk each relationship presents to your business operations
• Strengthens the RFP process by prioritizing vendor candidates in order of cybersecurity maturity, effectively supporting the procurement and selection process
• Supports the insurance placement/renewal process by evaluating key risks of your chosen vendors and their willingness to take recommended cybersecurity actions
• Available in three delivery tiers that can be scoped, tailored, and priced to meet individual client requirements
• Time to completion: 1-2 weeks (Tier 1), 3-4 weeks (Tier 2), 4-6 weeks (Tier 3)
Engagement Can Be Customized to Include Any or All of the Following:
1. Online Survey: Survey-based assessment of an organization’s vendors or vendor candidates’ current cybersecurity maturity mapped to the NIST CSF or ISO 27001.
2. Cross-Functional: Survey completed by up to six key stakeholders at each vendor or vendor candidate, providing an array of perspectives on mission critical functions (e.g., CISO, CIO, CRO, CFO, HR, Legal).
3. Research & Analysis: Research on each vendor or vendor candidate’s public profile, business functions, and cyber risk exposures. One-to-one interviews with vendor/vendor candidate’s key stakeholders (Tier 3 option only).
4. Document Review: Review of key cyber risk management documents (e.g., information security policies, incident response plans, and business continuity plans).
5. Workshop: Four-hour client workshop (Tier 2 virtual or Tier 3 onsite consultation options only) to develop (1) an action plan to address vendor cyber issues; or (2) consensus and security posture-based shortlisting of three vendor candidates.
6. Final Report: Includes Board-level ready executive summary, consolidation and reporting of project findings, and prioritized recommendations.
Fiduciary, D&O and Asset Management Discussion
State of the Fiduciary Insurance Market 2019
Capacity: Ample | Coverage: Broad | Claims & losses: Concerning trends | Premiums & retentions: Stable to increasing | Markets: Stable
Claims & losses
• Excessive fee litigation continues to dominate the exposure, driving severity and client views of appropriate program size.
Trouble spots:
• Asset managers: Asset managers with proprietary funds within their plans face challenging renewals.
• Universities: Spike in 403(b) fee cases has carriers concerned.
• ESOPs: No presumption of prudence when investing in employer securities.
Regulatory uncertainty:
• Will SEC’s proposed Regulation Best Interest replace the DOL’s now vacated Fiduciary Rule?
• Increased IRS compliance exposure without validating periodic Determination Letters
• Federal deregulation could mean more, not less, regulation as states fill perceived gaps
Coverage (Broad/Stable)
• ESOP exposures continue to give carriers pause, but as a loss driver, ESOPs have been relatively quiet. (Note: Jander v. Retirement Plans Committee of IBM could bring them back.)
• Broad range of sublimited coverage for fines and penalties.
• No significant restrictions or material changes in the scope of coverage offered outside of the “Trouble spots” listed above.
• Regulatory dynamics, including those around privacy such as GDPR, may drive innovation, but we have seen less carrier innovation in fiduciary liability than elsewhere in financial lines.
Capacity and Markets
• Notwithstanding recent insurer M&A activity, the fiduciary market largely remains competitive.
• Over $500M in advertised capacity.
• AIG, Chubb and Travelers continue to lead most programs, private and public; collectively 40% market share.
• AXIS, Hartford, Berkshire, CNA and AXA XL also have a significant presence.
• For private companies, Fiduciary is often bought in a package format with D&O and/or EPL and it may not be the product that drives carrier choice.
• For larger, or public, companies, fiduciary limits are occasionally blended with EPL and/or crime coverage.
• Competitive and largely aligned behind leaders on primary pricing and terms.
• Could see competitive market play out on sublimits for fines and penalties.
• Willingness to write or to offer innovative solutions for ESOPs and Trouble Spots could differentiate a carrier.
Premiums & retentions
• Premiums and retentions are generally flat.
• Excess rates remain very competitive.
• Material changes in plan assets, specifically employer stock, may result in potential increases in premiums and retentions for securities claims (for public companies with such exposure).
• For Trouble Spots, expect any of the following: upward rate pressure, excluded risks, increased retentions, and sublimits.
• Church, university and public entity plans may see upward rate pressure.
• Some carriers warned they will not consider fiduciary liability for larger universities or asset managers with proprietary funds unless a fee claim is already in.
Fiduciary Liability In 2019: Top issues to watch
Fee Cases
Observation: Excessive fee litigation continues to dominate the exposure, driving severity and client views of appropriate program size. It has spawned a cottage industry in the plaintiff bar.
Concern: Dominant driver of losses. Concern that this litigation wave will spread to smaller plans and broader activities.
Firming Markets
Observation: Markets have continued to firm and may do so further.
Concern: 2019 may be a challenging renewal year. While Fiduciary Liability insurance is likely to feel less pressure than other lines, the firming has impacted carriers’ willingness to take on more challenging fiduciary risks.
Regulatory Uncertainty
Observation: On deck: a new SEC set of rules and multiemployer plan expansion, and the Retirement Enhancement and Savings Act may have bipartisan support. Will states act to fill perceived federal gaps (as Massachusetts and New Jersey have)?
Concern: New rules, change and Balkanization of regulation all increase risks.
Jury Trials
Observation: Cornell’s request for certification of an interlocutory appeal from a motion granting in part and denying in part Cornell’s motion to strike a jury demand was denied (by the same judge that effectively granted plaintiffs a right to trial by jury).
Concern: Jury trials could undermine recent defense successes and substantially increase the litigation severity.
Privacy
Observation: The General Data Protection Regulation going into effect was monumental. California passed a similar law that will go into effect next year.
Concern: Uncharted territory that could extend to fiduciaries. Hard to comply with uncertainty. How does GDPR impact fiduciary liability? This could also be a cyber issue.
ESOPs
Observation: Fifth Third Bancorp v. Dudenhoeffer tempered ESOP litigation, but a recent denial of a motion to dismiss in Jander v. Retirement Plans Committee of IBM (2nd Cir. 2018) may have given ESOP suits new life.
Concern: Before fee cases, ESOP suits drove fiduciary liability losses. This could be impactful.
Proprietary Funds
Observation: Asset managers with proprietary funds within their plans face challenging renewals.
Concern: Some carriers warned they will not consider fiduciary liability for asset managers with proprietary funds unless a fee claim is already in.
University Fee/403(b)
Observation: Cornell’s motion to strike a jury demand was partially denied.
Concern: Carriers are focused on this risk and many have limited to no appetite for it unless a fee claim is already in.
Key Loss Drivers
• Fee cases continue. Settlements now total $505 million, over half a billion dollars!
• Tibble, the case that established critical Supreme Court precedent, settled for $5.6 million in addition to a judgment of $7.5 million and payment of legal fees of $5.8 million ($18.9 million total).
• Fujitsu reached a settlement for a claim of imprudent design of its target date funds for $14 million.
• Allianz reached a settlement for claims of conflicted funds for $12 million.
• Over 50 suits are pending (at least 35 against corporate employers and 17 against universities and other not-for-profits), with several suits surviving recent motions for dismissal.
• 4 suits against GE, with other suits being filed against a Teamster plan and very small plans.
• Important First Circuit dismissal of suit against Fidelity challenging stable value fund.
• Six suits challenging managed account fee sharing have been dismissed, while one remains pending.
2018 Top 10 ERISA class action settlements
1. $63.0m, Mercy Health: Did plan qualify for church-plan exemption?
2. $62.5m, Hospital Sisters Health System: Alleged underfunding due to church-plan status.
3. $30.0m, Liberty Mutual Retirement Benefit Plan: Class arising from pre-acquisition pension credit claims.
4. $29.5m, Wheaton Franciscan: Challenged church-plan status.
5. $25.0m, Wawa Inc.: Lost ESOP benefits.
6. $25.0m, Continental Casualty Co.: Cancelled an annuity contract in the plan’s investment menu.
7. $24.0m, BB&T Corp.: Alleged self-dealing associated with fees earned on poorly performing proprietary funds.
8. $21.9m, Deutsche Bank: Alleged high costs associated with proprietary funds within their plans.
9. $17.0m, Phillips North America: Alleged breach of fiduciary duty relating to 401(k) investment options.
10. $15.4m, California Field Ironworkers Pension Trust: Alleged a secret amendment to plan to prevent benefits from accruing after age 65.
“ERISA itself represents a highly dense regulation, and claims arising from it are equally complex. That a plaintiff might not fully understand the facts and legal theories of this complex ERISA action is understandable.”
U.S. District Judge Charles A. Pannell Jr. in granting class certification in a notable 403(b) case
Fiduciary Liability Claims, legal and emerging trends summary
• 5th Circuit fully invalidated the DOL’s Fiduciary Rule
• Tibble fallout: continuous duty to monitor
• Fee case settlements exceed $505m
• IRS: Phase out of safe harbor process
• Regulatory Uncertainty extends to privacy
• Sexual orientation Title VII protection: New employee benefits liability?
• Balkanization of enforcement as others fill in for less federal regulation
• Over 50 fee suits pending
• Wage & Hour ERISA violations: Add $28 per day/employee in § 209(a)(1) penalties
Why should clients care?
Fiduciary Liability
Noteworthy losses / decisions / disruption
• Duty to Defend / Insurance / Negligence: Scottsdale Insurance Company v. Timothy L. Byrne, et al. (1st Cir. 2019). A business and management indemnity insurance policy’s professional services exclusion (“professional services” construed narrowly) and ERISA exclusion (did not apply to an action for common law negligence) do not relieve the insurer of its duty to defend.
• SEC takes on fees, too: In December, the SEC issued letters as part of its new investigations into advisory firms that did not self-report that they failed to disclose conflicts of interest associated with the receipt of 12b-1 fees when a lower-cost share class of the same mutual fund was available for the advisory clients. The December letters reflected that the requests extended beyond 12b-1 fees to revenue sharing.
• SEC Proposed Best Interest Package: (i) Regulation Best Interest; (ii) Proposed Commission Interpretation Regarding Standard of Conduct for Investment Advisers; Request for Comment on Enhancing Investment Adviser Regulation (“Investment Adviser Standard”), and (iii) “Form CRS Relationship Summary; Amendments to Form ADV; Required Disclosures in Retail Communications and Restrictions on the use of Certain Names or Titles” (“Form CRS”). The package encompasses the SEC’s alternative to the DOL’s vacated Fiduciary Rule.
• DOL Proposed Multiemployer Plan Expansion: The DOL proposed a rule that would expand the use of open multiple employer plans. Benefits small business and professional employer organizations.
• New basis for claims: Based on allegations of unreasonable actuarial equivalent factors, including “outdated” mortality tables, when calculating plan benefits payable in various annuity forms of distribution or at early retirement. Masten, et al. v. Metropolitan Life Insurance Company, et al. (S.D.N.Y. Dec. 3, 2018); Martinez Torres, et al. v. American Airlines, Inc., et al. (N.D. Tex. Dec. 11, 2018); DuBuske, et al. v. PepsiCo, Inc., et al. (S.D.N.Y. Dec. 12, 2018); and Smith, et al. v. U.S. Bancorp, et al. (C.D. Minn. Dec. 14, 2018).
• Chamber of Commerce of the USA, et al. v. U.S. Department of Labor, et al. (5th Cir. 2018). Vacated the “Fiduciary Rule” promulgated by the Department of Labor (DOL) in April 2016. Decided on March 15, 2018. Mandate issued June 21, 2018.
• Janus v. Am. Fed’n of State, Cty., & Mun. Emps. (SCOTUS, decided June 27, 2018). States and public-sector unions may no longer extract agency fees from nonconsenting employees.
• White, et al. v. Chevron, et al. (9th Cir. 2018). Allegations showed only that Chevron could have chosen different vehicles for investment that performed better during the relevant period, or sought lower fees for administration of the fund, and that was not enough to make it more plausible than not that any breach of a fiduciary duty had occurred. Also dismissed the failure to monitor claim arising from the Vanguard in 2002 as time barred, since the action was not commenced until 2016.
• GDPR and privacy regulation?: Plans hold a significant amount of private data on participants and beneficiaries. Some participants may be located in the European Union. That begs the question: how will the EU’s General Data Protection Regulation (“GDPR”) apply to US benefit plans?
• Trial by jury?: Cunningham v. Cornell University, September 6, 2018 decision in the Cornell 403(b) case denying (in part) defendants’ motion to strike the jury demand. Plaintiffs definitely won this battle.
FINEX Insurance Market Conditions
D&O/E&O
Capacity
Abundant
Coverage
Evolving
Claims & losses
Concerning trends
Premiums & retentions
Stable to increasing
Markets
Transitioning
Increasingly regulated global environment creating greater risk of regulatory and follow-on civil claims against asset managers.
Regulatory actions, violations of section 36(b) and Cost of Corrections continue to dominate claims activity.
401(k) excessive fees/suitability cases resulting in significant losses, negatively impacting renewals of Fiduciary Liability programs, including blended programs that include Fiduciary Liability coverage.
Insurers continue to try and differentiate themselves via broader coverage offerings, including:
• Pre-Claim coverage and, increasingly, informal investigations.
• Cyber extensions are available from some insurers.
• “Mock Audit” coverage is available from some insurers, which reimburses the Insured a percentage of its premium to cover the costs of conducting a mock regulatory audit.
A general abundance of capacity in the US is keeping rates more competitive for asset managers than for other financial institution sub-industries.
The London market is slightly more challenged, with insurers reducing capacity for distressed insureds and/or where there is claims activity.
Asset management is still the area that most carriers are looking to grow with many offering new policy forms and/or coverage enhancements.
Old Republic is currently an excess asset management market and is expected to release their primary asset management policy form in Q1 20.
Key primary markets (AIG, Chubb, HCC, AXA XL, Berkshire Hathaway) continue to aggressively push rate increases.
Other primary and excess markets have largely aligned behind those key markets on pricing and terms.
Some insurers are voluntarily exiting programs they deem too thinly priced, possibly creating a more challenging renewal process.
Breaking relationships with long-term insurance partners on a primary and/or excess basis may be required in order to mitigate any applicable premium increases.
Nevertheless, competitive coverage is still available and there remain opportunities for enhancement.
Primary programs are generally renewing flat for middle market asset managers, while larger asset managers are generally experiencing increases of up to +7.5% depending on AUM change, investment strategy, performance and/or claims.
The London market is generally applying increases across the board, ranging from 2-5% for middle market and 5-15% for larger asset managers.
Most excess insurers are acting in lock-step and following any underlying premium increases.
Retentions are generally remaining flat unless the risk profile warrants an adjustment; some insurers may offer a flat premium renewal in exchange for an increase in retention.
Directors & Officers Liability leading loss driver
Federal securities class actions
Filings (as of January 2019): number of SCA filings per year, Non-M&A and M&A, as read from the chart (the chart also plotted a linear trend of total SCA filings):
Year    Non-M&A    M&A    Total SCA filings
2010       175       -                175
2011       181       7                188
2012       111      40                151
2013       122      43                165
2014       155      13                168
2015       173      35                208
2016       186      85                271
2017       215     197                412
2018       218     185                403
(No M&A value is shown for 2010 in the chart.)
Additional Insights
• 2018 securities class action filings involved approximately 7.5% of 5,350 publicly listed companies.
• M&A filings had a much higher rate of dismissal (86%) vs. non-M&A filings (47%).
• Severity indicators point way up.
• The Cornerstone Disclosure Dollar Loss measure ranks 2018 as the highest ever.
• $939 billion in “NERA-defined” investor losses, more than double any prior year and nearly 4X the five-year average of $245 billion.
[Chart: Settlements (as of January 2019, in million US$), 2010-2018: average settlement (annual), median settlement (annual) and a linear trend of the annual average; y-axis from $0 to $120 million.]
Notes: (i) The 5147 10YR average reflects a modest increase in filings. (ii) This commonly cited, simplistic measure should not be taken as a meaningful indicator of any specific company’s risk. (iii) Filings are based on Cornerstone’s Securities Class Action Filings: 2018 Year in Review and Settlements are based on NERA’s Recent Trends in Securities Class Action Litigation: 2018 Full-Year Review.
Directors & Officers Liability in 2019
Top issues to watch
Securities Class Actions
Observation: 403 filings in 2018 is 210 above the 1996-2016 average. Merger objection claims were nearly half of all filings, but 2018’s non-M&A claims (214) are still near all-time highs.
Concern: SCAs, the classic D&O severity claim, have long been a litmus test for overall D&O market loss expectations.
Privacy
Observation: The General Data Protection Regulation going into effect was monumental. California passed a similar law that will go into effect next year. High-profile (Facebook, Nielsen) SCAs were filed alleging poor disclosure.
Concern: Uncharted territory. Hard to comply with uncertainty.
Cyber Insecurity and Data Breaches
Observation: 2018 brought cyber to the SCA world. Altaba (f/k/a Yahoo!) settled a data breach-related suit for $80M, and settled the related SEC enforcement action for $35M. Marriott, Chegg, Huazhu and Alphabet (Google) were also sued.
Concern: Likely to only get worse, with the SEC spending more on cyber and rating agencies now considering cyber insecurity. Meanwhile the risks keep morphing.
Revelations of Sexual Misconduct
Observation: 2018 saw high-profile sexual misconduct scandals with material financial implications that resulted in D&O claims, both SCA and derivative. Social media campaigns also resulted in employee movements over failures to address harassment allegations.
Concern: Tip of the iceberg? Hard to see these coming. Some involved decades of alleged behavior.
Social Media
Observation: Social media has connected the disenfranchised. That collective voice can turn seemingly manageable issues into a material financial concern.
Concern: A viral campaign can have devastating consequences for targets. The impact may be much faster than litigation, and a social media movement offers no protection for the innocent. Where legacy issues recently became public, claims-made coverage can fall short if not fixed.
Event Driven Filings
Observation: A broad category of claims not driven by financial reporting or accounting. They could arise from wildfires, airline crashes, cyber breaches, emissions disclosures and #MeToo scandals. Potential new sources: privacy compliance and ESG (environmental, social & governance).
Concern: Uncertainty and unpredictability. Harder to underwrite. Also, ESG is getting more attention.
SEC Enforcement Action Rebounds
Observation: 821 SEC enforcement actions in FY2018 vs. 754 in FY2017 (+9%). 71 involved new actions against public companies.
Concern: The drumbeat to hold individuals accountable will likely get louder as we get closer to the next presidential election. (Note: today’s policies cover 2020 risks.)
Firming Markets
Observation: Markets have continued to firm and may do so further.
Concern: 2019 may be a challenging renewal year.
Directors & Officers Liability
Claims, legal and emerging trends summary
• 403: near-record number of SCA filings
• 190 cos. went public in 2018, up 19%; proceeds up 32% ($47 billion)
• Privacy compliance, already drawing SCAs
• M&A volume up 8% YoY
• SCA severity up 152%: Cornerstone’s Disclosure Dollar Index® hits highest point ever
• Firming market: pressure on rate and terms
• Cyan fears stoke a challenging D&O-for-IPOs market
• ESG: new priority for investors
• Event driven lawsuits surge: cyber, wildfires, privacy, #MeToo fallout, emissions
Note: “Disclosure Dollar Index” is the property of Cornerstone Research.
Directors and Officers liability
Noteworthy losses / decisions / disruption
California Consumer Privacy Act of 2018: Signed into law on June 28, 2018. Effective on January 1, 2020. GDPR-like protections with private rights of action. Also, potential for suits against Ds & Os for failing to protect the company, comply or disclose.
Cyan, Inc. v. Beaver County Employees Retirement Fund: SCOTUS held that securities plaintiffs could bring class actions under the Securities Act of 1933 (“1933 Act”) in state courts. Faced with the prospect of having to defend state court filings nationwide, along with the continued prospect of concurrent federal litigation, companies contemplating an IPO face more risk and uncertainty. With D&O insurer appetites for IPO risks already tightening, what will this mean for D&O insurance buyers? Will quality coverage continue to be available? If so, at what price?
Lucia v. Securities and Exchange Commission: Writing for a 6-3 majority, Justice Elena Kagan held that the SEC’s ALJs are “officers” who must be appointed to their office by “Heads of Departments,” and that because the administrative law judge (ALJ) who presided over Lucia’s administrative hearing was not appointed by the SEC’s Commissioners, the ALJ’s holding against Lucia must be set aside and the enforcement action against him must be re-tried. Although the Commission did “ratify” its ALJs’ prior appointments in its November 2017 order, the Supreme Court declined to rule on whether the agency ratification is sufficient to resolve the constitutional insufficiency of the appointments. The result: uncertainty over what to do next.
The Tax Cuts and Jobs Act/Tariffs: On December 22, 2017, Donald Trump signed into law the biggest tax overhaul since the Tax Reform Act of 1986. The new tax law makes substantial changes to the rates and bases of both the individual and corporate income taxes. Meanwhile, concern over tariffs and trade further fuels uncertainty around growth and supply chains. With such dramatic change inevitably come unexpected consequences and, potentially, investor litigation over alleged failures to protect the company and/or disclose the exposure.
U.S. v. AT&T: AT&T wins approval for the $85.4 billion Time Warner deal. Not sure this means the floodgates are open, but it gives us one more reason to look forward to a robust M&A year, along with the litigation that largely follows.
Asset Management Industry Trends
FY 2018 SEC Enforcement Actions
In its Annual Report, the SEC announced that it filed a total of 821 enforcement actions during FY 2018, broken down as follows:
• 490 “standalone” actions brought in federal court or as administrative proceedings
• 210 “follow-on” proceedings seeking bars based on the outcomes of SEC actions, actions by criminal authorities or other regulators
• 121 proceedings to deregister public companies, usually microcap companies, delinquent in their SEC filings
Standalone enforcement actions represent an increase when compared to FY 2017. As noted in the FY 2017 Annual Report, cases brought in connection with certain initiatives (such as the Commission’s Municipalities Continuing Disclosure Cooperation (MCDC) Initiative, which ran from FY 2015 to FY 2016) can skew the results for a particular year. Accordingly, the tables below present the results over the past four fiscal years, both with and without the standalone actions attributable to the MCDC Initiative:
Considerations: Regulatory matters continue to be a significant source of D&O/E&O claims, with potential follow-on civil litigation exacerbating this exposure. Particular attention should be given to the adequacy of limits, as well as the breadth of coverage afforded for both formal and informal investigations. Underwriters will inquire about the framework, policies and procedures in place to comply with the ever evolving regulatory landscape, as well as any recent interactions with the SEC and other regulators.
Enforcement Actions Filed, Fiscal Years 2015 to 2018 (Including MCDC)
Type of Filing                    FY 2018   FY 2017   FY 2016   FY 2015
Standalone Enforcement Actions        490       446       548       508
Follow-on Admin. Proceedings          210       196       195       167
Delinquent Filings                    121       112       125       132
Total Actions                         821       754       868       807
Enforcement Actions Filed, Fiscal Years 2015 to 2018 (Excluding MCDC)
Type of Filing                    FY 2018   FY 2017   FY 2016   FY 2015
Standalone Enforcement Actions        490       446       464       449
Follow-on Admin. Proceedings          210       196       195       167
Delinquent Filings                    121       112       125       132
Total Actions                         821       754       784       748
Source: https://www.sec.gov/files/enforcement-annual-report-2018.pdf
Asset Management Industry Trends
FY 2018 SEC Enforcement Actions: Types of Cases
Of the 490 standalone enforcement actions brought by the SEC in FY 2018, approximately 22% involved investment advisers and/or investment companies, up from 18% in FY 2017.
Only actions involving securities offerings (approximately 25%) accounted for a higher percentage of enforcement actions.
Considerations: Underwriters may ask when the last routine exam was carried out by the SEC, whether there have been recent interactions with regulators, and whether the insured has conducted any mock regulatory exams. Note that some insurers will offer a premium credit to cover a percentage of the costs associated with such mock exams.
Source: https://www.sec.gov/files/enforcement-annual-report-2018.pdf