Financial Services Insurance in an Era of Regulatory Risk

These folks often go through some version of the Kubler-Ross stages of grief, including denial (“The SEC must be confused!”), anger (“This is an abuse of power!”), bargaining (“With this one weird trick, we can convince the SEC to shut down the investigation!”), and, finally, acceptance. 

The sooner you can get to acceptance, the better. As I have explained before, when it comes to SEC investigations, the only way out is through. 

Once you have accepted that the government can generally ask for whatever it wants and take as long as it wants, you can focus less on raging against the machine and more on formulating the strongest possible defense strategy.

SEC investigations are both emotionally and financially taxing. Investigative defense costs can be very significant. In many matters involving investment managers, defense costs are higher than any penalties ultimately imposed.

Most sophisticated investment managers purchase general partnership liability (GPL) insurance coverage. Your GPL policy should cover your defense costs—after you have exceeded your retention (i.e., deductible)—for SEC investigations regarding your investment advisory practices. 

The devil, however, is in the details. As the government continues to issue new rules and guidance and bring enforcement actions in new areas, it’s important to work with insurance advisors who are laser-focused on ensuring that your coverage contains best-in-class protections to respond to emerging risks and who understand the regulatory environment so that your coverage performs if claims arise. 

Let’s look at some recent regulatory risk areas and insurance implications. 

Reg S-P Amendments: Where Are Cyber + Securities Investigations Covered?

For almost 25 years, Regulation S-P has required broker-dealers, registered investment advisers (RIAs), and other SEC registrants to adopt written policies and procedures designed to safeguard customer information. 

Historically, the SEC has not brought many Reg S-P enforcement actions, although there has been an uptick in recent years. Take a look at this article for more details on recent enforcement trends in this space. 

In May 2024, the SEC adopted significant amendments to Reg S-P. Under the new rules, covered entities (including RIAs) must:

• Develop and implement a written incident response program “reasonably designed to detect, respond to, and recover from unauthorized access to customer information.” Notably, registrants are also required to develop and maintain policies and procedures “reasonably designed to require oversight, including through due diligence on and monitoring, of service providers.”
• Notify affected customers of a data breach involving their information "as soon as practicable" but no later than 30 days after becoming aware of the incident. The notification must provide details about the breach and steps customers can take to protect themselves. 

Compliance dates are staggered. Larger entities (including RIAs equal to or greater than $1.5 billion in AUM) have 18 months and smaller firms have 24 months after the effective date to implement the new requirements.

Side note: While Reg S-P does not apply directly to private funds, RIAs to private funds are nevertheless “covered institutions” under the amendments. This Debevoise article helpfully unpacks some of the considerations at play in this space.  

Through the amendments and other recent activity, the SEC is increasingly styling itself as a cyber + securities regulator. The new Reg S-P requirements will create many new openings for the Division of Enforcement to take issue with registrants’ incident response policies and procedures and notification practices. 

It will be challenging for registrants to figure out what, specifically, the SEC would consider to be a “reasonably designed” incident response program. If a registrant experiences a significant incident but does not immediately identify and/or remediate the issue, the government will want to understand why. 

Many financial services companies maintain both cyber insurance policies (designed to respond to data privacy related claims) and D&O/GPL insurance policies (designed to respond to securities claims). Reg S-P investigations involve both data privacy and securities law issues. 

So where should you look for insurance coverage if you are facing a Reg S-P investigation? 

It depends on the sequence of events, the specific language in your GPL/D&O and cyber policies, and how your broker and carriers respond. Make sure that you trust your insurance advisor to help you navigate this evolving landscape. 

How Are You Paying for Your Defense Costs? The SEC Wants to Know.

Recent developments underscore the importance of a coordinated strategy to insurance and regulatory compliance and defense.

First, as I have reminded readers in the past, under the SEC’s 2023 Private Fund Adviser Rules , before charging legal fees and other investigative expenses to a fund, investment advisers need advance written consent from a majority in interest of fund investors. 

Even if the Rules are modified or struck down by the courts, it’s a safe bet that the SEC will remain focused on what it views as problematic legal fee arrangements between advisers and funds.  

My advice from earlier this year is worth repeating here: 

"Ensure you have appropriate insurance coverage for investigations. SEC exams and investigations can be very costly (in an extensive investigation that follows a lengthy exam, think eight figures). Routine exam costs are typically excluded from insurance coverage, but entity-level costs from regulatory investigations are increasingly covered under general partnership liability and/or errors and omissions policies. As discussed above, directly charging investigative expenses to a fund in the future will require a messy disclosure and consent process—and reimbursement to the fund if you settle with the SEC. It may be preferable to maintain broad entity investigation coverage that will kick in if SEC Enforcement comes calling. Remember, though, this coverage is just for defense costs. If you end up settling with the SEC, penalties will be excluded from coverage.

With this in mind, how much coverage do you have for investigations? What’s the basis for that number? Can your insurance broker explain what kinds of situations would likely be covered under your policy and what situations may not be covered? For example, how does your policy define an informal investigation and a formal investigation, and what exactly triggers coverage under each type of claim? The SEC may use different investigative tools depending on whether an entity is registered. As a result, key coverage triggers for RIAs may be different from coverage triggers for ERAs. Be sure that you are working with an insurance broker who understands these nuances and can help you map these risks onto your insurance policies."

A recent case confirms the SEC’s focus on penalizing advisers who charge legal expenses to funds in ways the staff believes to be improper. 

In May 2024, the SEC sued an RIA for improperly charging legal fees to the mutual fund it advised. The facts of the case are quite interesting to anyone who is a passionate observer of both the securities enforcement world and the insurance world—so, maybe just to me?

In 2017, the investment adviser and the mutual fund (actually an open-ended investment company composed of numerous funds, but I’m going for simplicity here) were served with regulatory inquiries and shareholder litigation related to trading losses. 

The fund and the adviser retained the same legal counsel to jointly represent them in the litigation and investigations, which involved overlapping facts and legal issues impacting both the fund and the adviser. 

In their hourly bills, the lawyers did not distinguish between work done on behalf of the fund and work done on behalf of the adviser. 

The fund had insurance coverage for the litigation and investigations; the adviser did not. To maximize coverage, the adviser arranged to have all of the legal bills paid by the fund and subsequently submitted to the fund’s insurer. 

The adviser claimed that it intended to reimburse the fund for any amounts that the insurer determined were not properly allocable to the fund and would not be covered. However, this arrangement was set up without the knowledge of the independent board. 

Setting aside some arcane charges under the Investment Companies Act, the SEC found fault with the adviser’s conduct because: 

• The SEC investigated and sued the adviser for conduct related to the trading losses (which is why it was focused on the matter in the first place).
• The SEC began asking the fund questions about the payment of its legal fees (it is unclear how the staff was made aware of the issue).
• After the SEC made the requests, the fund determined that it was due an additional ~$500,000 for legal fees that should have been borne by the adviser. The adviser paid this amount back to the fund.
• Later, the fund’s insurer determined that an additional ~$180,000 of the fees allocated to the fund were not actually covered by the policy, leaving the fund on the hook. In connection with its ultimate settlement with the SEC, the adviser agreed to cover these expenses, too.

What are the lessons here? I can think of a few:

1. If you are an investment manager, carry adequate insurance coverage for investigative defense costs.
2. Regardless of the ultimate fate of the Private Fund Adviser Rules, be very careful about charging investigative expenses to the fund. If the Rules remain in effect, follow them. Even if they are struck down or altered, tread with caution. 
3. The SEC has long been focused on how various costs are allocated between advisers and funds and on ensuring that advisers discharge their fiduciary duties by bearing adviser-level expenses appropriately. With this in mind, think carefully about how you allocate your insurance premium costs. What is your rationale for why the fund is bearing certain premium expenses? Do you have adequate information from your insurance carrier to make reasoned decisions about the allocation of your premium? Does your legal counsel agree with your analysis?

What’s Your Insurance ROI?

Last year, I had a roof leak. I went through many circles of administrative hell with my homeowner's insurance company, only to find that the damage was not covered under my policy.

Few experiences are more annoying than paying for a product for many years, only to find that it doesn’t perform in the way that you expected. 

If you are a sophisticated investment manager or another type of regulated financial services company, you are probably paying for commercial insurance coverage. Regulatory investigations are one of the key risks that this coverage is meant to mitigate. 

Regulatory risks are continuously evolving. Your advisors need to keep a close eye on both the regulatory landscape and your insurance policy and program to make sure that your coverage will do what you have been paying for it to do.