21 States Changed AI Rules (Your Board's Blind Spot in 2025)


Reading Time: 5 Minutes

Welcome to the Pride,

Every week, we review 200+ insurance articles to highlight what matters most.

Three major reports this week reveal a concerning trend: regulators are increasing scrutiny.

Could this lead to greater individual liability for directors and officers in 2025?

Here's what's driving it:

  • State insurance AI rules increase legal exposure
  • SEC cyber mandates now burden CFOs with personal liability
  • EY warns: Board vendor oversight failures ignite personal D&O risk

The common thread? Personal liability is increasing, even as market conditions improve.

Let's dive in...

While Rates Drop, 21 States Tighten AI Oversight

Recent Locke Lord analysis reveals a significant shift in how regulators view artificial intelligence in insurance (source). While market conditions remain favorable for buyers, this regulatory attention matters more than you might think. Here's what caught our attention…

Quick Facts:

  • 21 states have adopted the NAIC model bulletin on AI use
  • Colorado and New York created their own specific guidelines
  • Regulators are focusing heavily on third-party vendor selection

Why This Matters Now:

Even with today's favorable market conditions (lower rates, more capacity), underwriters are paying close attention to how companies handle AI regulation.

Here's what we're seeing:

  1. Third-Party Vendor Scrutiny: Regulators are examining not just your AI use, but your vendors' practices too. You're responsible for their compliance.
  2. State-by-State Complexity: While most states follow NAIC guidelines, Colorado and New York have stricter requirements. This creates a complex compliance landscape.
  3. Rising Class Action Risk: Locke Lord predicts more lawsuits related to:
    • AI-driven unfair discrimination
    • Biased claims handling
    • Bad faith liability from automated settlements

So What?

Here's the key insight many miss: The soft market doesn't mean you can relax about regulatory compliance.

Smart companies are:

  • Meeting regularly with underwriters
  • Discussing AI governance proactively
  • Demonstrating strong vendor oversight
  • Preparing for increased regulatory scrutiny

The companies that secure the most favorable terms aren't just those who respond to underwriter concerns during hard markets; they're the ones who maintain consistent communication and transparency throughout all market cycles.

Our Take:

Underwriters have long memories. They remember which companies maintain high standards regardless of market conditions.

Here's what we're advising our clients:

  1. Keep meeting with underwriters. Yes, the market is soft. No, you don't technically "have to" spend as much time on underwriter relationships. But the institutions that maintain these connections now will benefit when the market hardens.
  2. Review your vendor selection process. Document how you evaluate and monitor third-party technology providers. Underwriters want to see this.
  3. Prepare for increased scrutiny. Have clear answers about:
    • How you oversee AI vendors
    • Your process for preventing discriminatory outcomes
    • Your approach to claims handling when AI is involved

The soft market won't last forever. The institutions that maintain strong underwriter relationships and robust compliance programs now will be better positioned when conditions change.

Want to discuss how these regulatory trends might affect your program? Contact LION Specialty for a strategic review.

SEC Expands CFO Cyber Duties: Five New Threats to Watch

New SEC rules are transforming CFOs' role in cybersecurity oversight, especially at financial institutions (source). CFOs must now understand and guide their organization's entire cyber defense strategy.

Here's your 3-bullet summary:

  1. Expanded SEC Requirements: Public companies must promptly disclose material cybersecurity incidents and detail their risk management approaches.
  2. Front-End Involvement: CFOs need direct participation in vendor selection, crisis planning, and incident response protocols.
  3. Private Company Impact: While SEC rules target public companies, regulators increasingly expect similar approaches from private financial institutions.

Five Critical Threats CFOs Must Monitor:

1. Supply Chain Attacks

  • Hackers target less secure vendors to access your systems
  • Third-party breaches can cascade through interconnected networks
  • Requires comprehensive vendor security assessment protocols

2. Business Email Compromise (BEC)

  • Social engineering schemes becoming more sophisticated with AI
  • Direct financial impact falls under CFO oversight
  • Requires enhanced payment verification protocols

3. Ransomware

  • System lockdowns causing business interruption
  • Financial impact extends beyond ransom payments
  • Requires strategic decisions about cyber insurance coverage

4. Insider Threats

  • Our experience shows insider involvement in most financial institution cyber incidents
  • Current or former employees exploiting system access
  • Requires enhanced access controls and monitoring

5. Deepfakes

  • AI-generated content used for fraudulent transactions
  • Growing threat to financial operations
  • Requires new authentication protocols

So what?

For financial institutions, this shift means CFOs must:

  1. Lead from the front: Participate in cybersecurity planning before incidents occur
  2. Understand technical aspects: Know enough about cyber threats to make informed decisions
  3. Prepare for disclosure: Develop protocols for communicating cyber incidents to regulators

Even private institutions face mounting pressure to mirror public company cyber disclosure practices. The regulatory landscape keeps evolving, and staying ahead of requirements positions you better for what's coming.

Our Take

From hundreds of cyber incidents we've handled, insider involvement appears in nearly every financial institution case. While all threats require attention, insider risk deserves special focus from CFOs.

Three Actions for CFOs:

  1. Document your governance: Create clear protocols showing how cyber risks are identified, monitored, and managed.
  2. Build incident response plans: Develop and regularly test procedures for:
    • Initial breach response
    • Regulatory notifications
    • Stakeholder communications
  3. Review coverage stack: Understand how different policies respond to:
    • Direct cyber losses
    • Regulatory investigations
    • Third-party claims

Want to discuss how these changes affect your institution? Contact LION Specialty for a review of your cyber risk management approach.

Board Oversight in 2025: EY Warns of Rising D&O Exposure

Think of board oversight like flying a plane: You need to know your instruments, trust your co-pilot, and constantly scan for turbulence.

EY's 2025 Global Financial Services Regulatory Outlook suggests boards need to upgrade their flight instruments (source).

Here's your 3-bullet summary:

  • Board Understanding: Regulators expect deeper knowledge of risk management frameworks
  • Third-Party Focus: The CrowdStrike incident highlighted vulnerabilities in vendor relationships
  • Non-Bank Services: Financial institutions offering bank-like services face heightened scrutiny

What's Actually Happening?

Regulators are zeroing in on three key areas:

  1. Risk Framework Oversight:
    • How well boards understand their institution's risk landscape
    • Response plans for known weaknesses
    • Documentation of oversight procedures
  2. Vendor Management:
    • Third-party technology dependencies
    • Contingency plans for vendor disruptions
    • Ongoing monitoring processes
  3. Non-Traditional Services:
    • Lending activities by non-bank institutions
    • M&A advisory services
    • Other bank-like products

So What?

This matters more than you might think. Here's why…

The CrowdStrike incident showed how quickly third-party issues can ripple through the financial system. When a major cybersecurity provider faces disruption, it affects countless institutions simultaneously.

For boards, this creates a double bind:

  • You need third-party vendors to operate effectively
  • Those same vendors could expose you to significant risks

Meanwhile, regulators are watching how boards handle:

  • Known weaknesses in risk management
  • Responses to emerging threats
  • Oversight of non-traditional services

This combination creates perfect conditions for D&O claims:

  • Shareholders questioning board oversight
  • Regulators examining decision-making processes
  • Third parties seeking to shift liability

What Should You Do?

Three immediate actions:

  1. Map Your Risk Framework:
    • Document your current oversight structure
    • Identify gaps in board reporting
    • Create clear escalation procedures
  2. Review Vendor Relationships:
    • List critical technology dependencies
    • Update contingency plans
    • Document oversight procedures
  3. Assess Non-Traditional Services:
    • Catalog all bank-like services
    • Review regulatory requirements
    • Update compliance procedures

Our Take:

The regulatory landscape is shifting toward greater board accountability. Even if your operations haven't changed, your D&O exposure might increase.

The time to review your D&O coverage is now, before regulators identify weaknesses in your oversight framework.

Want to discuss how these regulatory shifts might affect your D&O coverage? Contact LION Specialty for a review of your current program.

The Bottom Line:

If you're a director or officer at an FI, your personal assets are on the line if your company faces a major claim.

That's why we created the D&O Contract Vigilance Blueprint, a free 5-day email course to help you:

  • Secure better D&O insurance: Learn how to avoid common policy mistakes and identify overlooked coverage gaps.
  • Protect your personal assets: Understand your potential liability and take steps to mitigate your risks.

>>> Get the D&O Contract Vigilance Blueprint

Don't wait until a claim hits to find out you're under-protected.


Thank you for reading today's edition!

Want to share this edition via text, email or social media?

Simply copy-and-paste the link below:

https://lionspecialty.ck.page/posts/21-states-changed-ai-rules-your-board-s-blind-spot-in-2025

And if you got this newsletter forwarded, you can subscribe here.

Stay Covered,

Natasha & Mark

Co-Founders and Managing Partners

Lion Specialty

