8,000 companies' user data at risk (plus President Trump's "one rule" and state AI regulations)



Reading time: 5 minutes

Your Friday Five

Every Friday we distill 200+ insurance, legal, and market-risk articles into three signals your board may need for its Monday briefing.

Three developments caught our attention this week:

  • OpenAI terminated its analytics vendor after a breach exposed customer data - a reminder that your third-party risk is your first-party problem.
  • President Trump announced and signed a "One Rule" Executive Order seeking to preempt state AI regulations. We break down what this means for compliance programs built around the NAIC Model Bulletin.
  • In case you missed it Wednesday: Why we built a 40-page Lloyd's manuscript when standard FI policies run 150-200 pages of deliberate ambiguity.

OpenAI's third-party vendor breach shows why your vendor risk is your risk

Summary

Analytics provider Mixpanel disclosed a breach on November 26 - the Wednesday before Thanksgiving, at the quietest possible moment for news.

The disclosure said almost nothing. Mixpanel acknowledged detecting "unauthorized access" on November 8 and taking actions to "eradicate" it - but omitted what was taken, how many customers were affected, and how hackers got in.

Two days later, OpenAI published its own disclosure confirming what Mixpanel had not: customer data was actually stolen, including names, email addresses, approximate locations derived from IP addresses, and device information. OpenAI terminated Mixpanel immediately.

Mixpanel has 8,000 corporate customers.

Each of those customers may have millions of end users. The breach scope remains unknown because Mixpanel isn't talking - its CEO hasn't responded to press inquiries about whether hackers made ransom demands or whether employee accounts had multi-factor authentication.

(source: techcrunch.com, OpenAI)

So what?

Analytics vendors collect significant behavioral data - often more than organizations track in their vendor inventories.

Companies like Mixpanel embed code in apps and websites that tracks every tap, click, swipe, and page view.

That data gets attached to device identifiers, timestamps, network information, and user IDs. Mixpanel even offers "session replays" - visual reconstructions of how users interact with your product. According to Mixpanel's own documentation, these recordings can inadvertently capture sensitive information that should have been excluded.

For financial institutions, the question is: which of your vendors collect behavioral data on your customers, and what would you have to disclose if they got breached?

This connects directly to the NY DFS third-party guidance we covered in October.

Regulators already expect boards to understand which vendors have "privileged access" to customer data. A breach at your analytics provider, your CRM platform, or your marketing automation tool creates the same notification obligations as a breach of your own systems.

Monday morning action: Ask your technology team which vendors have tracking code embedded in your customer-facing applications. Map what data flows to each. If you don't know, that's your answer.

President Trump's "One Rule" and State AI Regulations

Summary

The discussion on federal versus state AI oversight has intensified.

President Trump announced on Truth Social and signed a "One Rule" Executive Order. The order seeks to establish a unified federal framework by preempting state-level AI regulations.

Leaked drafts outline two key enforcement approaches. First, a Department of Justice task force to challenge state laws in court, based on federal authority over interstate commerce. Second, provisions to withhold federal funding from states enforcing what the administration views as "burdensome" AI rules.

This follows the July legislative effort, in which the Senate removed an AI moratorium provision from the budget reconciliation bill. With congressional action unsuccessful, the administration is now advancing the initiative through executive measures.

(source: The White House)

The LION Lens

What happened: President Trump signed an Executive Order seeking to preempt state AI regulations, using DOJ litigation and potential funding adjustments, after a legislative attempt in July did not succeed.

Why it matters: Financial institutions have invested in compliance programs aligned with state requirements and the NAIC Model Bulletin over the past six months. (source: NAIC)

Practical implications: The insurance sector now navigates a potential overlap between active state AI rules and this federal proposal. States continue enforcement without pausing for legal outcomes.

So what?

Current legal frameworks support state authority, at least initially.

Executive orders face challenges in preempting state insurance regulations due to the McCarran-Ferguson Act, which reserves such oversight to states. Courts have historically upheld this structure, and any federal override could prompt constitutional questions. (source: NatLawReview)

State regulators remain committed to their timelines.

Colorado's AI governance rules took effect on October 15, 2025, with ongoing enforcement. New York's Department of Financial Services, under Superintendent Adrienne Harris, continues to implement AI guidelines for insurance. The NAIC issued commentary in September affirming state roles and opposing federal moratoriums.

No states have signaled a halt to enforcement while legal proceedings unfold.

The issue draws bipartisan perspectives. Florida Governor Ron DeSantis described the proposal as potential federal overreach, emphasizing protections for state interests. This aligns with concerns from California's Democratic Attorney General on regulatory authority, highlighting cross-party agreement. (source: CBS)

For compliance strategies, timing is key. Litigation could extend for months or years, during which state rules apply. Institutions pausing efforts in anticipation of federal changes may face regulatory penalties.

The LION POV

Our guidance for clients:

Proceed with state-level compliance. President Trump's "One Rule" initiative faces legal hurdles, so rules like Colorado's AI bias testing and New York's oversight remain in effect until resolved by courts.

Build and document your governance systems. These will meet or exceed potential federal standards if preemption occurs, or ensure compliance if states prevail - providing value in either scenario.

Focus on judicial developments over initial announcements. Monitor DOJ filings and state responses for binding requirements.

Organizations that establish AI governance in 2025 will be well-prepared for 2026 outcomes. Delaying for clarity could prolong uncertainty.

Want to discuss how the federal-state conflict affects your AI compliance program? Contact LION Specialty for a confidential review.

In case you missed it: How we built a 40-page policy when standard forms run 200

Summary

We published a deep dive Wednesday on the Lloyd's manuscript program we've developed for U.S. insurance operations.

The core problem: standard FI policies run 150-200 pages of deliberate ambiguity. Master policy says one thing. Endorsement A modifies it. Exclusion B contradicts both. Amendment C changes everything again. This complexity isn't accidental - it creates flexibility for carriers and arguments for lawyers.

We went the opposite direction. Our manuscript consolidates D&O and E&O into 40 pages. One lead carrier writes all lines. General terms in one section. Coverage grants in another. You read it linearly, beginning to end, and know exactly what you have.

The form reflects four generations of refinement, analysis of twenty-plus carrier forms from London and the U.S., and backing from eight Lloyd's syndicates.

So what?

When external chaos reigns - vendor breaches, regulatory whiplash, market uncertainty - what you control matters more.

Whether your analytics vendor gets hacked, federal courts uphold state AI laws, or carrier appetite shifts, those forces sit outside your control.

But you can control what your policy actually says.

Whether coverage responds clearly when you need it. Whether provisions coordinate with your reinsurance instead of conflicting with it. Whether the form protects the business you're actually running or the business generic language assumes you run.

We built this program because clarity becomes the premium asset when everything else is in flux. (The Lloyd's manuscript authority took twenty years of trading relationships to earn - but the real value is coverage that responds when you need it.)

Read the full breakdown here - or book a live policy comparison to see how your current program stacks up.

The Bottom Line

Your exposure increasingly lives outside your walls. A vendor's breach triggers your notification obligations. A federal-state regulatory conflict determines your compliance requirements. External forces create the chaos; your contracts determine how you survive it.

That's why we created the D&O Contract Vigilance Blueprint. It's a 5-day email course to help you:

• Secure better D&O insurance: Learn how to avoid common policy mistakes

• Protect your personal assets: Understand your potential liability

>>> Get the D&O Contract Vigilance Blueprint

Don't wait until a claim hits to find out your institution is under-protected.

Thank you for reading today's edition!

Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

http://lionspecialty.ck.page/posts/8-000-companies-user-data-at-risk-and-trump-just-threw-ai-compliance-into-chaos

And if this briefing was forwarded to you, subscribe directly here.


Stay Covered,

Natasha & Mark

Co-Founders and Managing Partners

LION Specialty


Everything you need to know to navigate the financial institution insurance market in ≈ 5 minutes per week. Delivered on Fridays.
