The Governance Standard Changed for Financial Institutions, It's Noisy, and Nobody Sent a Memo



Your Friday Five:

Every week our team rips through 200+ insurance, legal, regulatory, and market-risk articles so you don't have to!

  • We're opening this edition with our own analysis. The governance standard has shifted, and most FI boards are operating on a definition that no longer matches what regulators, courts, and carriers are measuring.
  • Liberty Mutual's CIO is rewiring a $50 billion insurer around AI with governance first, technology second. The discipline behind it is what most financial institutions are still missing.
  • Travelers is placing "fewer, bigger bets" on AI with budget-embedded accountability. And 50% of policyholders already prefer filing claims through AI.

The Governance Standard Changed for Financial Institutions, It's Noisy, and Nobody Sent a Memo

Summary

Everyone is talking about governance. Almost nobody is explaining what it actually requires now.

Boards aren't failing at governance. They're operating on a definition that no longer matches what regulators, courts, and carriers are measuring. The Caremark "duty to monitor" used to cover financial and compliance risk. Courts have expanded it into AI deployment, cybersecurity oversight, and geopolitical exposure. The question plaintiffs ask now is whether the board had a documented system to govern it. And a Caremark failure is a breach of the duty of loyalty, not the duty of care. That is significantly harder to exculpate through indemnification or insurance.

The NYDFS reinforced this in October 2025. Its guidance requires Senior Governing Bodies to exercise "credible challenge" to management's cybersecurity decisions, including third-party oversight and incident response planning. Credible challenge means the board engages substantively with what management presents. Not just receives it.

So what?

We wrote the full analysis this week because the numbers demanded it.

88% of organizations are deploying AI. Only 25% have a board-approved governance policy. That 63-point spread is where the next generation of D&O claims lives, and average settlement values have climbed 27% to approximately $56 million. But AI oversight is only one of three exposure categories we break down.

The full essay covers:

  • cybersecurity board literacy: where organizational investment and board competency are moving in opposite directions
  • insolvency documentation: where recent case law is holding directors personally liable for failures to document
  • the pricing / severity asymmetry that gives every FI board a closing window to act

Carriers offering favorable D&O terms today are simultaneously tightening the governance signals they evaluate at renewal. The parallel to cybersecurity governance five years ago is exact. Boards that built the infrastructure early locked in favorable terms for years.

Read FLIP's full analysis here: FI Board Governance: State of Play

What follows: two of the most respected carriers in our industry, already building best-in-class AI governance infrastructure. Many of our financial institution clients and their boards could take a page from these playbooks.

Liberty Mutual's $50 Billion AI Strategy Starts with Governance, Not Technology!

Summary

Liberty Mutual CIO Monica Caldas is executing an enterprise AI transformation across 40,000 employees at the sixth-largest global P&C insurer.

What stands out isn't the technology ambition but the governance discipline. It's a Digital Progression Framework that enables employees to learn, test, and deploy AI responsibly while maintaining institutional controls. The company now has 50 AI use cases in production, with LibertyGPT (its secure, internal gen AI platform) deployed enterprise-wide.

Before any employee accessed the platform, Caldas established a Responsible AI Steering Committee, a mandatory training program, and Executech, an executive program raising AI literacy among senior leaders. Smart!

The LION Lens

What happened — Liberty Mutual has moved 50 AI use cases from experimentation to production under a governance-first framework, deploying AI tools to 40,000 employees while explicitly rejecting tool proliferation in favor of platform discipline.

Why it matters — Caldas' framework is the operational proof of what the governance standard above demands. Boards that can demonstrate this kind of documented AI governance (use case selection criteria, input/output standards, sponsorship, measurement) will be best positioned on their corporate liability and D&O programs at renewal.

So what?

Caldas describes AI adoption as a "vulnerable moment" for employees, a personal transformation requiring safe spaces to develop intuition.

Liberty Mutual built an entire support structure around this: a gen AI hub, an AI@Liberty peer community, a change champion network, and executive AI literacy training. When the help desk team rebuilt its workflow using gen AI, it automated 80% of the process and the technology team was redeployed to higher-complexity work.

The companies building this kind of infrastructure now will demonstrate defensible governance when the next wave of AI-related claims arrives.

The LION POV

Here's how we're advising clients:

  • Audit your AI governance documentation against the current standard. If your board cannot produce a written AI governance policy, a catalogue of deployed use cases, and documented oversight procedures, you are sitting in the 63-point spread between adoption and oversight that is generating D&O claims.
  • Through your broker, evaluate whether your carrier's internal AI governance discipline matches the standards they're applying to your renewal. Carriers with this rigor are better risk partners.
  • Build a training-and-access model: every employee touching AI tools should have documented training and clear usage guidelines. This is a renewal advantage, not a best practice.

One caution! Governance documentation that reveals known deficiencies without remediation plans can become discoverable in litigation. Document the framework and the remediation timeline.

Source: (CIO)

Want to discuss how your institution's AI governance documentation stacks up headed into your next renewal? Contact LION Specialty for a confidential review.

Travelers' "Fewer, Bigger Bets," and What their 50% Digital Claims Play Could Mean for Your Board

Summary

Travelers EVP and CTOO Mojgan Lefebvre is pivoting from AI experimentation to AI scale.

Travelers is concentrating investment in fewer, higher-impact initiatives. The discipline runs through a two-tier model. Approximately 10,000 technical employees receive personalized AI assistants through an Anthropic partnership, while 30,000+ employees access frontier capabilities through TravAI, the company's internal agentic platform. A separate OpenAI partnership powers a fully agentic AI Claim Assistant for inbound claims calls.

The early numbers are worth watching.

Approximately 50% of policyholders reporting a first notice of loss already prefer doing so digitally, defaulting to the AI Claim Assistant with strong acceptance. More than 20,000 of 33,000 employees were using AI tools regularly by Q4 2025.

So what?

Lefebvre's accountability standard is worth studying.

AI commitments must be embedded in budgets and plans, not treated as innovation experiments. Success metrics span operational (claims resolution speed), financial (engineering efficiency), and organizational (adoption rates) dimensions. That is the accountability architecture we described above. Many of our regional and mutual insurer clients, and even our MGAs, and their boards could benefit from being a close follower.

The dual-vendor discipline seems deliberate. And arguably the best of all worlds. Anthropic for engineering and analytics, OpenAI for conversational voice AI. Lefebvre's rationale is that too many partners introduce complexity. FI boards managing their own AI vendor relationships could benefit from benchmarking against this discipline.

The 50% digital FNOL number points to where claims are heading over the next three to five years. One issue worth watching: when an AI Claim Assistant provides incorrect policy-specific guidance, the E&O and bad faith exposure implications are real, both for carriers deploying the technology and for FI clients experiencing the claims process on the other side.

Source: (Fortune)

The Bottom Line

The governance standard has shifted, and two of the largest carriers in the country are building the infrastructure to meet it. Liberty Mutual is rewiring 40,000 employees around governance-first AI deployment. Travelers is consolidating AI investment into fewer, measured, budget-embedded bets. Both are moving during a soft D&O market. Based on historical market cycles, that is exactly when the boards that act first lock in the advantage that lasts through the next correction.

The specific action for Monday: direct management to present a written AI governance framework, including deployed use cases, oversight procedures, and measurement criteria, at the next scheduled risk committee meeting.

In Case You Missed It!

A couple of weeks ago we launched our Six-Line Silent AI Audit series, a three-part Wednesday Intelligence series mapping a financial institution's core policies against the AI exposures most insurance policies were never written to address.

Part 1 covered D&O and EPLI, where "wrongful act" definitions assume a human decided and algorithmic discrimination doesn't map to your form's coverage trigger. Part 2 covered E&O and Cyber, where the professional/product liability boundary for AI-assisted advice is unsettled in every court and deepfake wire fraud falls between three coverage sections without triggering any of them cleanly. Part 3 delivers the full audit framework across Fiduciary and Crime/FI Bond, plus the governance documentation underwriters at leading FI writers are asking for at renewal.

Stay Covered Out There Y'all,

TASH & FLIP

Co-Founders and Managing Partners

LION Specialty

P.S. Boards get exposed by D&O mistakes they never see coming. We built a 5-day email course on what to watch for. Comment BLUEPRINT and we'll send it.

P.P.S. Nothing in this briefing constitutes legal advice. These are the opinions of the founders. It's market intelligence designed to help you ask better questions of your advisors and make sharper decisions at your next insurance renewal.
