Monthly Archives: September 2015

Cybersecurity and the Financial Firm


You may have become associated with a broker-dealer or investment adviser because your background was finance. Or marketing. Or even political science, law, or psychology. Not technology. So why is cybersecurity your problem?

Because the regulators have said it is.

Starting in 2014, the SEC “launched an initiative to examine broker-dealers and investment advisers’ cybersecurity compliance and controls” and would “continue th[o]se efforts [in 2015] and…expand them….”[a]  Specific to investment advisers, the SEC provided guidance this year that funds and advisers “may wish to consider,” and which includes:

  1. periodic assessments of a firm’s unique information gathering and storage, unique or general cyber threats to the firm and its clients, and technology to mitigate those threats;
  2. “a strategy…designed to prevent, detect and respond to cybersecurity threats”; and
  3. implementation of that strategy “through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.”[b]

Likewise, FINRA has made it clear that broker-dealers “should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.”[c]

The regulators have backed up their admonitions with bite. As of May 2014, “[t]he SEC and FINRA…brought more than 10 enforcement cases against firms based, at least in part, on cybersecurity-related failures.”[d] Those failures included “(1) cybersecurity governance; (2) protection of firm networks and customer information; (3) vendors and outsourcing; and (4) responding to cybersecurity breaches.”[e] And those violations were costly. The sanctions for those breaches ranged “from … $100,000 to $450,000. The only exception [was] a $27,500 fine imposed against a small firm…for a procedural violation without any customer harm.”[f]


What does a financial firm need to do? For starters, create a protocol to identify cyber risk unique to that firm and then create a process to manage that risk. Recently, a federal agency (the Federal Financial Institutions Examination Council (FFIEC))[g] facilitated that process by publishing its Cybersecurity Assessment Tool.[h]  According to the FFIEC, the Tool helps “institutions identify their risks and determine their cybersecurity preparedness[, and]…provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”[i]   As such, it provides some reassurance for firms, since the structure of the Tool “confirms regulatory focus on risk mitigation and adequate management of cybersecurity preparedness, not wholesale elimination of all risk of cyber breaches.”[j]

Financial firms may mitigate some future pain by using this tool. “This [FFIEC] guidance may…impact how regulators, or in the event of a problem, courts hearing civil lawsuits, assess both the institution’s level of preparedness and how the company’s directors and officers discharged their responsibilities in creating and maintaining cybersecurity measures.”[k] And the risk mitigation isn’t just for the financial firms. It is also for their officers and directors: “FFIEC set forth specific expectations for the boards of financial institutions (as well as their CEOs), signaling not only the importance of governance in enterprise-wide cybersecurity risk management, but clarifying that future regulatory examinations will focus specifically on whether the Board fulfilled its cybersecurity-related responsibilities.”[l]

Cybersecurity is now practically old news. Firms should not only have written cybersecurity protocols in place, but should be tweaking and testing their existing systems and documenting all cyber breaches. Doing so is not only good business; it shows the kind of firm-wide diligence that might reassure the regulators that your firm is “on it.” Cyber threats will only become more sophisticated, and cybersecurity will continue to be a priority with the regulators, as data breaches and their consequences continue to headline the news. Do what’s necessary. Use the Cybersecurity Assessment Tool, or whatever other tool does the job, to assess the effectiveness of your protocols. Don’t become the subject of a regulatory enforcement referral because you or your firm fell short.


Bohdan S. Ozaruk

Attorney, Jones Morrison, LLP

[a] SEC National Exam Program, Examination Priorities for 2015, at 3, located at

[b] IM Guidance Update, No. 2015-02 (Apr. 2015), at 1-2, located at

[c] FINRA Report on Cybersecurity Practices (Feb. 2015) (“FINRA Report”), at 2, located at

[d] B. Rubin, What To Expect From SEC, FINRA Cybersecurity Enforcement (May 5, 2014) (“B. Rubin, What To Expect”), located at

[e] B. Rubin, What To Expect

[f] B. Rubin, What To Expect

[g] The FFIEC “is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions.”

[h] Located at


[j] A. Swaminathan, J. Halper, A. Kim, H. Ullman, N. Nahabet, New Guidance for Financial Institution Directors and Officers In Cybersecurity Preparedness (Aug. 26, 2015), at 1, located at -and-Publications/Pages/New-Guidance-for-Financial-Institution-Directors-and-Officers-In-Cybersecurity-Preparedness.aspx

[k] A. Swaminathan, J. Halper, A. Kim, H. Ullman, N. Nahabet, New Guidance for Financial Institution Directors and Officers In Cybersecurity Preparedness (Aug. 26, 2015) (“New Guidance-Cyber”), at 1, located at -and-Publications/Pages/New-Guidance-for-Financial-Institution-Directors-and-Officers-In-Cybersecurity-Preparedness.aspx

[l] New Guidance-Cyber, at 1.


Insurance Law – Eroding Limits Policies


An eroding limits policy is a policy where defense costs are considered part of the loss and therefore reduce, or exhaust, the limits available under the policy to pay damages or settlement costs. Effectively, every dollar spent in the defense of an action under an eroding limits policy is a dollar less that will be available to settle or satisfy a judgment. This can cause conflicts between the insured, the insurer, and counsel hired to defend the action. The types of policies in which an eroding limits clause may be included range from commercial lines policies to Professional Liability, Directors & Officers Liability, and Employment Practices Liability policies.

Eroding limits policies have become increasingly common in recent years. They have been held to unambiguously terminate an insurer’s contractual duties once defense costs exceed the stated limits. The issue in most cases is whether the policies actually include the requisite language to enact an eroding limit. In most states, where an ambiguity exists, it is enforced as against the insurer. Therefore, to effectively create an eroding limits clause, explicit language is required.

For defense counsel, the presence of an eroding limits clause places a premium on early resolution, accurate budgeting, advance discussions with the insured and the insurer regarding litigation decisions that will affect the costs of defense and accurate disclosure of the remaining limits as the case continues.

Eroding limits policies have the potential to create bad faith litigation by the insured against the insurer, based on the insured’s failure to adequately control the cost of defense. Bad faith claims often arise out of attorney costs. These disputes usually center on an insurer’s ability to insist on market standard hourly rates, or to limit litigation to necessary activities. It is generally understood that such policies necessitate handling matters differently. For example, if the value of a claim approaches or might exceed the policy limit, certain investigative costs (observation, site inspections, expert analysis) may not ultimately be in the best interest of the policyholder, as such expenses directly undercut the available policy limit. This creates a strain between the insured, the insurer and the attorney. An attorney, concerned that an investigation may ultimately not reveal any new information, may be hesitant to explore options that could lead to a stronger defense, as the expenses will be viewed as a bad faith activity by the insurer.

To minimize these issues, the insurer and defense counsel must regularly update the insured on all steps taken in the defense of the case. To protect against prospective bad faith suits, the attorney may even seek approval for those steps directly from the insured. Further, the insurer should endeavor to make an early assessment of the case, and take steps to make good faith efforts to achieve a settlement within limits. Settlement becomes a very important function under a defense-within-limits policy. Evaluating the reasonableness of a potential settlement is fact-sensitive. Early mediation, after some factual groundwork has been established, is an effective tactic for preventing excessive defense costs.

Dan Morrison

Partner, Jones Morrison, LLP