The following brief updates exemplify trends and areas of current focus of relevant regulatory authorities:
SEC Comments Following High-Yield Fund Sweep Exam
An April 14, 2016 article in The Wall Street Journal may ease the concerns of asset managers over the regulatory response to the sudden liquidation of the Third Avenue Focused Credit Fund in December 2015. Following the fund’s collapse, the SEC launched a sweep examination of approximately eighty high-yield bond funds. In connection with the sweep, the SEC requested information on liquidity management, pricing methodology and portfolio holdings, among other matters, with the apparent aim of determining whether it should issue a preemptive risk alert. The article stated that Marc Wyatt, Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), indicated that the examinations had not identified any risks that were systemic or widespread, and that OCIE would not recommend that the SEC issue an industry-wide risk alert. Director Wyatt’s remarks suggest that the SEC is unlikely to impose immediate restrictions on high-yield bond funds in direct response to the Third Avenue Fund collapse. However, as we reported in this IM Update, advisers’ liquidity controls for mutual funds and private funds exposed to potentially illiquid fixed-income securities were identified by OCIE as one of its examination priorities for 2016.
Broker-Dealer Settles Action for Deficient Privacy Policies and Procedures
On April 12, 2016, the SEC issued a settlement order against a broker-dealer, Craig Scott Capital, LLC, and two of its principals (collectively, “CSC”) involving allegations that CSC had violated Rule 30(a) of Regulation S-P (the “Safeguards Rule”). The Safeguards Rule requires broker-dealers, registered investment companies and registered investment advisers to adopt written policies and procedures concerning safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to insure the security and confidentiality of customer records and information.
The order stated that, from 2012 to 2014, CSC used non-firm email addresses to receive over 4,000 faxes from customers and other third parties. These faxes included sensitive customer information, including customer names, addresses, social security numbers, and bank and brokerage account numbers. In addition, the SEC alleged that, during the same period, the personal email addresses of CSC principals and certain employees had been used for business-related correspondence. The SEC claimed that CSC did not maintain or preserve these faxes or emails as required by Section 17(a) of the Exchange Act and Rule 17a-4 thereunder, and that the firm’s written procedures were not tailored to protect customer records and information, as required by the Safeguards Rule. In particular, the SEC alleged that CSC’s written policies and procedures failed to designate the responsible supervisor, failed to address how customer records and information transmitted through the fax system were to be handled, contained blanks as to how the firm would comply with the Safeguards Rule, and did not follow CSC’s actual practices.
The SEC did not allege that any of CSC’s clients were harmed as a result of the firm’s violations. Without CSC’s admitting or denying the SEC’s findings, the broker-dealer was censured and ordered to pay a $100,000 civil penalty, and each of the two principals was censured and ordered to pay a $25,000 civil penalty.
Commercial General Liability Insurance Covers Cyber Incident
On April 11, 2016, in an unpublished opinion,1 the U.S. Court of Appeals for the Fourth Circuit affirmed a federal district court ruling that Travelers Indemnity Company of America (“Travelers”) must defend its insured, Portal Healthcare Solutions, LLC (“Portal”), against a putative class action under Portal’s commercial general liability (“CGL”) policies.
Portal specialized in the electronic safekeeping of medical records, and Travelers issued Portal two substantially identical CGL policies in 2012 and 2013 that included an “advertising injury” section covering claims based on injury arising from the “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” or “discloses information about a person’s private life.” The putative class-action complaint alleged that Portal had published the two plaintiffs’ medical records on the Internet, based on the plaintiffs’ finding their own records when they searched for their names on the Internet.
Travelers unsuccessfully argued that its CGL policies did not cover the conduct alleged in the class-action complaint, contending that making the records accessible by online searching neither constituted “publication” nor gave “publicity” to a person’s private life (because only the patients viewed their own records).
Increasingly, CGL policies expressly exclude claims based upon data breaches and, in general, CGL policies are not a substitute for specialty cyber-risk and technology E&O policies. Nevertheless, the Fourth Circuit’s opinion highlights that there may be cyber-risk coverage under an existing CGL policy. For an insured to maximize its coverage across its insurance portfolio, it may be worthwhile to consider whether existing CGL coverage and other traditional coverage apply to cyber-risk incidents. The opinion also underscores the importance of understanding any changes to existing CGL policies that may have the effect of eliminating cyber-risk coverage.