NY Regulators Put Vendor Cyber Risk Squarely on Boards

This guest article first appeared HERE

Summary

The New York State Department of Financial Services issued cybersecurity guidance on October 21 requiring boards and senior officers to "engage actively in cybersecurity risk management, including the oversight of TPSP-related risks."

DFS warns that regulated entities remain fully responsible for compliance even when outsourcing to vendors.

Financial institutions increasingly rely on cloud providers, AI platforms, and fintech partners. DFS observed entities outsourcing critical cybersecurity functions without maintaining appropriate oversight.

(Source: https://www.dfs.ny.gov/industry-guidance/industry-letters/il20251021-guidance-managing-risks-third-party)

So what?

DFS will enforce these requirements through examinations and investigations.

The agency states it "has and will continue to consider the absence of appropriate TPSP risk management practices by covered entities in its examinations, investigations, and enforcement actions."

Boards need to understand which vendors have "privileged access" (those performing security functions beyond ordinary users).

These providers include IT managed services, outsourced help desks, and claims management systems. The guidance demands risk-based mitigation plans tailored to each vendor's specific threat profile, not generic compliance checklists.

For institutions operating in New York or with New York licenses, vendor management just became a board-level priority with personal accountability attached.

"AI Washing" Litigation Accelerates, Putting D&O Market on Alert

"AI Washing" is a term for what happens when a company exaggerates, misleads, or lies about how much it uses artificial intelligence (AI) in its products or services.

Think of it like "greenwashing," where a company might claim its products are "eco-friendly" when they really aren't.

In AI Washing, a company might say its platform is "powered by advanced AI" to sound impressive and attract investors, making its stock price go up. In reality, the "AI" might be a simple computer program or, in some cases, just people doing the work behind the scenes.

It's basically false advertising for technology. Regulators and investors treat it as a serious problem, like lying about your company's sales figures.

As a result, the corporate liability risk from Artificial Intelligence is no longer theoretical.

A sharp escalation in litigation shows "AI Washing" has become a primary target for plaintiffs' attorneys and regulators. While AI-related securities class actions were rare just two years ago (7 filings in 2023), they doubled to nearly 15 in 2024 and are on pace to set another record in 2025, with 12 filings in the first half of the year. This velocity has surpassed new filings related to crypto and COVID-19.

Regulators are treating this as old-fashioned fraud, not a tech issue. The SEC has already fined investment advisers Delphia and Global Predictions for "AI Washing"—falsely claiming AI-driven investment strategies. But the risk goes beyond marketing. JPMorgan Chase is now facing a lawsuit from a fintech partner alleging the bank stole its proprietary AI. This new wave of litigation carries a high price: the average settlement for such claims in the first half of 2025 spiked to $56 million, a 27% year-over-year increase.

(Various Industry Sources for Securities Class Action Stats & LION Specialty’s Editorial Team)

The LION Lens

What happened — Securities class actions tied to "AI Washing" are accelerating, doubling last year and on pace for a record-breaking 2025.

Why it matters — The financial stakes are now clear. Regulators are winning cases, and settlements are costing companies an average of $56 million. This is a new, verifiable, and expensive class of D&O risk.

Practical implications — Your company's public statements - in earnings calls, investor decks, SEC filings, and marketing materials - are now a primary liability for your Directors & Officers. The risk is twofold: either your AI fails, or your promises about it do.

So what?

We are in the hype phase of a new technology, and this wave of litigation is the first sign the bubble is under pressure. The analogy to the dot-com bubble is critical.

The D&O insurance market, which had just begun to stabilize, is now facing its next systemic crisis.

This is what's coming:

  1. Aggressive Underwriting: Carriers will now demand to know exactly what you are saying publicly about AI, what revenue you attribute to it, and how you verify those claims.
  2. Targeted Premium Hikes: Any company with a high-profile AI-driven product or a stock price heavily tied to AI will be seen as a "high-risk" D&O account and will face higher rates and retentions.
  3. New Exclusions: We may begin to see more insurers attempting to add new exclusions related to the "failure to perform" of AI products or for "misrepresentation" of AI capabilities. See our recent piece on this in the link below…

Your D&O renewal is no longer just a financial transaction; it's a legal and reputational audit of your AI strategy.

Carriers Deploy AI Everywhere (Except Your Coverage)
Berkley's sweeping AI exclusion and why financial institutions face impossible choices as AI integration accelerates while coverage evaporates

The LION POV

This is a board-level disclosure risk, not an IT risk. Our job is to make sure your marketing and investor relations teams aren't writing checks your D&O policy can't cash.

Here is our specific advice:

  1. Audit Your AI Disclosures: We advise clients to conduct a proactive review of all public-facing statements about AI before they go to their D&O renewal. We help you identify and challenge "AI Washing" language that could be targeted by plaintiffs' attorneys.
  2. Connect Your Risks: The case against Innodata (using offshore workers to fake AI) is a perfect example of how Third-Party Service Provider (TPSP) risk and D&O risk are the same problem. Your vendor management program is now a critical defense in a shareholder lawsuit. We help you demonstrate that control.
  3. Prepare for the Renewal: We proactively prepare a narrative for underwriters that demonstrates your AI governance, your controls over public statements, and your robust TPSP due diligence. In this new market, you must prove you are a best-in-class risk.

Before your next earnings call or investor day, let's discuss how your AI story will be read by a plaintiffs' attorney—and your D&O underwriter.

Nobody’s Talking about This Cyber Exposure

If your leadership team is still treating cyber risk as an IT-budget or operational-cost problem—a "drag on the expense ratio"—you are fundamentally exposed.

That's not the risk that will kill you.

Our new two-part Wednesday Intelligence series, The "Cyber Hurricane," is about the other side of the balance sheet. It's the strategic conversation CROs, CFOs, and CUOs need to be having about the "compensated" risk you are all hungrily underwriting.

Why read this? Because this isn't another "best practices" piece from an IT vendor. It's a boardroom-level brief on an existential threat, built from a candid CFO conversation.

  • Part 1: "The Elephant in the (Server) Room," exposes the "Victim vs. Aggregator" blind spot. It explains why your "diversified" cyber portfolio is actually a single, correlated catastrophe—one you're pricing like property when the correlation is near-total.
  • Part 2: "How the Model Breaks," is the 24-hour financial triage. We map the exact, step-by-step breakdown of how a single systemic exploit creates a liquidity squeeze, an IBNR nightmare, and a reinsurance black hole when the "one event" clause is inevitably debated.

This is the conversation that's happening right now in the boardrooms of carriers who understand this isn't a P&L hit; it's a solvency crisis. The smart ones are already re-evaluating their capital allocation and reinsurance towers. This series gives you the playbook.

Read the full analysis: [The Elephant in the Server Room - Part One]

Part Two releases next week with the survival playbook for when systemic cyber events hit. Can't wait? Email flippen@lionspecialty.com with "Cyber Hurricane" in the subject line for immediate access.

The Bottom Line

The pressure on boards is now coming from two directions.

Regulators in New York are making you personally accountable for your vendor's cybersecurity failures. Simultaneously, shareholders are suing directors for your own company's "AI Washing," with settlements now averaging $56 million.

This is the new D&O pincer: you are liable for your TPSP's tech, and you are liable for your own tech.

If you're a director or officer at a financial services firm, these dynamics directly impact your institution's protection and your personal exposure.

That's why we created the D&O Contract Vigilance Blueprint. It's a 5-day email course to help you:

  • Secure better D&O insurance: Learn how to avoid common policy mistakes
  • Protect your personal assets: Understand your potential liability

>>>Get the D&O Contract Vigilance Blueprint

Don't wait until a claim hits to find out your institution is under-protected.

Thank you for reading today's edition!

Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

https://lionspecialty.kit.com/posts/writing-checks-your-d-o-coverage-can-t-cash
