ADDITIONAL RISK CONSIDERATIONS

Emerging topical & industry-specific risks

There is no shortage of risks that should be on public and private companies' radars in the current regulatory climate, including some that affect certain organizations more than others.

ADDITIONAL KEY TOPICS TO CONSIDER INCLUDE:

TARIFFS & GEOPOLITICAL RISKS

Shifting reciprocal tariffs continue to create operational and financial uncertainty for U.S. companies, increasing both litigation risk and scrutiny by directors and officers liability (D&O) underwriters. Several organizations have already faced shareholder suits alleging inadequate disclosure of tariff impacts, with more expected as trade policies evolve. After the Supreme Court’s February ruling that most 2025 tariffs imposed under the International Emergency Economic Powers Act are unconstitutional, companies filed hundreds of refund claims in the Court of International Trade, driven by uncertainty over timelines and administrative processes.

Boards now face heightened exposure to allegations of poor oversight, insufficient risk management, and inadequate governance. With a creative plaintiffs’ bar, allegations could include failure to appropriately anticipate or respond to rapidly shifting tariff policies, failure to reassess supply chain or financial risks in a timely manner, or a lack of adequate governance frameworks for managing evolving geopolitical pressures. Organizations should reassess governance practices, document board level risk evaluations, and strengthen disclosures to mitigate potential D&O claims.

ANTITRUST ISSUES

In 2024, the DOJ and Department of Health and Human Services announced a joint inquiry into the role of private equity in healthcare, signaling a new direction in regulatory investigations into business transactions. More recently, on Jan. 30, 2026, the FTC and the DOJ issued warning letters to 42 U.S. law firms regarding potentially unfair and anticompetitive employment practices tied to DEI hiring initiatives, marking a new application of traditional antitrust concepts to policy-driven activities. The costs of defending antitrust enforcement actions can quickly mount into millions of dollars.

CRYPTOCURRENCY & DIGITAL ASSETS

The Trump administration views cryptocurrency and digital assets favorably. In the Biden administration, lawsuits and investigations in the digital asset space were relatively frequent, whereas the current administration sees this space as important to financial innovation, with benefits for consumers and investors. In 2025, the SEC prioritized development of a crypto task force to create a “comprehensive and clear regulatory framework for crypto assets.” Stablecoin legislation — the GENIUS Act — was also passed in 2025. Additional comprehensive market structure legislation to clarify the roles and responsibilities of the SEC and Commodity Futures Trading Commission, among other things, is slowly moving through Congress.

01 Financial institutions

Regulatory and compliance risks dominate financial institution board agendas. Other top priorities include financial disclosures, consumer protection, cybersecurity, data and regulatory governance, financial crime and fraud, operational and financial resilience, and reputational and conduct risk.

While many in the financial sector expect regulatory easing to unlock growth, boards recognize that even in a “friendly” political climate, regulatory expectations persist. The tone may shift, but the exposure remains — and there will continue to be expectations around robust internal controls and compliance frameworks.

Regulatory exposures include:

  • Prudential capital and liquidity requirements.
  • Sales and market conduct rules.
  • Consumer and investor protection regimes.
  • Anti-money laundering and sanctions frameworks.
  • Cybersecurity and data privacy obligations.
  • Disclosure and governance standards varying by sector, product, and jurisdiction.

Regulatory coverage is available for many financial institutions, and the marketplace for D&O and errors and omissions (E&O) insurance is generally favorable. Risk can be transferred through D&O and E&O policies, but coverage varies materially by policy form and carrier. For example, some policies are triggered by informal or preliminary regulatory investigations or inquiries, while others are only triggered once an investigation results in a formal legal, administrative, or enforcement proceeding.

02 Education

The higher education sector is in the crosshairs of the current administration regarding DEI programs and social justice initiatives. The administration has sought to tighten or, in some cases, block federal funding for research and grants, sending target letters ordering schools to adopt a particular approach. Loss of federal research grants can devastate schools already operating under financial pressure.

Additional regulatory challenges for the education sector stem from a massive influx of money in collegiate athletics, with institutions scrambling to protect their nonprofit status, and perceived bias in student admissions and financial aid.

Cyber and privacy regulatory risk is intensifying for both K-12 and higher education as regulators increasingly treat schools and education-technology ecosystems like consumer-data businesses, with heightened sensitivity when minors’ data is involved. Federal enforcement has focused on student data collection, retention, and baseline security controls under the Children’s Online Privacy Protection Act (COPPA) and FTC Act “unfair or deceptive practices” theories.

Notable examples include:

  • The FTC’s 2023 action against technology platform Edmodo, which resulted in a suspended $6 million COPPA penalty and injunctive relief centered on excessive data collection and misuse for advertising.
  • The FTC’s 2025 action against technology provider Illuminate Education, which alleged failures to implement reasonable security safeguards and deficiencies in breach handling and representations.

At the state level, New York’s 2024 $750,000 settlement with the College Board under Education Law §2-d highlights growing scrutiny of student data monetization and licensing practices, even in the absence of a traditional ransomware or extortion event.

From an insurance and claims perspective, these developments are translating into multi-vector losses that blend first-party cyber response costs with regulatory investigations, privacy litigation, and vendor liability disputes.

Common claim scenarios include:

  • Breaches involving third-party learning or assessment platforms that trigger forensic costs, notification, and credit monitoring, and that often include parallel state attorney general investigations into vendor oversight and breach-notice timing.
  • Privacy suits tied to tracking pixels or analytics embedded in admissions portals, student portals, or video content (often pleaded under the Video Privacy Protection Act or similar theories).

These claims frequently hinge less on technical intrusion and more on consent, disclosures, and data-sharing mechanics, increasing pressure on cyber and technology E&O policies, where coverage may be constrained by privacy statutory damages exclusions. Organizations must understand their policies' “wrongful collection” provisions and regulatory and antitrust carveouts.

03 Healthcare

Healthcare entities face turmoil and chaos in this regulatory environment, including significant shifts at the federal level and more oversight pushed to states. For example, the current administration is seeking to dismantle the Affordable Care Act and enhanced premium tax credits enacted in recent years. The Centers for Medicare and Medicaid Services is also prioritizing enforcement of the False Claims Act and medical payment reviews by recovery audit contractors to collect sizable fines and penalties.

Under the False Claims Act, so-called qui tam lawsuits — filed by federally protected whistleblowers — are spiking due to consumer frustration with the healthcare system. An uptick in D&O litigation against healthcare organizations has led insurers to restrict or narrow regulatory coverage to include defense expenses only. Other insurance markets are restricting coverage for regulatory and antitrust matters. Conditions in the D&O insurance marketplace for healthcare industry buyers are stable, with retentions tightening.

04 Private equity

Private equity operates within a complex regulatory landscape. Both private equity portfolio companies and the fund vehicles that manage them face unique exposures stemming from four primary sources:

  • Financial market regulators (such as the SEC).
  • Tax authorities at the federal, state, and foreign levels.
  • Industry‑specific regulators overseeing sectors like healthcare, energy, and telecommunications.
  • State‑level governmental bodies, including attorneys general and legislatures, which increasingly assert oversight through enforcement and statutory initiatives.

Typically, when federal regulators step back on enforcement, state regulators come forward. Recent examples include actions by state attorneys general and legislatures against private equity involvement in healthcare and other industries.

Distinct insurance solutions exist at the portfolio company and fund level that can help address these risks. Well-constructed policies are designed to respond to regulatory actions, with coverage for investigations — especially against corporate entities or funds — being more nuanced. General partnership liability (GPL) policies carried at the fund level often include broad investigation coverage, whereas portfolio company D&O policies may require more targeted negotiations to achieve similar protection.

Well‑crafted programs can create a comprehensive risk transfer framework. Thoughtfully negotiated GPL and portfolio company D&O policies can provide expansive protection, and portfolio‑level coverage can, in many cases, be structured to extend meaningful coverage to directors and officers, private equity partners, and other affiliated individuals.

© 2026 Lockton Companies. All rights reserved.