Cybersecurity professionals, businesses, individuals and insurers alike are fighting a war with cyber criminals, and they might be losing, according to experts on the latest episode of The Insuring Cyber Podcast.
“I feel like we’re behind and we’re losing,” said Melissa Ventrone, leader of the cybersecurity, data protection, and privacy practice at law firm Clark Hill.
She said this is because as soon as cybersecurity approaches change to keep up with the criminals, they adapt, too.
“The criminals then change their tactics and figure out different ways to get into systems, ways to use the new technology against the organization,” she said. “It really is a very complex, overwhelming type of environment.”
Ventrone said the new presidential administration is focused on increasing deregulation, which could mean fewer enforcement actions, less emphasis on current regulations, and less enactment of new regulations. This means cybersecurity standards could be pushed further down to the state level, which creates both opportunities and challenges in this volatile landscape.
“Where businesses might think it’s a good thing that you have less federal regulations, you’re now going to have more state regulations that you’ll need to comply with because the states will step into the gap left by the federal government,” she said.
She pointed to efforts to enact a federal data breach notification statute in the U.S. that have fallen short for years.
“So, there’s 50 different state data breach statutes. Then, there’s the different ones from an industry perspective. Then, you have Guam, Puerto Rico,” she said. “There’s all of these different regulations out there that people have to comply with because we don’t have a federal one.”

This confusion is echoed in the cyber insurance space as risks that determine coverage are ever changing, according to Arthur Armstrong, partner at law firm Reed Smith.
“Cyber insurance is, to me, still the wild, wild West in comparison to a lot of other lines of coverage where you have long histories of court decisions and policy forms and myriad information sources to figure out how a policy should be interpreted,” he said.
He added that because the cyber threat landscape is always evolving, the insurance market can trail behind as it tries to meet coverage needs.
“With that, you have—at least that I’ve seen in certain instances—some policies that are a little mismatched in their endorsements and the body of the policy where it can give rise to ambiguities,” he said.
A deregulatory approach by the federal government could make already complex cyber insurance applications even more burdensome with information being requested about insureds’ internal procedures and operations, he said.
“If there’s not an objective regulation that is governing companies, I think that gives rise to all the more need to really investigate with your policyholder what they are actually doing in some of those spaces that maybe were otherwise regulated,” he said.
On the other hand, less regulation could create more freedom for businesses to innovate, he said.
Specifically addressing the idea of less regulation of AI in the U.S., he said, “It could bolster continued innovation,” referring to innovations used to bolster cybersecurity defenses and those used by threat actors. With “so much activity being offloaded to AI,” questions about how this will be treated by insurance coverage will be answered at some point.
The next step, for example, is deciding who’s responsible when something goes wrong.
“At what stage did the negligence happen when there’s some sort of artificial intelligence deployment that doesn’t work out as expected,” he said.
“It’s really going to be a fertile ground for claim disputes under cyber policies and other policies,” such as general liability and E&O policies. “I think it is a new frontier.”
With this new frontier, preparation is key, Ventrone said.

“Companies that prepare for cybersecurity incidents, respond more quickly, have a better response, mitigate damages. They recover more quickly, they protect their brand,” she said. “So, really spending the time to focus on that preparation helps the organization at the end of the day. You don’t have to have all of the newest bells and whistles. You have to make sure that the bells and whistles you do have are implemented correctly and they’re being monitored and maintained.”
Armstrong added that it’s important for everyone in a company that’s using a certain technology to know how it’s being used.
“I think something gets lost in translation maybe from the frontline folks who are employing some of these technologies, gathering some of these data or deciding how long to keep certain personal information and the other sides of the C-suite who are just detached from that,” he said. “Once you know what your exposure is, then you have to make sure your insurance policies are matching up to account for that risk.”
All of this leaves one question, according to Armstrong.
“What will be, in the next five years, the major event—whether it’s the government’s focus on cybersecurity or in the private sector—that makes everyone pivot in a direction?” he said.
He said while the answer to this question is uncertain, it’s clear that cyber events will continue to occur with no sign of slowing down.
“But what exactly they will be, particularly with the advent of AI, I think it’s hard to say,” he said. “What I always try to do with my clients is focus them back on what they can control, which is what their insurance program is and, again, having a good handle on the nature of their business, what kind of exposures that gives rise to, and making sure they’re protected.”
He concluded, “You don’t have to know as a policyholder what’s going to happen, you just have to know if something does, that you have somewhere you can turn to be made whole.”
To hear the full conversation, check out the rest of this episode of The Insuring Cyber Podcast, titled “Insuring Cyber Risk in a Shifting Political Landscape,” at insurancejournal.tv or wherever you get your podcasts.