Specialty Podcast: Battling Black Basta - Cyber Threats and D&O Insurance Insights

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

David Finz (00:09):
Hello everyone and welcome to another edition of the Alliant Specialty Podcast. I'm David Finz, and with me as always is Steve Shappell, our head of Specialty Claims and Legal. We have a lot to talk about today. There are several articles in the most recent edition of our Executive Liability Insights newsletter, touching on the issue of cyber risk, and I would encourage everyone to have a look at it. I really want to focus here on something that is even more pressing that has developed over the past week or so, and that is with respect to the Black Basta ransomware syndicate out of Russia. Now, here at Alliant, we believe in helping our clients manage cyber risk, and that goes beyond just the mechanics of the insurance transaction, right? We want to provide our clients with actionable intelligence around this emerging threat to help you take appropriate action to protect your data and your network from harm. What is happening right now is that the Black Basta Ransomware Group has been in the news. They've become a significant concern for the U.S. government, prompting the issuance of a joint Cybersecurity Advisory. This came out on May 10th, and it's entitled #StopRansomware: Black Basta. This advisory came out from multiple agencies, including the Cybersecurity Infrastructure and Security Agency, and it highlights the rising attacks by this ransomware gang, particularly targeting healthcare and other critical infrastructure sectors. Now, the Black Basta gang was first identified in April of '22.

They operate what's known as a ransomware as a service model, and this basically means that the group offers its ransomware tools and techniques to so-called affiliates. It's almost like a franchise system. These affiliates launch attacks and extort victims for the decryption key. The advisory that was issued by the U.S. government details that Black Basta affiliates have targeted over 500 organizations globally. This is a pretty significant threat, and many of these include healthcare facilities. Their tactics involve infiltrating systems through phishing emails and exploiting known vulnerabilities in software. Unlike some ransomware groups, Black Basta doesn't immediately present ransom demands on its victims. Instead, they encrypt the data and give the victims a window of time, say 10 days to two weeks to contact them before potentially leaking the stolen information.

This joint advisory, as I said, was issued by CISA, as well as the FBI, Health and Human Services and other agencies. It aims to empower the organizations that are victims of these attacks with the knowledge they need to combat it. It provides technical details on Black Basta's methods, including indicators of compromise, tactics, techniques and procedures. The purpose of this advisory is to allow cybersecurity pros to identify potential intrusions and to implement effective mitigation strategies. Now, let's put this in layperson's terms. What can your organization do to address this risk? First of all, make sure that you are installing updates to your software, firmware and operating systems immediately upon their release. Make sure that you are deploying MFA, multifactor authentication, across as many endpoints in your network as is practical, and make sure that you are implementing cybersecurity awareness training across the organization. Make sure that there's an emphasis on equipping employees to identify and report phishing attempts. By following these recommendations and staying vigilant, you can significantly reduce your organization's risk of falling victim to Black Basta and other purveyors of ransomware attacks. The other thing to keep in mind is that even if your organization is not compromised by a ransomware event, it is possible that one of your vendors, one of your business partners may have been. If that happens, you should also keep in mind that there is insurance coverage for the lost income and extra expense associated with that type of event and the disruption that causes to your operations.

This is known as dependent or contingent business interruption, and it's covered by many cyber insurance policies. It's typically not in the base form. It's typically something that your broker has to negotiate by endorsement, but you should check to see whether you have this enhancement to your coverage so that you are able to recoup some of those losses even though your organization's network may not have suffered a direct attack. The last thing I'd like to say is if you'd like to request a copy of the joint Cybersecurity Advisory, of course you can find it on the website of many government agencies, but you can also reach out to us directly at AlliantCyber@alliant.com, and we will get you a copy of that, that you can share internally with your information security staff so you can begin implementing some of these precautionary measures. I understand that there's quite a bit of complex coverage litigation that is covered in this month's newsletter, and I'm going to turn it over to Steve to tell us about some of these recent updates.

Steve Shappell (05:50):
Great, thank you, David. Really great insight to this cyber development. It reinforces the more rewarding way of managing risk we embrace here at Alliant, so great update. One of the themes is coverage matters, right? You hear me talk about this all the time. We have a lawyer on our team that David and I work with, that his mission in life is to continue to perfect wording at our direction. This month's coverage really highlights the importance of some of these issues. That language matters, and two of the cases this month involve bankruptcy. Bankruptcy is a big deal. It's really near and dear to my heart when I think about directors and officers insurance.

One of the key things we want that policy to do is to protect directors and officers from gaps indemnification. There’s some key gaps indemnification that we've got to make sure these policies respond for, and that is bankruptcy, insolvency where the entity simply does not, cannot indemnify directors and officers in inventive litigation and derivative litigation. So, these two cases in this month's newsletter about coverage litigation highlights the critical importance of getting it right. The devil's in the details. It's easy to get a policy of insurance, a D&O policy of insurance. It's hard to get it and get it right. One of these cases this month, you'll see it has a bankruptcy exclusion in it. That's troubling. To have an exclusion for a claim that's going to rise out of bankruptcy. The devil is in the details again, underwriting that specific risk for a company that is financially struggling, it's hard to get cover. How do you get cover? Do you get a side only? What do you do? The point being here to be thoughtful because what this Daileader versus Lloyd's case highlights is these claims are big when it comes in, and the carriers will use the terms and conditions they have. These policies will be turned over to outside counsel who will scrutinize the language. If you have an exclusion that says that this policy will not respond to a claim based upon or rising out of bankruptcy, you are going to have a real challenge with your coverage.

So, it’s critically important to really scrutinize the language because the language matters here, based upon a rising out of, as broad a language as you can have. One of the other themes you'll see, in addition to bankruptcy this month, was prior acts issues where we had two different claims specifically addressing them. One of them was a very interesting runoff situation, which the named insured acquired what later became subsidiary. The challenge there was whether the claims for that predecessor company would be covered under the go forward successor, the company that acquired them. There was confusing language, and rather than buying a runoff policy for that entity that was acquired, the entity chose instead to look at language in the policy, which said that a predecessor company enjoys coverage under that acquiring company's policy in the future. But the devil's in the details again, right? The words matter, and the policy very specifically says, it's not going to cover prior acts of that entity. This is an interesting area. You have a transaction, and you have an OCO being acquired by another company. Where are those liabilities going to lie? This really requires a detailed discussion and analysis of the language. Because mistaken belief that the language of that company that made the acquisition, which covers the predecessor company, would cover predecessor company's prior acts, was misguided.

The court had very strong language and observations. That policy very clearly does not cover prior acts language, and if and when you want the prior acts of a company that you acquire to be picked up by that acquiring company's insurance policy, the language has to be really clear. It needs to be really clear in the way that it picks up that cover. It doesn't have a prior acts exclusion, as opposed to here where it had a prior acts exclusion. Prior acts also come together frequently, and that was another one of the claims in this month's newsletter, which again, really highlights the critical importance of getting it right. The case involved application of Delaware law, and I would encourage you to look at this case because we often don't get as detailed analysis as we like on what it means to be related. The challenge is, the relatedness and then the application of a prior act exclusion if it's a related prior act or a related wrongful act, the challenge is it's really fact driven. So, we've got some statements of law, and we don't see enough statements of law, and then we see the application of the facts.

What was interesting about the Delaware case is it said that the courts got to see some meaningful linkage, and the court gave some meek to that. In order for there to be some meaningful linkage, the court's going to look really hard at what parties are involved, the relevant time periods involved, the theories of liability involved, and a sampling of the relevant evidence and the damages alleged. The court did this in the case in the newsletter and made a determination that there was not enough material linkage here for the prior acts, the interrelated, for the insurers to conclude that these are all going to be treated as one and therefore not covered. Very interesting, very fascinating analysis. The devil, once again in the details, factual details, but the words matter. Having language that is very clear and requires a more detailed analysis like what is the material linkage, as opposed to language that you'll see in some related, which is it's based upon, in any way, related to any fact, any circumstance alleged in a prior claim or prior wrongful act. Really interesting developments this month, and the theme being words matter. Getting the words right matters. It’s full circle back to David and myself and Peter Kelly, the lawyer on our team, we spent a lot of time and we think making a better mousetrap is the way we're going to catch more mice. We spent a lot of time on that. I appreciate everybody's time today and for those listening to the podcast, I’d encourage you to go to the Alliant website and particularly the cyber for David's earlier comment. Again, thank you for the time and I encourage you to take a look at the newsletter and ask any questions you have from it, reach out to David or myself.

David Finz (12:52):
Thanks, Steve. That wraps up the latest edition of the Alliant Specialty Podcast. Until next time, thanks for listening and take care.