Hackers Weaponize SEC Disclosure Rules Against Corporate Targets

November 17, 2023 at 05:44PM

Ransomware group ALPHV, also known as “BlackCat,” has filed a complaint with the US Securities and Exchange Commission (SEC), accusing a recent victim of non-compliance with new disclosure regulations. ALPHV attacked digital lending service provider MeridianLink, stole and leaked data, and then reported the breach to the SEC, claiming the victim failed to meet disclosure requirements. However, it is unclear if any user data was compromised, and the new SEC rule only goes into effect on December 18. ALPHV’s tactic could have serious consequences as the SEC can impose significant fines.

The ransomware group ALPHV, also known as “BlackCat,” has filed a complaint with the US Securities and Exchange Commission (SEC) against a recent victim for failing to comply with new disclosure regulations. ALPHV successfully attacked the digital lending service provider MeridianLink on Nov. 7, exfiltrating files without encrypting them. However, aside from one interaction, ALPHV did not engage in negotiations with the company over the stolen data. The group then posted the data on its leak site and filed a report about its own crime to the SEC, claiming that its victim did not follow the new SEC guidelines for timely disclosure of data breaches.

This incident highlights the importance for security leaders of considering federal legal liabilities when making disclosure decisions. The SEC’s new cyber rules for public companies require disclosure of any material cybersecurity incidents within four business days of determining their significance. The new rules take effect on Dec. 18, and smaller companies will have an additional 180 days to comply. ALPHV’s tactic of threatening to file a “failure to report” complaint against its own victim with the SEC is seen as a compelling one that can potentially exploit government regulations for the benefit of cybercriminals. Companies should be aware of the potential disciplinary actions and fines that can result from non-compliance with SEC guidelines.
