SEC Breach Disclosure Rule Exploited by Cyber-Extortionists

SEC Breach Disclosure Rule Exploited by Cyber-Extortionists

The News: The BlackCat ransomware gang, also known as ALPHV, has filed a complaint with the US Securities and Exchange Commission (SEC) against a company that refused to negotiate with it. This is the start of what is likely to be a trend of cyberattackers utilizing the SEC’s forthcoming requirement for organizations to report material data breaches and cyber incidents, set to go into effect on December 15, 2023, to coerce payments.

SEC Breach Disclosure Rule Exploited by Cyber-Extortionists

Analyst Take: With cyberattacks growing ever more sophisticated and impactful to organizations of all industries and regions, the US SEC is implementing new legislation that requires public companies to disclose material cybersecurity incidents within 4 days of becoming aware of them. This legislation is being put in place for a few reasons:

  • Protecting investors from financial losses, reputational damage, and legal liabilities that can result from cyberattacks. This can also have the byproduct of increasing investor confidence, as a result encouraging continued or additional investment.
  • Increasing transparency, given the fact that cyberattacks can, and often do, have ripple effects across other companies – as a result negatively affecting markets’ overall stability.
  • Along a similar vein, coordinating detection and response to widespread attacks and uncovering new patterns or tactics that might be emerging among malicious actors.

The legislation comes on the heels of the lawsuit filed by the US SEC against observability and IT management software provider SolarWinds and its chief information security officer (CISO) on October 30. The lawsuit accuses investor deceit through misleading statements and omissions that concealed known security-related risks, vulnerabilities, and weaknesses in the aftermath of a cyberattack that occurred in 2020 and that affected a variety of US government and public sector organizations.

Already, this approach is a new tactic that cyber extortionists are using to coerce payments. Specifically, BlackCat has filed a complaint with the SEC against MeridianLink, a digital lending solutions provider to financial institutions, for alleged failure to disclose a breach that compromised customer data. This complaint followed BlackCat listing MeridianLink on its data leak website – an extortion tactic used by many ransomware gangs to pressure victims into paying the demanded ransom.

I anticipate that BlackCat will be far from the last ransomware gang looking to utilize the new SEC legislation to their advantage, given the uncertainty that exists as to what exactly defines a “material” data breach or compromise to security. It is also considering that CISOs already face increased and serious stakes because they can be held personally liable if their organization’s cybersecurity posture or data breach impact are deemed to be misrepresented. In fact, it raises questions about the efficacy of the new SEC rules until there is more clarity. One thing is certain, though. Cybersecurity, and as a result compliance, are dynamic and require constant vigilance and adaptation.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other insights from The Futurum Group:

Top Security Issues Organizations Need to be Paying Attention to in 2023: Six Five On the Road at .conf23

What Is Comprehensive Cyber-Resiliency? — Infrastructure Matters, Episode 4

CISA Launches RVWP, a New Ransomware Warning Pilot Program Designed for Critical Infrastructure Entities

Author Information

Krista Case

Krista Case is Research Director, Cybersecurity & Resilience at The Futurum Group. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.

Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.

SHARE:

Latest Insights:

Commvault, Kyndryl, and Pure Storage Partner To Deliver Modular Recovery and Compliance Offerings for Regulated Hybrid Cloud Environments
Krista Case, Research Director at Futurum, shares insights on how Commvault, Kyndryl, and Pure Storage’s joint offering helps MSPs deliver audit-ready recovery and simplify regulatory compliance in complex hybrid cloud environments.
Ryan King, Global Head of AI and Infrastructure Ecosystem at Red Hat, joins hosts David Nicholson and Keith Townsend to explore how Red Hat and HPE are driving innovation through open source technologies.
Fidelma Russo, EVP & GM, Hybrid Cloud and CTO at HPE, and Matt Messick, Dallas Cowboys CIO, join hosts to discuss industry trends and the HPE-Cowboys partnership.
Will Townsend, VP & Principal Analyst at Moor Insights, joins hosts to explore HPE's next-gen connectivity strategy for AI and edge computing revealed at HPE Discover 2025.

Book a Demo

Thank you, we received your request, a member of our team will be in contact with you.