SEC Breach Disclosure Rule Exploited by Cyber-Extortionists

The News: The BlackCat ransomware gang, also known as ALPHV, has filed a complaint with the US Securities and Exchange Commission (SEC) against a company that refused to negotiate with it. This is the start of what is likely to be a trend of cyberattackers utilizing the SEC’s forthcoming requirement for organizations to report material data breaches and cyber incidents, set to go into effect on December 15, 2023, to coerce payments.

Analyst Take: With cyberattacks growing ever more sophisticated and impactful to organizations of all industries and regions, the US SEC is implementing new legislation that requires public companies to disclose material cybersecurity incidents within 4 days of becoming aware of them. This legislation is being put in place for a few reasons:

  • Protecting investors from financial losses, reputational damage, and legal liabilities that can result from cyberattacks. This can also have the byproduct of increasing investor confidence, which in turn encourages continued or additional investment.
  • Increasing transparency, given that cyberattacks can, and often do, have ripple effects across other companies, negatively affecting markets’ overall stability as a result.
  • In a similar vein, coordinating detection and response to widespread attacks and uncovering new patterns or tactics that might be emerging among malicious actors.

The legislation comes on the heels of the lawsuit filed by the US SEC against observability and IT management software provider SolarWinds and its chief information security officer (CISO) on October 30. The lawsuit alleges investor deceit through misleading statements and omissions that concealed known security-related risks, vulnerabilities, and weaknesses in the aftermath of a cyberattack that occurred in 2020 and that affected a variety of US government and public sector organizations.

Already, cyber extortionists are using the disclosure requirement as a new tactic to coerce payments. Specifically, BlackCat has filed a complaint with the SEC against MeridianLink, a digital lending solutions provider to financial institutions, for alleged failure to disclose a breach that compromised customer data. This complaint followed BlackCat listing MeridianLink on its data leak website, an extortion tactic used by many ransomware gangs to pressure victims into paying the demanded ransom.

I anticipate that BlackCat will be far from the last ransomware gang looking to utilize the new SEC legislation to its advantage, given the uncertainty that exists as to what exactly defines a “material” data breach or compromise to security. This is especially so considering that CISOs already face increased and serious stakes because they can be held personally liable if their organization’s cybersecurity posture or data breach impact is deemed to be misrepresented. In fact, it raises questions about the efficacy of the new SEC rules until there is more clarity. One thing is certain, though. Cybersecurity, and as a result compliance, are dynamic and require constant vigilance and adaptation.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other insights from The Futurum Group:

Top Security Issues Organizations Need to be Paying Attention to in 2023: Six Five On the Road at .conf23

What Is Comprehensive Cyber-Resiliency? — Infrastructure Matters, Episode 4

CISA Launches RVWP, a New Ransomware Warning Pilot Program Designed for Critical Infrastructure Entities

Author Information

Krista Case

Krista Case brings over 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
