SEC Breach Disclosure Rule Exploited by Cyber-Extortionists


The News: The BlackCat ransomware gang, also known as ALPHV, has filed a complaint with the US Securities and Exchange Commission (SEC) against a company that refused to negotiate with it. This is the start of what is likely to be a trend of cyberattackers utilizing the SEC’s forthcoming requirement for organizations to report material data breaches and cyber incidents, set to go into effect on December 15, 2023, to coerce payments.


Analyst Take: With cyberattacks growing ever more sophisticated and impactful to organizations across all industries and regions, the US SEC is implementing new rules that require public companies to disclose material cybersecurity incidents within 4 days of becoming aware of them. The rules are being put in place for a few reasons:

  • Protecting investors from financial losses, reputational damage, and legal liabilities that can result from cyberattacks. This can also have the byproduct of increasing investor confidence, as a result encouraging continued or additional investment.
  • Increasing transparency, given the fact that cyberattacks can, and often do, have ripple effects across other companies – as a result negatively affecting markets’ overall stability.
  • Along a similar vein, coordinating detection and response to widespread attacks and uncovering new patterns or tactics that might be emerging among malicious actors.

The rules come on the heels of the lawsuit filed by the US SEC on October 30 against observability and IT management software provider SolarWinds and its chief information security officer (CISO). The lawsuit alleges that investors were deceived through misleading statements and omissions that concealed known security-related risks, vulnerabilities, and weaknesses in the aftermath of a cyberattack that occurred in 2020 and that affected a variety of US government and public sector organizations.

Already, cyber extortionists are using the disclosure requirement as a new tactic to coerce payments. Specifically, BlackCat has filed a complaint with the SEC against MeridianLink, a digital lending solutions provider to financial institutions, for alleged failure to disclose a breach that compromised customer data. This complaint followed BlackCat listing MeridianLink on its data leak website – an extortion tactic used by many ransomware gangs to pressure victims into paying the demanded ransom.

I anticipate that BlackCat will be far from the last ransomware gang looking to utilize the new SEC rules to their advantage, given the uncertainty that exists as to what exactly defines a “material” data breach or compromise to security. This is compounded by the fact that CISOs already face increased and serious stakes, because they can be held personally liable if their organization’s cybersecurity posture or the impact of a data breach is deemed to have been misrepresented. Until there is more clarity, this raises questions about the efficacy of the new SEC rules. One thing is certain, though: cybersecurity, and as a result compliance, are dynamic and require constant vigilance and adaptation.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.


Author Information

Krista Case

With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.

Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.
