This alert may not be shared outside your organization, Do Not Repost or send, place on other websites, List servers, or send to others via email, including other associations or parties. Members and Law enforcement use only. Contact us for any permissions. To do otherwise will result in the loss of membership.
Cyber Criminals Weaponize SEC’s Future Cyber Disclosure Rules
In a first for both cybersecurity and securities law, a ransomware company filed a complaint with the U.S. Securities and Exchange Commission (“SEC”) against its own hacking victim for failure to disclose the hack itself. The move is akin to a car thief suing their victim for failing to report the stolen car to their insurer.
The ransomware company, known as AlphV/Black Cat (“AlphV”), a Russian-based group, confirmed to Databreaches.net that they made the report to the SEC, alleging MeridianLink failed to comply with the SEC’s upcoming cyberattack disclosures rules. AlphV is a well-known cyberattacker, having previously gained notoriety for attacks against major casinos and hotels.
As we have covered previously on Aug. 2, 2023, and Aug. 21, 2023, the SEC’s forthcoming cybersecurity rules do not actually take effect until December, but the incident sheds light on an emerging concern for the cybersecurity industry: cyber criminals are sophisticated, well-resourced, and will be closely following companies’ disclosures around cyberattacks to help them target future victims and assert maximum leverage, especially where ransomware is concerned.