Wednesday, November 22, 2023

Hacker reports own victim for not disclosing cyberattack

By Anne Sherry, J.D.

Beginning next month, public companies will be required to disclose material cyber incidents within four business days. A new development reveals a presumably unintended consequence of this new rule: a ransomware attacker using a victim’s nondisclosure as additional leverage to extract a payment.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure … as mandated by the new SEC rules,” reads a whistleblower tip filed with the SEC by ALPHV/BlackCat. Plot twist: ALPHV was the attacker that caused the breach.

As reported by, ALPHV posted on its website screenshots of the tip it filed with the SEC. In a post entitled “MeridianLink fails to file with the we do it for them + 24 hours to pay,” ALPHV warned that the victim had only 24 hours before the ransomware group would publish the stolen data. A timestamp on ALPHV’s post marks it as having gone up the evening of November 15.

As of the afternoon of the 17th, MeridianLink had not filed anything about the incident on EDGAR. However, a “cybersecurity update” on its website confirms the breach. “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” MeridianLink writes. “If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law.”

Under new Item 1.05 to Form 8-K, public companies will be required to disclose a cybersecurity incident within four business days of determining that it is material (this determination should be made “without unreasonable delay”). Although ALPHV cited the new rule in its SEC tip, companies are not required to comply with the new requirements until December 18 at the earliest.

However, under existing SEC rules, companies are required to disclose material risk factors, and those disclosures can give rise to enforcement action if the SEC deems them misleading or incomplete.

Last month, the SEC charged SolarWinds Corporation and its CISO with misleading investors about the company’s cybersecurity risks and vulnerabilities. The complaint specifically alleges that SolarWinds made an incomplete disclosure about a years-long cyberattack called SUNBURST that compromised the company’s “crown jewel” software platform.

This enforcement action signaled to companies that the SEC is taking a harder line on cybersecurity breaches and is likely to watch closely what companies disclose under the new Item 1.05—potentially leaving the door open for bad actors to leverage the new rules as ALPHV has done. Saying the action represented a “regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” SolarWinds’ CEO protested, “How we responded to SUNBURST is exactly what the U.S. government seeks to encourage.”