In a shocking show of gumption, a ransomware gang has reportedly not only hacked the IT systems of a US public company (MeridianLink), but also filed a complaint on the SEC’s Tips, Complaints, and Referrals page regarding MeridianLink’s claimed failure to disclose the incident in an 8-K, in violation of the SEC’s new cybersecurity rules.
Even though public companies are not yet required to comply with the new cybersecurity disclosure rules (the 8-K requirement takes effect on December 15 for most public companies), and it is not known whether or when MeridianLink has made a materiality determination, this gambit shows threat actors tapping into apprehension over the SEC’s enforcement of the new rules and of cybersecurity incident disclosure more broadly. The tactic also echoes the now-common ploy of threatening to inform customers or employees of a breach in order to pressure the ransomware victim into paying.
It remains unclear how the SEC will treat such tips once the new cybersecurity rules come into force. On the one hand, the agency will be very wary of being exploited by threat actors to extort the businesses it regulates. On the other, recent enforcement trends suggest that the SEC will zealously investigate credible allegations of a registrant’s failure to disclose material information, with the SEC’s recent action against SolarWinds and its CISO being only the most recent example.
One thing is clear: public companies under the SEC’s jurisdiction should be taking steps now to understand the new obligations before the rules come into force next month. Going forward, companies receiving ransom demands that include threats to notify government agencies, including the SEC, must be thoughtful in deciding how to respond. In particular, a victim that makes a ransom payment should carefully justify and document the payment so that it does not create an inference that the company paid to conceal the incident from regulators. As such, even though ransomware groups might think that threatening to report to the SEC increases their leverage and chance of payment, the opposite will likely be true. Most critically, businesses should keep their incident response plans updated to reflect the current regulatory requirements and the evolving threat environment.