Cyber Criminals Weaponize SEC’s Future Cyber Disclosure Rules

In a new twist in cyber extortion, ransomware group AlphV exploits SEC rules. 

The Securities and Exchange Commission (SEC) has recently adopted new rules requiring public companies to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. 

These rules are designed to protect investors and provide transparency in the face of increasing cybersecurity threats. However, there is a growing concern that these disclosure rules could be weaponized by cyber criminals.

AlphV/Black Cat’s SEC Complaint

In a recent and unprecedented move, the ransomware group known as AlphV/Black Cat (“AlphV”) has taken advantage of the SEC’s disclosure rules in an attempt to pressure their victims.

AlphV targeted U.S. financial software firm MeridianLink, and when the company allegedly did not respond to their ransom demands, AlphV filed a complaint with the SEC. The complaint alleged that MeridianLink had failed to disclose a cyberattack to the SEC within four business days, as required by the new rules.

In an attempt to prove the legitimacy of their complaint, AlphV published a screenshot of the form they filled out on the SEC’s Tips, Complaints, and Referrals page. They also reportedly published the response they received from the SEC, which acknowledged that their complaint had been received successfully.

This appears to be the first time a ransomware group has tried to leverage the SEC’s rules to facilitate extortion. It highlights the potential for misuse of the new disclosure rules and underscores the need for companies to carefully navigate these requirements to avoid inadvertently aiding cyber criminals.

The New Disclosure Rules

The new rules require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material. They must describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

In addition, the rules add Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

The Potential for Weaponization

While these rules are intended to provide transparency and protect investors, there is a risk that they could be exploited by cyber criminals. By requiring companies to disclose detailed information about their cybersecurity incidents and risk management strategies, the SEC is potentially providing a roadmap for cyber criminals to exploit vulnerabilities.

For example, a detailed disclosure of a cybersecurity incident could reveal information about a company’s security infrastructure and response strategies. Cyber criminals could use this information to tailor their attacks to exploit known vulnerabilities and circumvent security measures.

Similarly, disclosures about a company’s risk management strategies could reveal weaknesses in their cybersecurity defenses. If a company discloses that it is focusing its resources on protecting against a particular type of threat, cyber criminals may choose to launch a different type of attack that the company is less prepared to defend against.

Mitigating the Risks

While the SEC’s new disclosure rules are a step in the right direction for transparency and investor protection, companies will need to navigate them carefully to avoid inadvertently aiding cyber criminals.

To mitigate these risks, companies will need to be careful about how they disclose information, aiming to provide enough information to satisfy the SEC’s requirements and inform investors, without revealing so much detail that they expose themselves to additional cybersecurity threats.

Companies may also need to invest in additional cybersecurity measures to protect against the increased risk posed by the disclosure requirements. This could include implementing more robust security infrastructure, hiring additional cybersecurity personnel, or investing in cybersecurity training for employees.
