In July 2023, the SEC released its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. This rule requires publicly traded companies to report cyber breaches within four days of discovering the incident. The only approved exception is if the United States Attorney General decides that disclosing the breach would pose some threat to the security of the United States.
The notorious AlphV/BlackCat ransomware group hacked MeridianLink on November 7th and stole company data. So far there is no evidence that the systems were encrypted. BlackCat reports that it attempted to reach out to MeridianLink to negotiate a ransom but had not received a response. Instead of continuing to wait for MeridianLink or posting a snippet of the stolen data, BlackCat went to the SEC.
BlackCat posted a screenshot of a complaint filed on the SEC disclosure site alleging that MeridianLink suffered a “significant breach” and did not disclose it as the rule requires. This might have been true had the rule been in effect, but given that the official reporting period begins December 15, this may simply serve as a warning of a new extortion tactic ransomware groups may pursue as disclosure requirements in the United States ramp up.
There have been several occasions when ransomware groups threatened to report breaches, but this is the first instance in which it actually occurred publicly. Ransomware extortion tactics are becoming increasingly bold as fewer companies decide to pay the ransom.