“They did WHAT??” Ransomware gangs will often test ways to pressure victims to pay. But today, threat actors associated with the AlphV (BlackCat) group tested a new approach that is raising eyebrows in the cybersecurity community. When a victim, MeridianLink, didn’t pay them quickly and didn’t even start to negotiate any payment with them, AlphV filed a complaint with the Securities & Exchange Commission (SEC). The complaint alleges that MeridianLink did not comply with the SEC’s new cybersecurity rule requiring reporting of any material incident to the SEC no later than four business days after the entity has determined that a material incident has occurred. DataBreaches.net broke the story.
But how is a material incident defined?
According to BitSight:
The SEC cybersecurity rules describe a material incident as a matter “to which there is a substantial likelihood that a reasonable investor would attach importance” in an investment decision. A reasonable investor is a hypothetical investor generally understood to be a long-term, passive investor of average wealth and sophistication.
According to the SEC rules, understanding whether a cyber incident is material requires an analysis of the total mix of quantitative and qualitative data surrounding the incident. There is not a specific financial threshold for a material cyber incident. In fact, the SEC states in the regulation, “…some cybersecurity incidents may be material yet not cross a particular financial threshold.”
In this case, the complaint is unlikely to cause problems for MeridianLink for two reasons. First, MeridianLink issued a statement to DataBreaches.net:
MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.
We have no further details to offer currently, as our investigation is ongoing.
In other words, they claim no evidence of any material incident. Second, it wouldn’t really matter if there were evidence, because the new rule does not go into effect until December 18.
But what does this mean in terms of what ransomware groups are likely to do starting December 15?
Will they attempt to pressure victims by threatening to report them to the SEC, and if they do threaten that, will it make any difference to the victims?