In a first for both cybersecurity and securities law, a ransomware group filed a complaint with the U.S. Securities and Exchange Commission (“SEC”) against its own hacking victim for failing to disclose the hack itself. The move is akin to a car thief suing their victim for failing to report the stolen car to their insurer.
The ransomware group, known as ALPHV/BlackCat (“AlphV”), a Russia-based group, confirmed to DataBreaches.net that it made the report to the SEC, alleging that MeridianLink failed to comply with the SEC’s upcoming cybersecurity incident disclosure rules. AlphV is a well-known cyberattacker, having previously gained notoriety for attacks against major casinos and hotels.
As we have covered previously on Aug. 2, 2023, and Aug. 21, 2023, the SEC’s forthcoming cybersecurity rules do not actually take effect until December. The incident nonetheless sheds light on an emerging concern for the cybersecurity industry: cyber criminals are sophisticated and well-resourced, and they will be closely following companies’ disclosures around cyberattacks, both to help them target future victims and to assert maximum leverage over current ones, especially where ransomware is concerned.
The attack itself was relatively unremarkable. MeridianLink, a financial software company that services banks and mortgage lenders, apparently closed the hole the attackers used with a patch. Perhaps more notable is what this incident says about the timing of reporting cyberattacks. The SEC’s new rule requires public companies to disclose any “material cybersecurity incident” on Form 8-K within four business days of determining that the incident is material. The rule adopts the materiality standard applied in more traditional securities fraud cases and regulations, including TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976), and Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988), which hold that “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’ ‘Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.”
Many analysts have interpreted this rule to require disclosure of nearly every form of cyberattack, since even if the attack itself is small, it could suggest future, more material attacks. No company, and none of its corporate gatekeepers such as compliance officers and lawyers, wants to be dinged for failing to disclose an attack. In practice, this could lead to a cyberattack mentality of “when in doubt, report it.” The net effect militates toward disclosing cyberattacks rather than not.
In contrast to that position is the argument that the risk of a cyberattack being repeated against a vulnerability that has been contained and remedied is significantly lowered, if not eliminated, after the original attack. In other words, a horse rarely escapes the barnyard in the same place twice. And because vulnerabilities in software are the norm and not the exception, a single exploited vulnerability is not necessarily indicative of a weak vulnerability identification and remediation program. Even responsible companies with certified risk frameworks are at risk of cybersecurity incidents.
Also, many cyberattacks are detected and blocked early. In those cases a cyberattack occurred, but there was no reportable material cybersecurity incident under the new rule.
We would be remiss if we left the reader with the impression that only external cyberattacks are reportable under the new rule. Internal human mistakes could also meet the criteria of a material cybersecurity incident, for example where the incident results in a negative effect on the company’s bottom line, although materiality under the rule turns on what a reasonable investor would consider important and is not limited to direct financial loss.
The SEC itself already appears sensitive to concerns about the rule’s impact. In comments at the recent Aspen Cyber Summit in New York, Erik Gerding, director of the SEC’s Division of Corporation Finance, said about the rule: “It’s not about playing gotcha with public companies … It’s about actually providing information that’s useful for investors.”
Whether that information proves more useful to cyber criminals than to investors remains to be seen.
This document is intended to provide you with general information regarding the SEC's new cybersecurity disclosure rules going into effect in December. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.