Just a month before the Security and Exchange Commission’s (“SEC’s”) Material Cybersecurity Incidents Rule is set to take effect, a ransomware group has apparently taken compliance with reporting requirements into its own hands. On November 15, 2023, the ransomware group known as BlackCat (also known as “AlphV”) posted a notice on its leak site alleging that, on November 7, 2023, it breached the network of a software company that provides digital lending solutions to financial institutions and stole “customer data and operational information” from the company’s servers.
Publicly shaming a company that experiences a data security incident is not unusual for ransomware groups, sometimes even in scenarios where the ransom is paid. What makes this most recent extortion attempt unique is that BlackCat, in addition to naming the software company on its leak site, also, according to DataBreaches.net, claims to have filed a complaint with the SEC against the company for failing to file a Form 8-K, as they allege is required under the new SEC’s new Material Cybersecurity Incidents Rule. In screenshots provided to DataBreaches.net, BlackCat claims to have reported that the company failed to meet the SEC’s newly minted four-business day requirement for incidents that materially impact the business. The software company provided a statement to DataBreaches.net that the company identified the incident on November 10 and “acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident.” The company further noted that while the investigation is ongoing, it has “identified no evidence of unauthorized access to [its] production platforms, and the incident has caused minimal business interruption.”
Notwithstanding BlackCat’s purported SEC filing, which appears to be the first ever instance where a ransomware actor has filed a regulatory compliance form amidst an extortion attempt, the SEC’s new rule does not go into effect until December 15, 2023. After that time, companies will be required to:
· Report any material cybersecurity incident on Form 8-K within four business days of determining that the incident is material;
· Routinely update investors on such incidents in quarterly and annual reports; and
· Periodically disclose cyber-related governance information, including the board’s oversight and management’s implementation of cyber-related risk management policies and procedures.