Ransomware Group, in Midst of Extortion Attempt, Files Regulatory Notice with SEC

Alysa Austin, Katherine Doty Hanniford, Kimberly Kiefer Peretti, Lance Taubin
Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

Alston & Bird

Just a month before the Security and Exchange Commission’s (“SEC’s”) Material Cybersecurity Incidents Rule is set to take effect, a ransomware group has apparently taken compliance with reporting requirements into its own hands.  On November 15, 2023, the ransomware group known as BlackCat (also known as “AlphV”) posted a notice on its leak site alleging that, on November 7, 2023, it breached the network of a software company that provides digital lending solutions to financial institutions and stole “customer data and operational information” from the company’s servers.

Publicly shaming a company that experiences a data security incident is not unusual for ransomware groups, sometimes even in scenarios where the ransom is paid.  What makes this most recent extortion attempt unique is that BlackCat, in addition to naming the software company on its leak site, also, according to DataBreaches.net, claims to have filed a complaint with the SEC against the company for failing to file a Form 8-K, as they allege is required under the new SEC’s new Material Cybersecurity Incidents Rule.  In screenshots provided to DataBreaches.net, BlackCat claims to have reported that the company failed to meet the SEC’s newly minted four-business day requirement for incidents that materially impact the business.  The software company provided a statement to DataBreaches.net that the company identified the incident on November 10 and “acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident.” The company further noted that while the investigation is ongoing, it has “identified no evidence of unauthorized access to [its] production platforms, and the incident has caused minimal business interruption.”

Notwithstanding BlackCat’s purported SEC filing, which appears to be the first ever instance where a ransomware actor has filed a regulatory compliance form amidst an extortion attempt, the SEC’s new rule does not go into effect until December 15, 2023.  After that time, companies will be required to:

·         Report any material cybersecurity incident on Form 8-K within four business days of determining that the incident is material;

·         Routinely update investors on such incidents in quarterly and annual reports; and

·         Periodically disclose cyber-related governance information, including the board’s oversight and management’s implementation of cyber-related risk management policies and procedures.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide