You may recall that the Securities and Exchange Commission has new rules for timely disclosure of cyberattacks.
One major reason the SEC wanted to implement these rules was its belief that companies were too slow to disclose when they had been hacked. To address this, the rules now state that a company must disclose cybersecurity incidents by filing an Item 1.05 Form 8-K within four business days of determining that the incident was material.
This new rule was intended to benefit investors—not the bad guys. But hacker groups are nothing if not creative: At least twice now, the ransomware group Alphv/BlackCat/Noberus has weaponized the SEC’s four-day disclosure rule by reporting their victim companies to the SEC.
In the first instance, Alphv contacted the SEC to report that a public company issuer had failed to report a hack. Why did Alphv have this information? Because Alphv was the hacker.
However, Alphv’s prowess doesn’t extend to reading implementation dates of disclosure rules. The whistleblower-style complaint was premature because, although the new cyber disclosure rules took effect in September 2023, the relevant four-day, 8-K requirement only took effect in December 2023.
But the calendar marches on, and Alphv was far from done. In December 2023, Alphv took a new and even more troubling tack.
According to a report at DataBreaches.net, here’s how Alphv described its next tactic against Viking Therapeutics:
Despite the stringent cybersecurity disclosure requirements set forth by the Securities and Exchange Commission (SEC), Viking Therapeutics failed to promptly report a material cybersecurity incident involving patient data as mandated. To address the new criteria for a persons [sic] reporting an incident, an employee of Viking Therapeutics has agreed to file a report after a productive talk with his family.
In other words, Alphv announced that an employee of Viking Therapeutics filed a complaint against his own company after that employee had “a productive talk with his family.”
It is certainly troubling that Alphv was publicly boasting about its mob-like ability to coerce people into being whistleblowers.
What Does This Mean for Companies?
Companies were already very concerned that the four-day disclosure rule would cause chaos. The idea that the hackers themselves would weaponize the rule, however, is an entirely new twist on what is already a fraught situation.
Any hacker worth the name will take the position that their hack is material—but that doesn’t necessarily make it so.
However, in a world where attackers themselves are alerting the SEC, it becomes increasingly challenging to dismiss any cyberattack as inconsequential. We all understand that hackers are using the whistleblower tactic to throw companies back on their heels and pressure them into paying the requested ransom as soon as possible.
It’s a cliché for a reason: the question is not whether you will be hacked, but when. With this in mind, it’s best to be proactive about putting in place the resources you will need to defend yourself.
As I’ve discussed previously, a company’s best strategy to reduce cyber liability risk is to follow these 10 steps:
1. Assess, and if needed, bolster your cyber risk management strategy. This includes staying on top of the newest versions of the latest threats from hackers.
2. Consider whether you need to hire additional in-house cyber expertise or third-party consultants.
3. Have the board’s nominating and governance committee determine whether adding a cybersecurity expert to the board is in shareholders’ best interest.
4. Assess the board’s cyber oversight process.
5. Determine whether you need to bolster the efficiency of your disclosure committee and any other materiality-determining processes.
6. Review how your company thinks about materiality and cyber breaches, including types of material harm and financial impact.
7. Consider who will be your outside counsel to advise you should you suffer a cyber incident.
8. Diligence your cyber insurance.
9. Diligence your cyber insurance broker.
10. Inform your board about how D&O and cyber insurance are being used to transfer risk away from the company.
As we discuss in our Cyber Looking Ahead Guide for 2024, ransomware isn’t going away. But the good news is that companies that take an active, forward-thinking approach to managing this risk will be able to respond swiftly and minimize the disruption to their business as well as subsequent litigation and liabilities.
