Hackers Extort Victim with SEC Whistleblower Complaint

Thomas Potter, III
Burr & Forman
Contact
LinkedIn
Facebook
X
Send
Embed

Burr & Forman

In an unintended consequence of the Securities and Exchange Commission's (SEC) unprecedented rulemaking agenda, a black-hat hacker gang has filed a whistleblower complaint against its victim for not reporting a cybersecurity incident "as mandated" by a Rule reporting requirement that isn't even required yet.

The ransomware gang ALPHV/BlackCat claimed to have hacked publicly traded MeridianLink (NYSE:  MLNK), a provider of cloud-based software solutions to financial institutions, in early November. Apparently dissatisfied by the victim's response time, BlackCat posted a screenshot of an SEC whistleblower complaint form under the headline, "MeridianLink fails to file with the SEC ...so we do it for them +24 hours to pay."

The post and whistleblower complaint claimed MeridianLink failed to report the cybersecurity incident under Item 1.05 of Form 8-K "within the stipulated four business days, as mandated by the new SEC rules." But BlackCat jumped the Rule's compliance deadline by about a month.

The SEC adopted the new cybersecurity reporting rule on July 26, 2023, with an effective date of September 5, 2023. The Rule generally requires disclosure to be filed within four business days "after a registrant determines that a cybersecurity incident is material."

New Form 8-K, Item 1.05 requires disclosure and a description of material aspects of the nature, scope, and timing of the incident, along with its material impact or reasonably likely impact on the registrant, its financial condition, and operational results. Although the Rule is effective, the compliance date for 8-K reporting is not until December 18, 2023, with further delay for smaller reporting companies.

For its part, MeridianLink's investor-relations page responds:

On November 10, MeridianLink identified a threat actor's improper access to one non-privileged user's account and removed the threat actor's access promptly. Our forensic investigation confirms that the threat actor did not access MeridianLink's networks, servers, databases, integrations, or any part of our customer product platforms. Further, no ransomware or malware was deployed on MeridianLink's network.

On that basis, it seems the company determined that the incident was not "material" in any event, so it was not reportable, even if the reporting requirement had been in effect at the time. I addressed the Rule in a previous blog post here.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burr & Forman | Attorney Advertising

Written by:

Burr & Forman
Burr & Forman
Contact
more
less

Burr & Forman on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide