Cyber Criminals Weaponize SEC’s Future Cyber Disclosure Rules

In a new twist on cyber extortion, the ransomware group AlphV has tried to turn the SEC's own incident-disclosure rules against a victim.

The Securities and Exchange Commission (SEC) adopted rules in July 2023 requiring public companies to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.

These rules are designed to protect investors and provide transparency in the face of increasing cybersecurity threats. However, there is a growing concern that these disclosure rules could be weaponized by cyber criminals.

AlphV/Black Cat’s SEC Complaint

In a recent and unprecedented move, the ransomware group known as AlphV/BlackCat ("AlphV") invoked the SEC's disclosure rules in an attempt to pressure a victim into paying.

AlphV claimed to have breached U.S. financial software firm MeridianLink in November 2023 and, when the company allegedly did not respond to its ransom demand, filed a complaint with the SEC. The complaint alleged that MeridianLink had failed to disclose a cyberattack to the SEC within four business days, citing the new rules. Two points the complaint glossed over: the Item 1.05 incident-disclosure requirement did not take effect until December 18, 2023, so it did not yet apply when the complaint was filed, and even once in force the four-business-day clock runs from the company's determination that an incident is material, not from the day of the intrusion or from the attacker's announcement.

In an attempt to prove the legitimacy of their complaint, AlphV published a screenshot of the form they filled out on the SEC’s Tips, Complaints, and Referrals page. They also reportedly published the response they received from the SEC, which acknowledged that their complaint had been received successfully.

This appears to be the first time a ransomware group has tried to leverage the SEC's rules as an extortion lever. The tactic costs the attacker nothing, requires no proof, and works regardless of whether the allegation is accurate; it highlights the potential for misuse of the new disclosure rules and underscores the need for companies to have a documented materiality-determination process so that they can show regulators when their disclosure clock actually started.

The New Disclosure Rules

The new rules require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material. They must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. The materiality determination must be made without unreasonable delay after discovery of the incident, and an Item 1.05 Form 8-K will generally be due four business days after that determination. The only sanctioned delay is where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.

In addition, the rules add Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, whether any such risks have materially affected or are reasonably likely to materially affect the registrant, and the roles of the board and management in overseeing those risks. These disclosures are required in a registrant's annual report on Form 10-K.

The Potential for Weaponization

While these rules are intended to provide transparency and protect investors, there is a risk that they could be exploited by cyber criminals in two ways: as an extortion lever, as in the AlphV case, and as a source of reconnaissance. By requiring companies to disclose information about their cybersecurity incidents and risk management strategies, the SEC is potentially providing a roadmap for attackers.

For example, an over-detailed disclosure of a cybersecurity incident could reveal which systems were affected, how the intrusion was detected, and how the company responded. Attackers could use that information to target the same weaknesses before remediation is complete, or to adapt their tradecraft to evade the detection and response measures the company has described.

Similarly, disclosures about a company's risk management strategies could reveal gaps in its defenses. If a company discloses that it is focusing its resources on protecting against a particular type of threat, cyber criminals may choose to launch a different type of attack that the company is less prepared to defend against.

Mitigating the Risks

While the SEC's new disclosure rules are a step in the right direction for transparency and investor protection, companies will need to navigate them carefully to avoid inadvertently aiding cyber criminals.

To mitigate these risks, companies will need to be deliberate about how they disclose information, providing enough to satisfy the SEC's requirements and inform investors without revealing so much technical detail that they expose themselves to further attack. The rules themselves leave room for this: an instruction to Item 1.05 states that a registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, networks, devices, or potential vulnerabilities in such detail as would impede its response or remediation. Disclosure teams should draft the 8-K around material impact and timing, and keep indicators of compromise, affected hostnames, and detection logic out of the filing.

Companies should also prepare for the extortion angle directly. A written incident-response plan that records when an incident was discovered, who assessed materiality, what was considered, and when the determination was made gives the company a defensible timeline if an attacker, or a regulator acting on an attacker's tip, alleges that disclosure was late. Beyond that, companies may need to invest in additional cybersecurity measures to offset the added exposure created by public disclosure, such as hardening the infrastructure that any filing will inevitably describe, adding security personnel, or training employees who handle incident information.
