TheCorporateCounsel.net

November 27, 2023

Cyber Disclosure Rules: Hackers Thought They Had a Golden Ticket

This is wild, and hopefully not a sign of things to come:

In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023 post on the DataBreaches.net site, and further detailed in a November 15, 2023 post on the BleepingComputer.com site.

That’s from this D&O Diary blog, and Kevin LaCroix goes on to detail why the new SEC rule isn’t the “golden ticket” that these hackers thought it was:

First, the hackers alleged that MeridianLink violated the cybersecurity disclosure guidelines by failing to make the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days. However, the cybersecurity incident current report disclosure obligation of Item 1.05 does not go into effect until December 18, 2023, and the current reporting obligation does not go into effect for smaller reporting companies until June 15, 2024. (For further detail about the effective dates of the new cybersecurity disclosure rules, refer here.)

Second, even if the disclosure requirement were otherwise in effect, it may or may not have been triggered here. The new rules state that the cyber incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material.” (Companies cannot “unreasonably delay” the determination that they need to disclose an incident.)

While the hackers in their SEC complaint described the incident as constituting a “significant breach,” MeridianLink’s description of the incident in its statement to DataBreaches.net stated that the company had “identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” MeridianLink may well contend that it has made no determination that the incident was “material,” and therefore that the four-day reporting period was not even triggered.

Does it matter whether the hackers understand securities laws? Kevin points out that for companies that want to avoid public attention & regulatory scrutiny, the specter of enforcement & litigation could give hackers additional leverage for their extortion schemes. As the many resources in our “Cybersecurity” Practice Area explain, the SEC rules don’t require reporting immaterial incidents (or attempted incidents). Nevertheless, I guess we now have to worry about the bad guys beating us to the punch in reporting their crimes.

Liz Dunshee