TheCorporateCounsel.net

Last November, Liz blogged about an attempt by a hacker group to exploit the SEC’s new Form 8-K cybersecurity disclosure rules to extort money from a company by threatening to go to the SEC and tell the agency that the company failed to disclose a material hack. The same group apparently tried that tactic again in December and again last month. This recent Woodruff Sawyer blog highlights how this new threat puts public companies in a tough spot:

Companies were already very concerned that the four-day disclosure rule would cause chaos. The idea that the hackers themselves would weaponize the rule, however, is an entirely new twist on what is already a fraught situation. Any hacker worth the name will take the position that their hack is material—but that doesn’t necessarily make it so.

However, in a world where attackers themselves are alerting the SEC, it becomes increasingly challenging to dismiss any cyberattack as inconsequential. We all understand that hackers are using the whistleblower tactic to throw companies back on their heels and pressure them into paying the requested ransom as soon as possible.

It’s a cliché for a reason: the question is not whether you will be hacked, but when. With this in mind, it’s best to be proactive about putting in place the resources you will need to defend yourself.

The blog offers a list of 10 steps a company should take to reduce cyber liability risk and says that companies that take an active approach to managing cyber risk will be in the best position to respond swiftly to a breach and minimize the disruption to their business & the risk of subsequent litigation.

– John Jenkins