Ransomware group ALPHV filed a complaint against an organisation with the Securities and Exchange Commission (SEC) for not complying with the four-day rule to disclose a cyber-attack….an organisation that they themselves compromised!!

Context from an Australian standpoint – imagine being a listed organisation and getting a call from ASIC saying that they had been tipped of you have suffered a significant cyber event (data breach) because the threat actor that breached you, called them and told them….

This is it, this is the case study that puts to bed any misconception, any ignorance and any misunderstanding as to the sophistication of threat actors and the cyber-crime risk landscape.

Recap: Starting 5 September 2023, US listed organisations began having an obligation (enforced by the SEC (the U.S. government agency in charge of regulating the securities markets and protecting investors - i.e., Australia's ASIC)) to report significant cyber events within four business days of determining that a cyber incident sustained will have a “material impact” on their organisation.

Event: The ALPHV/BlackCat ransomware operation filed an SEC complaint against one of their alleged victims – MeridianLink, a publicly traded company that provides digital solutions for financial organisations such as banks, credit unions, and mortgage lenders - for not complying with the four-day rule to disclose a cyberattack.

Yesterday, the threat actor listed the software company MeridianLink on their data leak site, with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours. According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.

Apparently frustrated by MeridianLink’s lack of engagement – and likely to exert pressure – ALPHV lodged a complaint with the SEC about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”

Further, to show that their complaint is real, ALPHV published on their site a screenshot of the form they filled out on SEC’s Tips, Complaints, and Referrals page.

Whilst the shock value in this event is real, the reality of the sophistication and risk is what needs to be taken into consideration. Cyber & Technology risk is significant to all organisations, and more so requires a holistic all of business consideration including legal, regulatory and reputational considerations which are equally, and in some cases even more so important that the technical aspect of cyber security.