BankInfoSecurity.com reported that “The notorious BlackCat ransomware group tattled to U.S. federal regulators about an alleged victim not disclosing a material cyberattack within four business days.” The November 16, 2023 article entitled “BlackCat Gang Tattles to SEC About Victim Not Disclosing Breach” (https://www.bankinfosecurity.com/blackcat-gang-tattles-to-sec-about-victim-disclosing-breach-a-23611?rf=2023-11-17_ENEWS_SUB_BIS__Slot1_ART23611&mkt_tok=MDUxLVpYSS0yMzcAAAGPfO8qfBRKXpKKhl9uvOhaGZ8RHOMe7Jr3fnHnF8s0ca0pBaJ9np6bb_K1s597087s60t6mmROrPdxgHBfG2CY-QUlifWhx-Dt43tBOlbOiOM9ykvv1w) included these comments:
The ransomware gang – also known as Alphv – listed financial services software developer MeridianLink on its data leak site Wednesday and threatened to leak stolen data unless it receives a ransom within 24 hours. BlackCat said it had compromised MeridianLink’s systems on Nov. 7 and exfiltrated files without actually encrypting them.
“MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago,” BlackCat wrote on its leak site Wednesday. “We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission.”
The SEC adopted a rule in July that requires publicly traded companies such as MeridianLink to disclose most “material cybersecurity incidents” within four business days of determining materiality. The disclosure rule will start being enforced in mid-December for larger businesses and in mid-June for smaller publicly traded companies
Interesting, but not surprising!