On November 7, 2023, the prolific ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and Exchange Commission (the “SEC”) against its victim for failing to publicly disclose the cybersecurity incident. AlphV wrote in its complaint (a copy of the submission was shared by the threat actor with DataBreaches on November 15, 2023 and is available here):

We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

As we have previously reported, the SEC adopted final rules mandating disclosure of cybersecurity risk, strategy and governance, as well as material cybersecurity incidents. This includes new Item 1.05 of Form 8-K, which, beginning December 18, will require registrants to disclose certain information about a material cybersecurity incident within four business days of determining that a cybersecurity incident it has experienced is material. Though AlphV jumped the gun on the applicability of new Item 1.05, its familiarity with, and exploitation of, its target’s public disclosure obligations is a further escalation in a steadily increasing trend of pressure tactics by leading ransom groups.

Why Would a Threat Actor Blow the Whistle on Their Own Crime?

The percentage of companies that now make extortion payments to recover access to encrypted systems or stop stolen data from being posted publicly is on the decline. Threat actors are accordingly resorting to increasingly aggressive harassment techniques to extract such payments from victims. This move is an extension of those aggressive pressure tactics. Large threat groups, like BlackCat/AlphV, are sophisticated and aware of regulatory, financial and other company pressures, and have in the past threatened to alert regulators or otherwise have taken to social media or other public outlets to pressure victims to pay. In this instance, the threat actor is attempting specifically to leverage the SEC’s regulations to its advantage by increasing the cost to their targets of refusing to pay ransom, namely, by increasing the likelihood that the regulator will investigate the cybercrime victim, which can be incredibly costly, time consuming and damaging to a company’s reputation and business.

How Will the SEC Respond?

Unsurprisingly, the SEC has not yet issued a statement regarding the AlphV whistleblowing complaint, and it is not yet clear how the SEC will handle whistleblower complaints by threat actors. However, this move could arguably result in an increase in the filing of such whistleblower tips by such threat actors and, accordingly, could more generally trigger increased investigative scrutiny into companies that fall victim to cybercrime, including investigations of whether their public disclosures or disclosure controls were deficient in connection with the cybersecurity incident. This will become increasingly true as the new rules come into effect and require timely disclosure of material cybersecurity incidents.

Will the Threat Actor Be Entitled to a Whistleblower Award?

Probably not. Rules 21F-6 and 21F-16 under the Securities Exchange Act of 1934 provide for a reduction in whistleblower awards based on culpability and other factors, assuming that there is an enforcement action resulting from the tip exceeding $1 million in monetary remedies.

In any event, to be eligible for payment, a whistleblower must be a natural person and must disclose their identity on form WB-APP. (This would be true even if the applicant initially submitted their complaint on an anonymous basis. See §§ 240.21F-7(b) and 240.21F-10(c).) As such, even if a threat actor were otherwise entitled to an award as a matter of law, the procedural requirements for recovery make it unlikely that they would ever seek payment, given their interest in avoiding personal liability for the underlying criminal conduct. Therefore, it is less likely that a threat actor would file a complaint with the hope of recovering an award and more likely that they would view the filing simply as a further means of supporting their extortion of current and future victims.

How Should Public Companies Prepare to Respond?

Stand by your disclosure controls and materiality determination, and be prepared to respond to regulators, customers and other stakeholders from a crisis communications standpoint. With the compliance date for the new SEC cybersecurity rules looming, public companies should ensure their cybersecurity incident response plan and disclosure controls and procedures are ready. Documenting a thorough and deliberative materiality determination, at each point in a cybersecurity incident response at which significant new facts become available, will be of paramount importance to support Item 1.05 disclosure decisions. Lowering the bar for Item 1.05 disclosure—or, worse, paying a ransom in response to this type of threat—will ultimately set a dangerous precedent for future 8-K disclosures.

We will continue to monitor developments in this area.

Author

Andrew J. Ceresney is a partner in the New York office and Co-Chair of the Litigation Department. Mr. Ceresney represents public companies, financial institutions, asset management firms, accounting firms, boards of directors, and individuals in federal and state government investigations and contested litigation in federal and state courts. Mr. Ceresney has many years of experience prosecuting and defending a wide range of white collar criminal and civil cases, having served in senior law enforcement roles at both the United States Securities and Exchange Commission and the U.S. Attorney’s Office for the Southern District of New York. Mr. Ceresney also has tried and supervised many jury and non-jury trials and argued numerous appeals before federal and state courts of appeal.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Matthew Kaplan is the firm’s Chief Financial Officer, a member of the firm’s Management Committee and the Co-Head of the firm’s Capital Markets Group.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Ben Pedersen is a partner in the firm’s Capital Markets Group and member of the Special Situations team. His practice focuses on a broad range of capital markets transactions, regularly representing issuers, private equity firms and underwriters in public and private offerings of debt and equity securities, and advising public and private companies on securities laws, disclosure, corporate governance and general corporate matters. He can be reached at brpedersen@debevoise.com.

Author

Steven Slutzky is a corporate partner and Co-Head of the firm’s Capital Markets Group and a member of the firm’s Private Equity and Special Situations Groups. His practice focuses on securities offerings and related transactions, and he regularly represents issuers and underwriters in securities transactions including initial public offerings, high-yield debt offerings, secondary equity offerings, debt offerings, tender offers and consent solicitations and private placements. He can be reached at sjslutzky@debevoise.com.

Author

Jonathan Tuttle, managing partner of the Washington, D.C. office, is a member of the firm’s Litigation Department. He has represented public companies, regulated institutions, boards of directors, audit and special committees of boards, and individual directors, officers and employees in enforcement investigations and proceedings brought by the Securities and Exchange Commission, the Department of Justice, FINRA and the PCAOB, as well as in securities class actions, shareholder derivative suits, internal corporate investigations and a variety of other securities and finance-related litigation and regulatory matters.

Author

Matthew Kelly is a litigation counsel based in the firm’s New York office and a member of the Data Strategy & Security Group. His practice focuses on advising the firm’s growing number of clients on matters related to AI governance, compliance and risk management, and on data privacy. He can be reached at makelly@debevoise.com.

Author

Kelly Donoghue is a corporate associate in the Capital Markets Group. She can be reached at kgdonogh@debevoise.com.