The U.S. Securities and Exchange Commission’s (“SEC”) new Form 8-K rules for reporting material cybersecurity incidents took effect on December 18, for filers other than smaller reporting companies. Publicly owned companies operating in the U.S. must comply with a new set of rules requiring them to disclose “material” cyber incidents within 96 hours.
Why should the average person be interested? While one might presume this is about stock prices, it’s not. It’s about ensuring consumers and customers of these large entities are made AWARE of cyber breaches impacting their personal data.
The SEC provides a searchable interface to their cache of records, named Edgar. You can utilize Edgar to perform searches for 8-K filings, and a host of other regulated reports from companies doing business in the United States.
This link will take you to the results of searching for 8-K filings over the past five days – and it’s really quite revealing. https://www.sec.gov/cgi-bin/current?q1=5&q2=4&q3=
What’s even more interesting is how very little time it took for adversaries to “weaponize” the use of this form an its intentions.
In November of this year AlphV hacking group penetrated MeridianLink, and actually reported them to the SEC when they refused to pay ransomware.
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules.”