If you see something, say something and get paid by the SEC
Under the SEC’s whistleblower program, “eligible whistleblowers are entitled to an award between 10 and 30% of the monetary sanctions collected in actions brought by the SEC”. The SEC paid out their largest ever whistleblower award in 2023 of $279 million. While not all the payments are this large, Americans could comfortably retire if they received just 1%. The whistleblower program allows the SEC to have inside informants, and it financially compensates them for exposing non-compliance. Informants report activity to the SEC, the information is run through a verification process, and once fines are collected the whistleblower is rewarded.
Is there ever an instance where this program doesn’t work? With the upcoming SEC cyber rules, some threat actors decided to try to cash in on the program and report “non-compliance.”Even though they did not get compensated, the event raises an important issue of insider threats and cybercriminal collaboration.
Black Cat ransomware group tried and failed to cash in on the SEC whistleblower program
In November 2023, the infamous Black Cat/ALPHV ransomware group filed a complaint with the SEC in attempts to extort MeridianLink after the company refused to pay their ransom demands. The group referenced the four-day reporting deadline in their complaint to the SEC, and stated it had been over a week since they carried out the attack. Media had a field day, and the complaint got picked up by many news sources.
Fortunately, the cybercriminals did not do their research. Firstly, the complaint was filed before the rules officially went into effect, and secondly, the complaint was made based on a misinterpretation of the 4-day reporting deadline. This deadline continues to be interpreted incorrectly. A company does not have to have to report within 4 days of the event occurring, rather, they must report within 4 days of making a materiality determination. And under the new rules, a company must make their determination “without unreasonable delay”. If the rules had already gone into effect, Black Cat would have needed to wait to report the organization for failing to file an 8-k. While this is the case, this event still shows that threat actors with a strong understanding of the rules can use this as even more leverage than they already have in the case of a cyber-attack.
Cybercriminals will leverage employees to do their bidding
Insider threats are an important risk to consider when building your cyber program. With more savvy cybercriminals, what is to stop a threat actor from working with internal employees as designated whistleblowers? The SEC can claim they won’t accept whistleblowers with illegally obtained information, but they won’t turn down an internal employee. If a threat actor can hack a public company, what is to stop them from identifying and extorting a troubled individual employee to get them to report an event? These are all hypotheticals, but these are things that could be unintended consequences from the new rules.
Preparation for the SEC cyber rules has long-term benefits beyond compliance
What is one way for companies to mitigate the risk of falling victim to an event like this? Comply with the rules. In the case of these new rules, the SEC is not punishing you for failing to prevent an attack, they’re only concerned if you fail to report the attack within their defined timeline. The good news is prepartion for the SEC cyber rules is not difficult with some guidance, and a step-by-step playbook. If you aren’t sure about where to start, reach out to us. On January 17th, we’re launching a full-suite of solutions to help you comply with the SEC cyber rules, and it’s a great time to ask us any questions you may have. Want your question answered during the event—send it to [email protected]