Security News

A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days. This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data.

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack. Hackers snitch to the SEC. According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink's network on November 7 and stole company data without encrypting systems.

The SEC's cybersecurity-related capabilities were again questioned when SolarWinds addressed the allegations that it didn't follow the NIST Cybersecurity Framework at the time of the attack. The thrust of the SEC's lawsuit concerns how the communication from and actions taken by the company and its CISO, Timothy G Brown, allegedly misled investors about its security practices and known risks, and there are claims SolarWinds did not directly address in its riposte.

The Securities and Exchange Commission brought charges against both Austin, TX-based information security software company SolarWinds and its CISO Timothy G. Brown on October 30. The SEC alleges that between SolarWinds' October 2018 initial public offering and the December 2020 announcement of the large-scale cyberattack, SolarWinds and Brown specifically " defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.

The U.S. Securities and Exchange Commission today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 linked to APT29, the Russian Foreign Intelligence Service hacking division. The SEC claims SolarWinds failed to notify investors about cybersecurity risks and poor practices that its Chief Information Security Officer, Timothy G. Brown, knew about.

Of particular concern is whether public companies who own and operate industrial control systems and connected IoT infrastructure are prepared to fully define operational risk, and therefore are equipped to fully disclose material business risk from cyber incidents. Operational risk in OT and IoT. Cybersecurity incidents continue to disrupt production, with companies like Clorox reporting product shortages a month after disclosure.

A New York fintech biz is set to pay $1 million in fines under a US Securities and Exchange Commission order that claims it advertised "Annualized" returns on Titan Crypto of up to 2,700 percent, a number based on a "Purely hypothetical account." Titan Global Capital Management provided investment strategies to clients and prospective clients solely through a mobile app, the SEC said.

The SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.

The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules: Public companies must “disclose any cybersecurity...

As you can imagine, especially in an online world in which ransomware breaches can bring a company to a digital standstill overnight, and where even coughing up a multimillion-dollar blackmail payment to the attackers for a "Recovery program" might not be enough to get things going again. Ransomware attacks these days frequently involve cybercriminals stealing copies of your trophy data first, notably including employee and customer details, and then scrambling your copies of those very same files, thus squeezing you into a double-play cybersecurity drama.