The ransomware group AlphV reported a victim to the SEC for failing to report a cybersecurity incident, placing government regulators in a precarious position and possibly prompting organizations to step up their compliance game and become more transparent.

On Nov. 15, the ransomware threat actor AlphV, also known as BlackCat, added and removed publicly traded financial institution MeridianLink from its leak site. But, in a twist for ransomware attackers, AlphV also reported its victim to the U.S. Securities Exchange Commission (SEC) via an anonymous tip form.

AlphV told the regulator that MeridianLink failed to report a cybersecurity incident within four days, as required under new SEC rules that don’t technically go into effect until Dec. 15. AlphV said the incident occurred on Nov. 7, but Meridian Link indicated it happened on Nov. 10. Either way, under the upcoming new rules, publicly traded companies such as MeridianLink must report cybersecurity incidents to the Commission within four business days after they determine the incident is “material.”


Read the res of the article here: