{"id":2725,"date":"2024-04-05T07:55:35","date_gmt":"2024-04-05T07:55:35","guid":{"rendered":"https:\/\/aitesonics.com\/hackers-use-a-new-sec-rule-to-snitch-on-the-company-they-infiltrated-201242292\/"},"modified":"2024-04-05T07:55:35","modified_gmt":"2024-04-05T07:55:35","slug":"hackers-use-a-new-sec-rule-to-snitch-on-the-company-they-infiltrated-201242292","status":"publish","type":"post","link":"https:\/\/aitesonics.com\/hackers-use-a-new-sec-rule-to-snitch-on-the-company-they-infiltrated-201242292\/","title":{"rendered":"Hackers use a new SEC rule to snitch on the company they infiltrated"},"content":{"rendered":"
A hacking group deployed a surprising tactic after infiltrating a financial software company\u2019s network. They reported the breach to the US Securities and Exchange Commission (SEC).<\/p>\n
DataBreaches.net<\/em> initially reported<\/a> on the incident, which was conducted by ALPHV \/ BlackCat, a group known for breaching entities as diverse as MGM Resorts<\/a> and Reddit<\/a>. The hackers reportedly infiltrated the servers of fintech company MeridianLink on November 7, stealing company data without encrypting it. However, when the business neglected to negotiate directly, the hackers increased the pressure by filing a report with the SEC.<\/p>\n They did so citing a new rule the SEC passed this summer<\/a>, which requires companies falling victim to \u201cmaterial cybersecurity incidents\u201d to report them to the agency within four business days.<\/p>\n However, the four-day requirement may not have taken effect yet. At least one official form<\/a> claims the rule kicked in 90 days after the date of publication in the Federal Register (they appear to have been published on August 4, making that alleged effective date November 2) or December 18. But the Federal Register document<\/a> says, \u201cWith respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8\u2013K and in Form 6\u2013K [the part referring to the four-day requirement], all registrants other than smaller reporting companies must begin complying on December 18, 2023.\u201d Adding to the confusion, Reuters<\/em> reported<\/a> in October that the rule takes effect on December 15.<\/p>\n Engadget reached out to the SEC to clarify whether the rule is active yet. We\u2019ll update this article if we hear back.<\/p>\n