Disclosure or TCR? SEC Cyber Intrigue Escalates
11–20–2023 (Monday)
Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, November 20, 2023, and it’s the week of Thanksgiving here in the US, which means that we should see a little lower activity from the corporate side of the house - but also an obligatory reminder that foreign threat actors just call Thanksgiving Thursday and will be in the office.
This week, we’re continuing to follow news and fallout around the SEC’s focus on cyber, and the intrigue keeps building.
Disclosure or TCR?
This week, in what can only be described as truth being stranger than fiction, ransomware group AlphV filed a Tip, Complaint, and Referral notice with the SEC (also known as a TCR) on one of their victims, a publicly traded company called MeridianLink.
Posted via a screenshot on their ransomware shaming site, the threat actors wrote:
“We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules.”
“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
Unfortunately for the threat actors, the disclosure rule doesn’t officially go into effect for another few weeks, but you can bet that we’ll see others follow this pattern - or at least threaten to do so - especially if it turns out to be an effective technique.
Of course, the way to disarm this attack is to notify - or better yet, implement security controls that reduce the likelihood and impact of attacks like this.
On that note of not doing the work and then being upset when you’re called out on it, we’re seeing more somewhat breathless coverage of the SolarWinds lawsuit over in the New York Times.
They remind readers of the SEC’s enforcement director’s June speech, where he noted the SEC has “zero tolerance for gamesmanship” around cybersecurity disclosures. The article is a bit light on substance, short of a few lawyers offering quotes, but I do think the closing paragraph is a great one:
“If generic disclosures aren’t enough, what is? Being too specific about vulnerabilities could give attackers valuable information, while being too broad isn’t valuable to investors. ‘The question,’ Wolff said, ‘is can the S.E.C. define a clear middle ground.’”
The context here, of course, is disclosures before a breach, but disclosures during and after a breach will be under the microscope, as well.
We saw just this week two major companies only disclose incidents once the media picked up on them - one at Japanese manufacturer Yamaha and the other at healthcare organization WellLife. But these sorts of minimal disclosures, light on details and only made when their hand is forced, are going to be a difficult position to maintain.
An article over on DataBreaches.net last week asked the question: “Does claiming you were hacked when you had really just screwed up violate the FTC Act?”
We talked about their opinion piece last week - “If entities continue to obfuscate and lie, it’s time to mandate more transparency in breach disclosures” - and the same thread continues here.
In this piece, they talk about a breach at a healthcare provider that impacted 28,531 patients, but the reason is left out of the disclosure. Calling it a “security incident” and noting that “certain patient data may have been taken from our systems” really rubbed the DataBreaches team the wrong way, because they have some first-hand knowledge of this event.
Instead of a ransomware attack, this was simply an unsecured storage blob that a researcher discovered. There are lots of details demonstrating minimization in the disclosure - including the date, and the number of records.
I’m not here to run a fact-finding mission, but I am here to point out that the horse has now left the barn on incidents, investigation, and regulation. You won’t be able to avoid disclosures because they’re inconvenient, and you won’t be able to minimize the impact in filings. You won’t be able to use generic disclosure language in your 10-Qs or 8-Ks.
In cybersecurity, and especially in cybersecurity disclosures, specifics matter. If you’re not comfortable with the specifics, you need to be making different decisions. If you’re on the leadership team and you don’t know what decisions are being made, you need to find out.
This is now the game, the job, and the task. Good luck - because the truth is out there.
Fundraising
From a fundraising perspective, some very interesting data this week.
First, purely in terms of dollars, another great week of new fund announcements, topping $29B in newly committed capital across a wide range of funds:
PAI Partners raised €7.1b for its seventh flagship private equity fund.
TPG raised $2.7b for its third Rise Fund.
Kinderhook Industries raised $1.3b from Carlyle unit AlpInvest for a continuation fund that will acquire nine portfolio companies from Kinderhook's fourth and fifth funds.
Bain Capital raised $7.1b for its fifth Asia-Pacific buyout fund; and
Blackstone held an $8b first close for its new direct lending fund.
At the same time, we’re seeing numbers on 2023 deals up to this point from LSEG Deals Intelligence. While one way to read the numbers is that PE deals are off 36% year-over-year for both global and US activity, the way I read it shows Canada down 4% YoY and the US down 11%. Given the macro conditions, that doesn’t seem that bad - and all this new capital needs deal flow to get deployed, so I remain hopeful that the transaction volume will return, even if the valuations and financing structures we got used to don’t.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.nytimes.com/2023/11/18/business/dealbook/solarwinds-sec-lawsuit.html
https://www.sec.gov/news/speech/grewal-financial-times-cyber-resilience-summit-06222023
https://therecord.media/yamaha-welllife-network-confirm-cyberattacks
https://global.yamaha-motor.com/news/2023/1116/corporate.html
https://www.welllifenetwork.org/content/notice-data-privacy-incident