In a twist of irony, cybercriminals are now attempting to leverage the new SEC cybersecurity regulations to their advantage. Among these regulations is the mandate for SEC-registered companies to report significant cybersecurity incidents within four business days after they are deemed material.
MeridianLink, a prominent financial software firm serving U.S. banks, credit unions, mortgage lenders, and consumer reporting agencies, identified a cybersecurity incident on November 10, 2023. The company stated that it took immediate action to contain the threat and engaged a team of third-party experts to investigate the incident. The inquiry revealed no unauthorized access to MeridianLink’s production platforms and only minimal disruption to its operations.
However, on November 15, the notorious ransomware group, AlphV, took credit for the attack on its website. AlphV was recently involved in the highly publicized cyberattacks on Las Vegas casino properties back in September of 2023. The group claims that they initiated an attack on November 7, and while they did not encrypt any of the company’s data, they did exfiltrate files.
What makes this case so unusual is that, in addition to taking responsibility for the attack, the group posted on X (formerly Twitter) claiming to have reported MeridianLink to the SEC on the grounds that the company had failed to file the requisite disclosure, Item 1.05 of Form 8-K, within the four business days mandated by the new SEC rules. In other words, the attackers reported their own victim to the authorities.
In this case, AlphV didn’t know as much about the new SEC cybersecurity requirements as they may have thought. While many of the new SEC cybersecurity regulations became effective in September 2023, the specific 8-K disclosure rule cited doesn’t apply to large companies until December 18, 2023. Smaller organizations have until June 2024 to adhere to these reporting requirements. In addition, the 4-day reporting window does not begin at the time of an attack or even at the point of discovery. Instead, it begins once the incident has been determined to be a “material cybersecurity incident.” As a result, MeridianLink did not violate any of the new reporting requirements.
Other cybercriminals are likely to adopt this strategy, using it as another means to pressure and extort their victims. These criminals may even begin filing complaints with various U.S. and EU regulatory bodies when companies don’t meet the specific timelines set by relevant regulations.
Organizations need to take this new twist into consideration. In addition, the SEC and other regulatory agencies will need to scrutinize reported violations since, as in this case, the reports may be false or unsubstantiated. Most likely, the agencies will choose to ignore such uncorroborated reports.
The unusual case of a ransomware group reporting its victim to regulatory authorities underscores the critical need for organizations to stay informed about evolving compliance regulations. Navigating the complex landscape of cybersecurity rules can be daunting, especially when it’s not your core expertise. At HALOCK Security Labs, we specialize in understanding the ever-changing domain of cybersecurity regulations. Our team of seasoned security professionals can guide you through this intricate terrain. If you are unsure about the regulatory demands facing your organization, we’re here to help. We offer thorough assessments to clarify your compliance obligations and evaluate your current security measures, ensuring you’re prepared to meet these challenges head-on.
GUIDANCE ON HOW TO APPROACH THE SEC CYBERSECURITY RULES
Compliance Week Webinar Recording and Materials: Almost Everybody is Unprepared for SEC Cybersecurity Disclosures. But You Can Get Through This.