Will More Threat Actors Weaponize Cybersecurity Regulations?

On Nov. 10, MeridianLink discovered a threat actor’s access to a non-privileged user account, according to a statement on the digital lending software company’s website. While a breach like this is not novel, the ransomware group behind the attack made an attention-grabbing move. ALPHV filed a formal complaint with the US Securities and Exchange Commission (SEC), calling MeridianLink out for not disclosing the breach.

The attack took place on Nov. 7, and the ransomware group exfiltrated data, rather than encrypting it, according to databreaches.net. An insider with ALPHV told databreaches.net that MeridianLink was aware of the attack the day that it happened.

The SEC’s new data breach disclosure rule is not set to go into effect until December, but ALPHV’s complaint with the regulatory body may be a new tactic that threat actors adopt as they continue to attack and exploit victims. How should cybersecurity leaders and other enterprise executives be preparing for this possibility?

The SEC Complaint

In July, the SEC voted to adopt its new cybersecurity disclosure rules for public companies. Under these new rules, public companies will need to disclose material cybersecurity incidents within four days of determining the incident to be “material.” The rule goes into effect on Dec. 18.

Related:Understanding the Ransomware Attack Fallout on China’s ICBC

The MeridianLink breach occurred before this deadline. “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law,” the company shared in an emailed statement.

Based on what has been disclosed thus far, the breach sounds relatively minor, but ALPHV’s SEC complaint throws the company into the spotlight.

“The SEC won’t take a criminal’s word, but the spotlight is harsh. ALPHV's motives seem less about ransom, more about setting a precedent that intimidates,” Ferhat Dikbiyik, Ph.D., head of research at cyber risk monitoring company Black Kite, tells InformationWeek via email. “MeridianLink's challenge now is to navigate this tightrope of disclosure and investigation, all while under the public and regulatory microscope.”

Dikbiyik points out that ALPHV’s SEC complaint suggests that the group may have ties in the US. The group demonstrates a strong command of English and knowledge of American corporate culture, he explains. Its knowledge of the American regulatory system is particularly indicative of potential stateside ties. “ALPHV's clear English on the dark web could be AI, but their quick SEC rule exploit? That suggests boots on the ground,” says Dikbiyik.

Related:To Pay or Not to Pay? The Ransomware Dilemma

A Potential New Tactic

While US ties may have given ALPHV the insight to file the SEC complaint, other threat actors could take note of the tactic.

“I have concerns that other threat actors, following in AlphV’s footsteps, will contact governing bodies and further overwhelm organizations that are already fighting to triage a barrage of data,” Michael Isbitski, director of cybersecurity strategy at cybersecurity company Sysdig, tells InformationWeek in an email interview. “I also worry that this could become another way to extort victims.”

Dikbiyik also anticipates that this type of regulatory manipulation could become a regular tactic in the cyberattacker playbook.

“Ransomware groups are showing they can hit where it hurts: reputation and regulation. We need to prepare for this new angle of attack. When they file with the SEC, they lose the shadows that they hide behind, but the damage is already done,” he explains. “Leaders must now anticipate not just breaches but the ensuing legal fallout in the aftermath. The rules of engagement have changed.”

Related:What Are the Biggest Lessons from the MGM Ransomware Attack?

Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, emphasizes the importance of transparency following an attack like the one on MeridianLink. “Best practice here, for any company, is ongoing, transparent, compliant communication with all relevant stakeholders (customers, employees, partners, investors, journalists, analysts etc.),” she tells InformationWeek via email.

Preparing for the SEC’s Breach Disclosure Rules

The rule goes into effect in less than a month. Are public companies going to be prepared for the reporting requirement and the potential way threat actors could weaponize it?

More than half of public company executives (53%) surveyed in a Deloitte poll report that their organizations have been planning for the SEC’s new rules.

“The readiness of public companies for the SEC’s breach disclosure rules varies significantly across the corporate landscape,” Ariel Parnes, COO and cofounder of Mitiga, a cloud incident response company, shares via email.

As companies prepare, the question of “materiality” has been a point of concern. “We, the broader cybersecurity community, still have significant concerns around standards for gauging the materiality of cyber incidents and coordinating timely, effective communications between executive leadership and boards,” says Isbitski.

Jake Williams, a faculty member at IANS Research and a former US National Security Agency (NSA) hacker, stresses the importance of enterprise leadership discussing materiality thresholds. “Many public orgs I'm working with today are working with a far higher materiality threshold for cybersecurity events than they probably should,” he says in an email interview. “Of course, we’re all guessing until regulatory enforcement begins.”

Parnes points out that an enterprise’s ability to swiftly investigate cybersecurity incidents will be important given the SEC’s emphasis on timely disclosure. “Start by defining processes and procedures for breach disclosure, then test them through tabletop exercises. Identify any gaps or weaknesses in your procedures and make improvements,” he recommends. “This iterative approach ensures that your program is constantly evolving and becoming more effective.”

Cybersecurity leaders will also need to think about the added dimension of threat actors leveraging the SEC’s regulations for publicity.

“Likewise, cybersecurity leaders -- who generally prefer to keep their organization off the front page of the news where these issues are concerned -- may need to re-examine their PR and crisis communications processes for security events,” says Isbitski.

The potential for reputational damage and regulatory fines stemming from the new SEC rules and threat actor activity emphasize the importance of cybersecurity as an enterprise-wide priority. “This event with ALPHV is a reminder that cybersecurity policy and incident reporting are a cross-functional mandate for every organization -- compliance is far too often relegated to tech and security teams,” Simberkoff says.