Respect Incident Reporting to regulators - hackers are pressuring victims by reporting them to SEC
Take action: If your organization is faced with an incident, don't try to hide it. The cat is out of the bag, process it and report it. That's the best way not to be extorted nor suffer penalties. And it still shows a better level of trustworthiness than playing dumb.
The cybercriminal group AlphV took a seemingly unexpected step of reporting one of its victims, MeridianLink, to the Securities and Exchange Commission (SEC). In the report by the criminals they allege that MeridianLink had violated the SEC's new rule mandating the disclosure of significant cybersecurity incidents by publicly traded companies.
MeridianLink, a financial software firm, acknowledged that it had experienced a cybersecurity incident but stated that it had not yet determined the extent of personal information compromised. According to the company, there was no evidence of unauthorized access to their production platforms, and the disruption to their business operations was minimal.
As more organizations adopt better backup and recovery techniques, the extortion mechanisms of data unavailability are no longer profitable for cyber criminals. So they are looking for new ways to pressure victims into paying the ransom. First it was threatening the individuals whose data is stolen, now it's threatening the victim with regulatory report and fines.
Unfortunately the criminals did a half-assed job of their threat - The new SEC rule, which requires publicly traded companies to report material data breaches within four days of discovery, is not yet in effect. As such, MeridianLink was not in breach of the regulatory framework.
But as more regulatory frameworks adopt requirements for incident reporting, the threat of penalties will become more and more prevalent. And criminals will not stop abusing them.
It's prudent that organizations implement a proper process within their incident management to avoid regulatory issues:
If an incident has occurred, process it and report it. Trying to hide an incident never works, since the data is out there, and criminals of varying affiliations are aware of it. The cat is out of the bag.
Regulatory Compliance Awareness: Stay informed about regulatory requirements, and meet the timelines and criteria for reporting. If not sure, involve a lawyer.
Prepare for Communication: Effective communication is crucial in responding to cybersecurity incidents. Be ready to communicate status, actions and investigation progress to the public, which can help maintain trust with customers and stakeholders.