The November 2023 whistleblower complaint by the ALPHV/Blackcat ransomware crime syndicate to the U.S. Securities and Exchange Commission broke new ground in the rapidly evolving world of cybersecurity. ALPHV filed a complaint alleging that a publicly traded company, MeridianLink, had failed to make a timely disclosure of a material cyberattack. This would violate a new SEC rule that took effect in July 2023 mandating disclosure of attacks within four days. ALPHV wanted Meridian to pay their ransom to make the attack go away, but the way it chose to leverage the new SEC rules was perhaps the first case of unintended consequences.
A ransomware gang turned government whistleblower is unexpected, to say the least. But CISOs seeking to maintain a tight security governance ship will be facing an entirely new and unfamiliar landscape as additional unintended consequences of the new rules play out in 2024 and beyond. In this post, we’ll examine a few of the potential unintended consequences and their impact.
As we already discussed, this surprising tactic has been used by the ransomware group ALPHV/Blackcat. Other ransomware gangs will likely adopt similar tactics because their chances of collecting payment from victims are directly proportional to the pain, bad publicity and cost created. The SEC has already issued seven-figure fines against companies for failure to disclose the full extent of cyberattacks; these fines applied to incidents before the new regulations, implying that companies failing to meet the standards laid out in the new rules can expect to pay a stiff price. Third parties using disclosure as a weapon could make the disclosure process even more complicated and fraught with risk.
To be clear, this threat of regulatory disclosure merely adds a new wrinkle to attack tactics; disclosure of attacks has long been used as a weapon against victims who stand to suffer reputational or other damage when a cyberbreach hits the news. But the SEC angle ratchets up the pressure and adds a pain point.
The new SEC rules also require companies to provide detailed information about their cybersecurity risk management, strategy and governance practices. The full extent of what is acceptable remains a work in progress and will evolve. The risk of these disclosures is potentially providing bad actors with detailed insights into a company’s cybersecurity practices, making it easier for them to plan and execute attacks. For example, a significant percentage of serious attacks involve sophisticated social engineering and attempts to exploit known processes, identities and behaviors. With AI and deep fakes, social engineering and spear-phishing will become easier to execute. If a company is required to disclose significant details of who or what teams must be involved in cybersecurity processes, then attackers will surely seek to exploit that new knowledge.
In some cybersecurity incidents, the share prices of the victim company fall on news of the attack. This is more true with companies that have small or medium market capitalization. Now that the SEC has instituted a four-day notice mandate, attackers could conceivably exploit an anticipated disclosure window to sell the victim’s shares short, profiting when they fall. In another scenario, attackers might hit a victim organization on the eve of an important shopping day or, if bids are due for a critical contract, in the week before that deadline. By putting a timeline on disclosure and making it non-negotiable, the SEC makes timing attacks far more powerful.
As a former CISO, I can say for sure that it may not be possible to fully block an attack in four days. An attack might require updating software and endpoints across tens of thousands of devices and systems around the world. Not all those devices are even online or connected to the internet — in factories, for example. If a company is forced to disclose an attack even as it continues, this could encourage other attackers to pile on. This could either be to exploit the same ongoing vector or via other vectors under the premise that security response teams are already stretched, so responding to an additional response would likely be beyond their capacity. Because of the nature of shareholder lawsuits and recent court rulings, non-disclosure that material attacks are still ongoing could put litigation crosshairs on the backs of breached organizations.
Security response is costly. It requires lots of time and often requires a surge in resources. Putting a four-day window on identifying, cataloging and mitigating security incidents is the equivalent of moving from ground shipping to next-day air delivery. Speed is expensive. It can also result in waste if a wrong path is undertaken in the response and forensics and resources are poured into a dead end. Unfortunately, this budget item is likely to be lumpy and unpredictable, making it harder for CISOs to properly budget for the new security governance landscape.
These are just five potential unintended consequences of the new SEC disclosure rules. One of them has come to pass. However, attackers are creative and will likely identify other ways to exploit the new rules to gain an advantage. CISOs will face not only pressure to move quickly and comply more broadly but also to redesign their teams and processes for forensics and disclosure. CISOs will also have to find a way to strike a balance between disclosing cybersecurity practices and processes to potential investors while shielding critical information about attack surfaces and processes from bad actors. The inevitable unintended consequences inject a new wildcard into the equations that will make security governance still more complicated going forward.
Recent Articles By Author