MeridianLink, a financial services company, was the victim of an unusual twist on a cyberattack on 7th November.
The initial attack was typical: the ransomware group BlackCat (also known as ALPHV) breached their systems and stole data. What differentiates this attack is what followed. When the victim did not engage with the group's attempts at communication, presumably over a ransom demand, BlackCat took a step not seen before.
They reported their own victim to the US Securities and Exchange Commission (SEC) for failing to disclose the attack. This is a consequence of a recent change in SEC regulations under which listed companies must disclose a cyber incident on Form 8-K within four business days of determining that the incident is material. Note that the clock starts at the materiality determination, not at the moment the intrusion occurs.
Fortunately for MeridianLink, the rule does not come into force until 18th December. Had the incident occurred after that date, and had the company not disclosed it in time, BlackCat might have succeeded in putting its own victim in breach of the regulation.
Does the SEC Rule Apply in the UK?
No, but a similar policy does apply.
In the UK, the equivalent obligation comes from the UK GDPR and is enforced by the Information Commissioner's Office (ICO): a personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The 72 hours run continuously, including weekends, and the clock starts at awareness rather than at any later assessment.
Does a Disclosure Deadline Put Companies at Higher Risk?
A disclosure deadline may create opportunities for other threat actors to exploit the same weakness before it is remediated. An organisation rushed into disclosing that it was attacked may not have time to be thorough in its remediation and could leave gaps in its security. This matters because its systems will likely come under increased scrutiny from attackers once a breach is announced. One mitigating caveat: the SEC rule requires disclosure of the incident's nature, scope, timing and likely impact, not the technical details, and it explicitly does not require a company to publish specific technical information about its response or systems where that would impede remediation.
This poses a higher risk to unprepared organisations that find themselves victims of a cyberattack and do not know where the vulnerability is located. The rule changes therefore reward preparedness, which leads to the next point of this article.
How Do I Protect Myself From this Risk?
This rule change increases the pressure on companies during a cyberattack by making time a hard constraint on remediation. With that in mind, the key takeaway for businesses is the importance of proactivity.
Instead of playing catch-up by waiting to be attacked and then remediating, take proactive measures to reduce the chance of attacks occurring in the first place and to plan what will happen should an attack occur.
- Ensure you have continuous visibility of your exposed assets and their weaknesses, so that the "where is the vulnerability?" question is already answered when an incident starts.
- Remediate vulnerabilities as they arise, prioritising those reachable from the internet.
- Keep backups of all critical systems, stored offline or otherwise out of reach of an attacker, and test that they restore.
- Create an incident response plan for cyberattacks that names who decides materiality, who files the SEC or ICO notification, and how the regulatory deadlines will be tracked.
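The two regulatory clocks discussed in this article start at different moments and count differently, which is exactly the kind of detail that gets lost under pressure. The following is an added example, not code from the article or from MeridianLink, showing how an incident response runbook can track both deadlines from the incident timeline. It assumes that only Saturday and Sunday are non-business days (public holidays are deliberately not modelled) and that the SEC deadline falls at the same time of day on the fourth business day; all timestamps in it are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Added example: the two regulatory clocks an incident response plan has to track.
#   SEC Form 8-K Item 1.05 : four business days from the materiality determination.
#   UK GDPR Art. 33 / ICO  : 72 hours from becoming aware of a personal data breach.
# Assumption: only Saturday and Sunday are non-business days. Public holidays are
# not modelled, so for real use treat the SEC figure as an upper bound.

SEC_BUSINESS_DAYS = 4
ICO_HOURS = 72


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days, skipping Saturday and Sunday."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday == 0 ... Friday == 4
            remaining -= 1
    return current


def disclosure_deadlines(aware_at: datetime, material_at: Optional[datetime],
                         personal_data_breach: bool) -> Dict[str, Optional[datetime]]:
    """Return the regulatory deadlines that apply to an incident.

    aware_at              when the organisation became aware of the incident
    material_at           when it decided the incident is material (None = not yet)
    personal_data_breach  whether personal data was involved (starts the ICO clock)

    The SEC clock does not start until materiality is decided; the ICO clock
    starts at awareness and keeps running through the weekend.
    """
    sec = add_business_days(material_at, SEC_BUSINESS_DAYS) if material_at else None
    ico = aware_at + timedelta(hours=ICO_HOURS) if personal_data_breach else None
    return {"sec_8k": sec, "ico_gdpr": ico}


def overdue(deadlines: Dict[str, Optional[datetime]], now: datetime) -> List[str]:
    """Names of the deadlines that have already passed at `now`, sorted."""
    return sorted(name for name, when in deadlines.items()
                  if when is not None and now > when)


if __name__ == "__main__":
    # Constructed timeline: aware Thursday morning, materiality decided Friday afternoon.
    aware = datetime(2024, 3, 7, 10, 0, tzinfo=timezone.utc)
    material = datetime(2024, 3, 8, 15, 0, tzinfo=timezone.utc)
    clocks = disclosure_deadlines(aware, material, personal_data_breach=True)
    for name, when in clocks.items():
        print(f"{name:9s} -> {when:%a %Y-%m-%d %H:%M %Z}")
    check_at = datetime(2024, 3, 11, 9, 0, tzinfo=timezone.utc)
    print("overdue at", check_at.isoformat(), "->", overdue(clocks, check_at))
```

In the constructed timeline the ICO deadline lands on the Sunday morning, before anyone has returned to the office, while the SEC deadline does not arrive until the following Thursday because the weekend is skipped and the clock only started once materiality was decided. A plan that tracks a single "disclosure date" will get at least one of these wrong.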