MeridianLink, a financial company, was the victim of a cyberattack that took an unusual turn on 7th November.
The initial attack was typical: hacker group BlackCat (also known as ALPHV) breached their systems and stole data. What differentiates this attack is what followed. Upon receiving no engagement from their victim when attempting to communicate, presumably regarding a ransom demand, BlackCat took a unique step.
They took the liberty of reporting their own victim to the Securities and Exchange Commission (SEC) on the grounds of failing to disclose the attack. This follows a recent change in regulations under which companies are now required to disclose cyber incidents within 4 days of their occurrence.
Fortunately for MeridianLink, the rule change does not come into effect until 15th December. Had this event occurred after that date, and had they not disclosed the attack, BlackCat may have succeeded in making a criminal out of their hacking victim.
No, but a similar policy does apply.
In the UK, the Information Commissioner’s Office has a similar policy, requiring companies to report cyber incidents after 72 hours. This applies as long as there has been a data breach and you cannot prove that it is unlikely to result in a risk to individuals’ rights and freedoms.
Putting in place a disclosure deadline may create opportunities for other threat actors to take advantage of the vulnerability before it is remediated. When an organisation is rushed to disclose that it was attacked, it may not have time to be thorough in its remediation and could leave gaps in its security. This is especially relevant because the announcement of a breach puts the organisation in the limelight, and its systems will likely be under increased scrutiny from hackers.
This may pose a higher risk to unprepared organisations that fall victim to cyberattacks and do not know where the vulnerability is located. The rule changes encourage preparedness, leading to the next point of this article.
This rule change increases pressure on companies in the event of a cyberattack by making time a more important factor in remediation. With this in mind, the key takeaway for businesses is the importance of proactivity.
Instead of playing catch-up by waiting to be attacked and then remediating, take proactive measures to reduce the chance of attacks occurring in the first place, and plan what will happen should an attack occur.