Well here’s a nutty new risk for cybersecurity compliance professionals at publicly traded companies: ransomware attackers reporting their own attacks against you to the Securities and Exchange Commission when you don’t meet their demands.
Yes, this actually happened last week. A ransomware group known as Alphv breached MeridianLink, a California company that provides digital lending software to banks and other financial firms. When MeridianLink ignored Alphv’s demand for a ransom, Alphv filed a complaint with the SEC accusing the company of violating the SEC’s newly adopted rules for disclosure of cybersecurity attacks.
Of course, the entire episode sounds like something out of Curb Your Enthusiasm if Larry David were a corporate IT security officer — preposterous and offensive, yet naturally hilarious at the same time; of course some hacker group out there would try something like this eventually.
The unfortunate truth, however, is that other hackers are now likely to follow suit with similar threats against other companies in the future. So if we give Alphv’s stunt some serious thought, what compliance and audit issues arise?
For example, we can mark one issue in MeridianLink’s favor right away: the SEC’s new cybersecurity disclosure rules haven’t gone into effect yet. So when Alphv complained to the SEC that it had breached MeridianLink on Nov. 7, and the company hadn’t said anything by Nov. 14 — well, MeridianLink had no obligation to do so. The new rules don’t go into effect until Dec. 15.
Plus, those new rules only require disclosure of “material cybersecurity incidents” within four days of a company deciding that, yep, this incident we suffered is indeed material.
That’s where this stand-off with Alphv starts to get interesting.
Breaches vs. Ransom Attacks
To appreciate the issues here, we first need to understand exactly what Alphv did to MeridianLink.
According to Alphv itself (right in the complaint it filed with the SEC), the group only absconded with “customer and operational data” from MeridianLink. It did not encrypt any files or systems as usually happens in a ransomware attack. This was data theft, and data theft only.
That’s an important distinction when you’re assessing the materiality of a cybersecurity incident. We often say that hackers “stole” data from their victim company, but at a technical level that’s not accurate. When hackers commit a data breach, all they’re doing is copying your sensitive data and removing that copy from your control; you still have the original data there on your servers. You can still use it.
So the question arises: Is the mere copying of your data a material event that needs to be disclosed in an SEC filing? For a lot of companies the answer might well be no.
Think of a large retailer suffering a breach of customer data. That stinks, and it will likely lead to regulatory fines, civil litigation, and new costs for cybersecurity improvements — but altogether, those expenses still might not add up to a quantitatively material amount of money. By the numbers alone, maybe you wouldn’t need to notify the SEC.
On the other hand, you’d still need to consider whether the breach is qualitatively material. That analysis would depend on how the attackers penetrated your defenses. For example, did you have poor cybersecurity training and employees fell for a phishing attack? Did you fail to implement multi-factor authentication? Were your software patching processes a mess?
Any of those failures (and numerous others) could be qualitatively material failures that require disclosure, but not necessarily so — and it’s also possible that maybe your breach happened for some other reason that’s not indicative of a qualitative failure at all.
Anyway, back to MeridianLink. When asked about the breach and Alphv’s complaint to the SEC, the company simply said: “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”
Maybe that’s true. If Alphv didn’t launch a ransomware attack that tied the company’s operations into knots, and only copied a bunch of confidential information that, as the company says, “caused minimal business interruption” — maybe the attack doesn’t rise to the level of a material cybersecurity event.
In which case, Alphv’s SEC complaint is bold and funny, but it’s not an effective threat.
It’s All About Cyber Controls
Just because Alphv’s call-the-SEC stunt might not go far in this case doesn’t mean a similar stunt will fail in other cases. So compliance officers, internal auditors, and CISOs still need to consider: what does your organization need to get right to assure that such pressure tactics won’t be a threat if they happen to you?
First, you need to have a rock-solid sense of what your compliance risks are, and that you have the correct controls in place to address those risks.
For example, financial firms typically need to have multi-factor authentication as an access control. If you’re in banking, have you implemented MFA? All companies should have rigorous employee training on cybersecurity. All companies also need strong internal processes that pass known security weaknesses up the chain of command, so that senior executives can respond to them. (That’s what got SolarWinds into hot water with the SEC just a few weeks ago, let’s remember.)
To answer such questions, you’ll need the right tools and people to make an assessment of your cybersecurity risks. For example, you’ll need a tool (GRC software) or process (expensive consultations with lawyers) that can help you identify all your regulatory obligations for security, encryption, access control, breach notification, and the like. You’ll also need a tool to help you map your existing controls to all those compliance obligations, to sniff out holes in your cybersecurity regime that need to be filled.
Plus, someone has to be in charge of performing that compliance risk assessment. Is it the CISO? The privacy officer? The compliance officer? Somebody else, or all of the above in a committee of some kind?
Let’s bring all this back to Alphv and its complaint to the SEC. With that complaint, Alphv was trying to say, “Hey, SEC! This company had a material cybersecurity incident and didn’t report it, so nail them!” OK, all’s fair in love and cybersecurity war — but the best strategy to thwart such a threat is to assure that you don’t have a material cybersecurity incident in the first place.
The word “material” is key here. Your company will have cybersecurity incidents; that’s inevitable. But so long as those incidents can be deemed not material, you don’t need to report them to the SEC and the Alphv stunt goes nowhere.
Having the right controls in place will thwart the risk of a qualitatively material weakness. Then you only need to worry about whether the weakness is quantitatively material — and with the right insurance and business continuity plans in place, in many cases that answer will be no. Then the threat from Alphv and its ilk is defanged.