How the SEC's Rules on Cybersecurity Incident Disclosure Are Exploited

Cyber hygiene is no longer a nice-to-have but necessary for organizations that want to survive the relentless barrage of cyberattacks being unleashed daily.

Ken Dunham, Cyber Threat Director, Qualys Threat Research Unit

February 5, 2024



Data security continues to be a leading challenge for businesses in an always-on, always-connected world. According to data from Qualys' 2023 threat landscape year in review, there were 26,447 vulnerabilities disclosed in 2023, up from 25,050 in 2022. It's the seventh straight year that vulnerabilities have increased. Of those categorized as high risk, hackers publish exploit tools for approximately 25% of them on the same day they're disclosed. Sadly, these numbers aren't surprising.

To address this ongoing trend for US organizations, the Securities and Exchange Commission (SEC) recently adopted new rules that require publicly traded companies to report cyberattacks with a material impact. Failure to do so likely will result in financial penalties and reputational damage.

Although these rules are designed to protect company stakeholders, there's another group potentially benefiting from this: threat actors. In one instance, the ALPHV ransomware gang tried to exploit the new rules to get victims to pay ransoms. The group allegedly breached MeridianLink's network on November 7, 2023, and stole company data without encrypting systems. When trying to extort MeridianLink for the ransom, the company's lack of response prompted the hackers to exert more pressure by sending a complaint directly to the SEC about MeridianLink not disclosing the cybersecurity incident that impacted "customer data and operational information." ALPHV then published the complaint and automated response from the SEC on its website to further coerce MeridianLink to comply with their demands.

While the SEC rules weren't in effect yet and MeridianLink explained that the incident "caused minimal business interruption," the episode gives publicly traded companies a glimpse of how things could go moving forward. This is further supported by a troubling trend in ransomware extortion tactics: over the past five years, hackers have not only encrypted data with ransomware but also exfiltrated data, performed unauthorized disclosures, and otherwise weaponized the intrusion and the stolen data in any way possible to cash out.

In response, here are some ways public companies can regain the upper hand with threat actors who plan on using this approach:

Be Proactive About Cybersecurity

With the new SEC rules in place, publicly traded companies are obligated to report cyberattacks with a material impact. This means they also have an obligation to their shareholders to prioritize cybersecurity within their organizations. Regardless of size, all public companies must think proactively about cybersecurity. It's much tougher to respond to a cyberattack if you're not prepared for it, and investing upfront is far more affordable than paying for a breach and the reputational loss that follows. Beyond the latest cybersecurity technology that can measure, communicate, and eliminate cyber-risk in real time, it's important to conduct regular penetration testing and red team testing, as well as thoroughly educate all employees and contractors on cybersecurity best practices. The threat landscape is constantly evolving, so organizations must ensure their employees are consistently increasing their knowledge. Furthermore, following the prosecution of SolarWinds' CISO for recent cyber incidents, chief information security officers need to take personal responsibility for cybersecurity. This is no longer just a business risk but a personal liability as well.

Develop a Comprehensive Incident Response Plan

Even the most cybersecurity-forward organizations can fall victim to a cyberattack, so it's critical to have a plan in place that outlines how you're going to respond in various situations. The new SEC rules put certain limitations on incident response plans, but there's still much to consider between discovering a problem and reporting it to the SEC. Well-prepared teams can often limit the damage of a cyberattack by identifying it quickly, containing it, and remediating it before the impact is felt throughout the organization. Regardless, companies should have a dedicated incident response team ready to address things swiftly, knowing immediately who to contact and what their responsibilities are. As part of this, they must prepare for a threat actor like ALPHV exposing them prematurely — whether or not there's any validity to their claims. Organizations also will need to determine the level of transparency in any given scenario and if sharing too much too soon will cause unnecessary panic, or if it will help them eliminate the threat more efficiently. Companies should stress test these scenarios before they're an actual target.

Share Learnings and Work Together

Being the victim of a cyberattack is a painful experience, but one that others in the cybersecurity community can benefit from. To neutralize threat actors moving forward, the industry must proactively work together, and that often means sharing difficult details of your own experience with others. With new tools like generative AI, threat actors are throwing more things against the wall, hoping that some will stick and lead to a lucrative payday. They're also developing more sophisticated approaches to gain initial access and move laterally within networks.

Looking Ahead

No organization wants to be the victim of a cyberattack, and furthermore, they don't want to lose control of the narrative along with it. The SEC's new rules increase organizational and personal accountability and bring more transparency to the forefront, but at the same time, it's an opportunity for threat actors to intimidate victims and get what they want. For public companies to regain the upper hand, they need to prioritize and be proactive about cybersecurity, have a clear plan for how they're going to respond should an incident occur, and, when appropriate, share their experiences and work with the cybersecurity community to establish stronger strategic defenses against threat actors.

Today's world looks a lot different than it did five or 10 years ago, and being a public company comes with greater responsibility than ever before. No longer is excellent cyber hygiene a nice-to-have, but a necessity for organizations that want to survive the relentless barrage of cyberattacks being unleashed daily.

About the Author(s)

Ken Dunham

Cyber Threat Director, Qualys Threat Research Unit

Ken Dunham is cyber threat director at Qualys Threat Research Unit. He has 30+ years of consulting experience in cybersecurity leadership, incident response, dark web operations, malware research and response, and strategic transformation. He holds a CISSP, CISM, Masters of Teacher Education with research in alternative assessment of multiple intelligences, and he has held numerous technical certifications over the years ranging from reverse engineering to network security and forensics. Mr. Dunham has a long history of innovation for nascent technologies and solutions such as the creation of training programs for U2, Warthog, and Predator systems for the USAF, responsible disclosure (iDEFENSE), and cyber threat intelligence (iSIGHT Partners). He is a widely published author with thousands of security articles and multiple books on topics ranging from Darknet disclosures to mobile threats and mitigation of malware.
