As cybercrime, especially ransomware, has dramatically increased over the last 20 years, it should come as no surprise that both criminal investigations and financial regulations have come with this crime wave – faster in some regions of the world, slower in others. As the United States prepares for stricter cybersecurity incident reporting timelines from the United States Securities and Exchange Commission (SEC), and final rules from the Cybersecurity & Infrastructure Security Agency (CISA) on reporting ransomware payments and attacks on critical infrastructure, there is a new concern among some parties: Will criminals try to use these new rules against us?
How It Started
Let’s look at an earlier instance of attackers attempting to use regulations to further abuse victims. Efforts to regulate how companies handle data breaches and losses began in the expected regulation-friendly place, Europe. We are all now familiar with the European Union’s General Data Protection Regulation (GDPR), the personal information it protects, and the hefty fines that can be levied for violating it. (Some of us even blame those pesky cookie warnings on those rules, but it’s not GDPR’s fault; credit those to a different law, the ePrivacy Directive.) The GDPR doesn’t cover the same material as the regulations we’re about to discuss, but there’s an important parallel in how the bad guys attempted to abuse the process.
Within months of GDPR taking effect in May 2018, we began to see more ransomware groups not just encrypt compromised servers and databases, but also steal the information for use in so-called “double extortion” attacks. In other words, the attackers were extorting victims not only to pay for the decryption keys, but also to keep their sensitive files from being released. We also saw attackers attempt a “triple threat”: in addition to threatening to release a victim’s sensitive files publicly, they threatened to report the victim to the authorities for violating the GDPR if the victim did not pay for the decryption keys.
Was this effective? Like many things we observe in the cybercrime ecosystem, there is a lot of experimentation by threat actors to find the most profitable, efficient, and successful extortion schemes. Those that prove lucrative are copied and repeated. We have no reason to believe the GDPR threats had any impact on whether victims paid or not, as the tactic has all but disappeared. “Double extortion” was here to stay, but the extra threat of GDPR reporting was deemed unnecessary or ineffective by the criminals.
How It’s Going
The United States is typically more hesitant than Europe to wade into direct regulation of the private sector, and its regulatory landscape is a complex and strange patchwork, thanks to much of the heavy lifting of rulemaking being left to the states rather than handled at the federal level. However, it appears that the current wave of cybercrime is having a substantial enough financial impact on US industry that regulations are being developed in those spheres where federal-level oversight is allowed, namely critical infrastructure and publicly traded companies.
There are now concerns these regulations could be weaponized, similar to the attempts to weaponize the GDPR years ago. Could regulatory attempts at protecting shareholders, the public, and the customers of cybercrime victims ultimately make things worse?
In fact, there has already been a premature attempt at trying to leverage the new SEC rules relating to cybersecurity incident disclosure, by the ALPHV/BlackCat criminal syndicate. In November 2023, ALPHV compromised the network of MeridianLink, a public FinTech company based in California. While it is not a new phenomenon for ransomware crime groups to use extortion in an attempt to get a victim to pay, we may have witnessed the first documented attempt to wield the new US regulations as a lever.
Specifically, ALPHV decided that MeridianLink was not responsive enough to their demands after an initial compromise of its network. The threat actor then allegedly filed a complaint with the SEC that MeridianLink had not disclosed a “material breach” to its investors on Form 8-K “within the stipulated four business days, as mandated by the new SEC rules.” There were two problems with this: the compliance date for the new SEC Final Rule on disclosure of material cybersecurity incidents had not yet arrived (it is December 18, 2023 for most public companies), and the damage allegedly inflicted by ALPHV may not have met the threshold of a “material” event of which shareholders need to be informed.
The question once again is, will this be effective? Will criminals threatening to report victims to the authorities for alleged non-compliance apply additional pressure on those victims to pay ransoms? Let’s look more closely at the new rules to assess the potential effectiveness of these threats.
CIRCIA and the SEC: What’s New?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed in March 2022, requires CISA to publish a proposed rule by March 2024 and a final rule within 18 months of that proposal. Once in force, it mandates that covered public- and private-sector entities in the critical-infrastructure sectors (the precise scope of “covered entity” is defined in CISA’s rulemaking, but it will be a very broad slice of US companies) report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours. CISA is a branch of the Department of Homeland Security (DHS). Covered sectors include:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
Meanwhile, over at the SEC, final rules relating to cybersecurity risk management, strategy, governance, and incident disclosure by public companies (the “Final Rule”) were adopted on July 26, 2023, and became effective on September 5, 2023.
The Final Rule requires public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (as amended) to report “material” cybersecurity incidents within four business days of a company’s determination that the cybersecurity incident is material on Form 8-K as Item 1.05 (with limited exceptions relating to substantial national security or public safety risks).
In addition, the Final Rule requires new annual disclosures on Form 10-K regarding a company’s cybersecurity risk management and strategy as well as a company’s cybersecurity governance. Likewise, Foreign Private Issuers (FPIs) must provide similar annual disclosures on their Form 20-F annual reports and material cybersecurity incident disclosures on Form 6-K.
The compliance date for the new cyber incident disclosure requirements on Form 8-K and Form 6-K is December 18, 2023 for most public companies (smaller reporting companies get an additional 180 days, until June 15, 2024), while the new annual cybersecurity disclosures begin with a public company’s annual report on Form 10-K or Form 20-F for the fiscal year ending on or after December 15, 2023.
Starting with CIRCIA, in my view it addresses three primary problems. First, it notifies CISA that an attack that could compromise national security is underway and allows them to “call in the cavalry” to provide prompt assistance to the victim. Second, it alerts CISA to new attacks, so they can proactively reach out to other critical infrastructure operators to warn them or to help them defend their infrastructure against the same or similar attackers. Third, it allows CISA to count the attacks and understand how much ransom is being paid.
Speaking as someone who works in this area and frequently discusses policy with people in government, academia, and the private sector, one of the biggest problems we face is coming to grips with the scope and scale of the attacks we are inundated with daily. Without reporting of these crimes, most nations are unable to fund law enforcement expertise commensurate with the increasing scale and damage inflicted through cyberattacks. This is true everywhere in the world. These new rules are one nation’s attempt at sizing up the problem for covered entities.
To date, many organizations are afraid that if they report these incidents to law enforcement, the attack may be made public or even cause the criminals to intentionally wreak more havoc on their systems. After all, if the story of an attack or breach leaks publicly it can negatively affect consumer confidence, damage share prices, and possibly disrupt negotiations with the criminals themselves.
The CIRCIA rules will help CISA with measuring the scale of these attacks and do not require public disclosure — only reporting to CISA itself. This should help assuage the fear of engaging with authorities, allow more accurate assessment of damages, and allow CISA and its partners to provide timely help in these all-too-common crises.
Meanwhile, the changes in the SEC rules are more concerned with “consistent, comparable, and decision-useful disclosures” to investors regarding cybersecurity issues that are “material” to the business. SEC filings on Form 8-K and Form 10-K are publicly available, so they can have more impact on an organization’s reputation, but disclosing material cybersecurity incidents was already required before the new Final Rule. From my perspective, the primary change the reader should care about for the scenarios in this article is timing and content: a public company must now disclose a material cybersecurity incident within four business days of determining that the incident is in fact “material,” and specific information must be included in Item 1.05 of Form 8-K. Previously, a company might have been able to disclose an incident more than four business days after that determination, and the information disclosed was not consistent across companies. Note that the four-day clock starts at the materiality determination, not at discovery of the intrusion.
So… Was the Threat Effective?
Unless we believe that the ALPHV ransomware operators were canny enough to know of the new SEC Final Rule and yet not smart enough to understand how a calendar works, it seems that the November foray against MeridianLink was an attempted weaponization of the regulation itself, a test of whether it can be used as an effective threat against victims once the new SEC Final Rule actually kicks in. Considering that they failed, it would seem it wasn’t as effective as they hoped.
There are a few reasons for this. Organizations that must file 10-Ks and 8-Ks were already required to disclose a cybersecurity incident if it is material, and a materiality determination is unlikely to have been made while the company is still defending its assets and assessing the extent of the damage. (You would hope that public companies are not going to break the law by failing to comply with the SEC’s rules.) Additionally, in most ransomware attacks the criminals have already stolen the data in addition to encrypting it. Their intent is to threaten to publish the information if you don’t pay the ransom, so reporting you to the SEC for non-compliance is not likely to add any leverage to their negotiations, even if you did contemplate non-compliance.
The good news is that affected organizations have little to worry about from these threats. The FBI (Federal Bureau of Investigation) and other law enforcement agencies are not there to publicly out victims; rather they intend to provide advice, assistance, and most importantly a record of the crime that can help both the victim and our collective security. The role of CIRCIA is not to punish, but rather to ensure that CISA has the information necessary to protect the United States’ national security and provide help when possible. Even the SEC, which has the power to fine and impose civil penalties for non-compliance, is simply trying to ensure that investors understand the impacts of these devastating attacks – not as a punishment, but as a protective mechanism. This should encourage organizations to take their information security seriously, and perhaps double down on efforts to increase their security readiness.
Be of Good Cheer
Effective defenses require a clear understanding of the threats we face, how they unfold, and how they are evolving over time. Whether it is the police, the federal government, or your private-sector security provider, we all rely on up-to-date and accurate information to inform our defenses. Ideally these rule changes will help us have a more reliable understanding of the threats we are facing. Let’s all do our part to not let criminals turn rules intended to protect us into weapons to increase pressure on victims to capitulate to their demands.
The contents of this publication are for informational purposes only and reflect the opinions of the author. Sophos is not rendering legal or other professional advice or opinions on specific facts or matters. Sophos assumes no liability in connection with the use of this publication, and you must seek your own legal or other professional advice or opinions with respect to any SEC or CIRCIA reporting requirements.