Five Unintended Consequences of the New SEC Cybersecurity Disclosure Rule
The possibility of more copycat ransomware gangs is just the start
John Morello | January 24, 2024
The November 2023 whistleblower complaint by the ALPHV/Blackcat ransomware crime syndicate to the U.S. Securities and Exchange Commission broke new ground in the rapidly evolving world of cybersecurity. ALPHV filed the complaint alleging that a publicly traded company, MeridianLink, had failed to make a timely disclosure of a material cyberattack. This would violate a new SEC rule that took effect in July 2023 mandating disclosure of attacks within four days. ALPHV clearly wanted Meridian to pay their ransom to make the attack go away. The way it chose to leverage the new SEC rules was perhaps the first case of unintended consequences.
A ransomware gang turned government whistleblower is unexpected, to say the least. But CISOs seeking to maintain a tight security governance ship will be facing an entirely new and unfamiliar landscape as additional unintended consequences of the new rules play out in 2024 and beyond.
Let's explore five potential unintended consequences of the new SEC Cybersecurity Disclosure rule, and their impact.
Threatening to Report Non-Disclosure
As we already discussed, this surprising tactic has been used by the ransomware group ALPHV/Blackcat. It is likely that other ransomware gangs will adopt similar tactics because their chances of collecting payment from victims are directly proportional to the pain, bad publicity, and cost created. The SEC has already issued seven-figure fines against companies for failure to disclose the full extent of cyberattacks; these fines applied to incidents prior to the new regulations, implying that companies failing to meet the standards laid out in the new rules can expect to pay a stiff price. Third parties using disclosure as a weapon could make the disclosure process even more complicated and fraught with risk.
To be clear, this threat of regulatory disclosure merely adds a new wrinkle to attack tactics; disclosure of attacks has long been used as a weapon against victims who stand to suffer reputational or other damage when a cyber breach hits the news. But the SEC angle ratchets up the pressure and adds an additional pain point
Bad Actors Using Mandated Disclosures to Visualize Attack Surface
The new SEC rules also require companies to provide detailed information about their cybersecurity risk management, strategy, and governance practices. The full extent of what is acceptable remains a work in progress and will evolve over time. The risk of these disclosures is potentially providing bad actors with detailed insights into a company’s cybersecurity practices, making it easier for them to plan and execute attacks.
For example, a significant percentage of serious attacks involve sophisticated social engineering and attempts to exploit known processes, identities, and behaviors. With artificial intelligence (AI) and deep fakes, social engineering and spear-phishing will become easier to execute. If a company is required to disclose significant details of who or what teams must be involved in cybersecurity processes, then attackers will surely seek to exploit that new knowledge.
Exploiting Disclosure Windows for Timing Attacks
In some cybersecurity incidents, the share prices of the victim company fall on news of the attack. This is more true with companies that have small or medium market capitalization. Now that the SEC has instituted a four-day notice mandate, attackers could conceivably exploit an anticipated disclosure window to sell the victim’s shares short, profiting when they fall. In another scenario, attackers might hit a victim organization on the eve of an important shopping day or, if bids are due for a critical contract, in the week before that deadline. By putting a timeline on disclosure and making it non-negotiable, the SEC makes timing attacks far more powerful.
Increased Vulnerability Exposure During Ongoing Attacks
As a former CISO, I can say for sure that it may not be possible to fully block an attack in four days. An attack might require updating software and endpoints across tens of thousands of devices and systems around the world. Not all those devices are even online or connected to the Internet — in factories, for example. If a company is forced to disclose an attack even as it continues, this could encourage other attackers to pile on. This could either be to exploit the same ongoing vector or via other vectors under the premise that security response teams are already stretched, so responding to an additional response would likely be beyond their capacity. Because of the nature of shareholder lawsuits and recent court rulings, non-disclosure that material attacks are still ongoing could put litigation crosshairs on the backs of breached organizations.
Increased Cybersecurity Costs for Registered Companies
Security response is costly. It requires lots of time and often requires a surge in resources. Putting a four-day window on identifying, cataloging, and mitigating security incidents is the equivalent of moving from ground shipping to next-day air delivery. Speed is expensive. It can also result in waste if a wrong path is undertaken in the response and forensics and resources are poured into a dead end. Unfortunately, this budget item is likely to be lumpy and unpredictable, making it harder for CISOs to properly budget for the new security governance landscape.
Other Unintended Shoes Likely to Drop
These are just five potential unintended consequences of the new SEC disclosure rules. One of them has come to pass. However, attackers are creative and will likely identify other ways to exploit the new rules to gain an advantage. CISOs will face not only pressure to move quickly and comply more broadly, but also to redesign their teams and processes for forensics and disclosure. CISOs will also have to find a way to strike a balance between disclosing cybersecurity practices and processes to potential investors while shielding critical information about attack surfaces and processes from bad actors.
The inevitable unintended consequences inject a new wildcard into the equations that will make security governance still more complicated going forward.
Security governance is getting personal
For CISOs, CEOs, BODs, and security teams, staying ahead of the emerging consequences of evolving security governance changes requires a proactive approach with a focus on compliance, transparency, and strategic risk management.
Download our whitepaper, "Navigating a New Security Governance Reality: A CISO's Guide to Cybersecurity Disclosure and Compliance" for:
- Real-world ideas for improving your security governance to better navigate recent global disclosure changes
- An understanding of personal and corporate liability risks security leaders assume when they don’t prioritize security governance
- A checklist of ideas to help you reshape your security processes in response to new challenges