In a cybersecurity breach, a hacking group reported infiltrating MeridianLink to the SEC. Facing unproductive negotiations, the hackers leveraged a recent SEC rule mandating companies to report "material cybersecurity incidents" within four business days.
(Photo : Mark Wilson/Getty Images)
WASHINGTON - AUGUST 14: A security guard stands outside of the Security and Exchange Commission offices August 14, 2002 in Washington, DC. August 14 was the deadline for many large U.S. companies to submit sworn statements from their chief executive and chief financial officers certifying the accuracy of financial reports.
Reporting Breach to SEC
Hacking group ALPHV / BlackCat took an unconventional approach by reporting their breach of the financial software company MeridianLink to the US Securities and Exchange Commission (SEC), as reported by Engadget.
This group, known for previous breaches involving entities such as MGM Resorts and Reddit, infiltrated MeridianLink's servers on November 7, extracting company data without encryption. When direct negotiations with the company proved unproductive, the hackers invoked a recently passed SEC rule.
The reported rule, introduced in the summer, mandates that companies experiencing "material cybersecurity incidents" must notify the SEC within four business days. However, conflicting information has emerged regarding the effective date of this rule.
While one official form suggests a 90-day waiting period after publication in the Federal Register (potentially making the effective date November 2 or December 18), the Federal Register document indicates a broader compliance commencement for most registrants on December 18, 2023.
Adding to the confusion, Reuters reported in October that the rule takes effect on December 15. The disparate timelines contribute to uncertainties surrounding the application of the rule and its implications for cybersecurity incident reporting.
MeridanLink's Response
BleepingComputer received a statement from MeridianLink, affirming their swift response to contain the cyber threat. The company stated that, as of their ongoing investigation, no unauthorized access to production platforms has been identified, and the incident resulted in minimal business disruption.
MeridianLink is still assessing the potential breach of consumer personal information and has committed to informing affected parties if any such compromise is confirmed.
While the effectiveness of the SEC's intervention or their inclination to act upon MeridianLink's delayed reporting remains uncertain, the incident highlights an ironic twist-the regulatory rule intended to ensure prompt disclosure might inadvertently empower cyber attackers.
Instead of resorting to traditional tactics like contacting customers or applying direct pressure, hackers could exploit the reporting rule by alerting regulatory bodies like the SEC.
Also Read: Black Basta Ransomware Gang Steals 'Large Number of Files' from Toronto Public Library
Amid a surge in security breaches at U.S. entities, the SEC has implemented fresh regulations mandating publicly traded companies to disclose cyberattacks with a substantial impact, influencing investment decisions.
The newly introduced rule stipulates that reporting of cybersecurity incidents is required within four business days after a registrant deems the incident as material.
Although Reuters indicated in early October that the SEC's latest cybersecurity regulations are scheduled to become effective on December 15, 2023, uncertainties persist around the rule's timeline and implications.
Related Article: Microsoft Reveals Latest SolarWinds Hacker Attack, SEC Probes Companies Victimized
