Estimated reading time: 1 minute, 50 seconds

Hackers Wield Securities Fraud as Extra Threat  

Ransomware attackers have shown that they are willing and able to use securities disclosure rules against corporate targets, throwing another spanner in the works for cybersecurity pros.

ransomware 3998798 640 smallFinancial software company MeridianLink has confirmed to The Record, a publication by cybersecurity firm Recorded Future, that it was hit by a cyberattack. AlphaV, also known as Black Cat—the ransomware group suspected in the hacks of MGM Resorts and other prominent targets—previously claimed to DataBreaches to have stolen files from MeridianLink.

Notably, though, AlphaV further claimed to DataBreaches that it reported the breach to the Securities and Exchange Commission. The breach had purportedly taken place a week earlier. New SEC reporting rules effective December 5 require companies to disclose a “material” cybersecurity incident within four days of it being identified. As The Record notes, however, government officials have clarified that the four-day timeline applies only after an attack has been deemed to be material, not after its initial discovery.

Hackers have flirted with notifying regulators before. Over the summer, a different ransomware gang threatened to report companies under the European Union’s General Data Protection Regulation, the continent’s sweeping privacy law.

Patrick Tiquet, vice president of security and architecture at Keeper Security, told Dark Reading, "This is yet another warning to security leaders, who must recognize that disclosure decisions and plans are no longer solely guided by security best practices,” Tiquet said. “Federal legal liabilities also play an important role.”

“This is an industry-wide wake-up call,” Ferhat Dikbiyik, head of research at cyber risk management firm Black Kite, told CSO. Jim Doggett, CISO of cybersecurity firm Semperis, added to the news outlet that the move ultimately wasn’t surprising given that ransomware is “ever-evolving” and motivated by profits alone.

Thomas Barton, senior IR analyst at Integrity360, told CSHub the alleged SEC complaint shows that ransomware threat actors have matured to such an extent that they can incorporate regulators in their extortion threats.

What’s more, Sean Deuby, principal technologist at Semperis, wrote in an op-ed for SC Magazine that tattling to regulators “could become the new normal for ransomware operators.”

As Bloomberg columnist Matt Levine writes columnist Matt Levine writes, “Hackers know everything is securities fraud.”

 

 

Read 2594 times
Rate this item
(0 votes)

Visit other PMG Sites: