Is radical transparency the best weapon in companies’ cyber war?



It may be the ultimate example of a digital poacher turned gamekeeper. After ransomware gang AlphV/BlackCat attacked MeridianLink last month, the hackers decided that the software company hadn’t complied with new Securities and Exchange Commission rules to disclose cyber incidents. So they notified the regulator of this failure, posting a photo of the form where the gang highlighted this “concerning issue”. 

The hackers had it wrong, however. The rules, which require companies to issue a public filing within four days of identifying a “material” cyber security incident, don’t come into force until the middle of December. 

But the move certainly attracted attention: “To the extent that we’ve been having discussions about whether this rule adds another tool to the tool chest of the hackers, this makes it very clear,” says Erez Liebermann, a partner at the law firm Debevoise & Plimpton. “The SEC has put the hackers in the driving seat.”

The new regulations are pushing the boundaries of what is generally agreed as best practice in the cyber community: that greater transparency is an important weapon against the onslaught from online criminals. The known number of cyber attacks has increased by 75 per cent over the past five years, according to EY. The $20bn cost of ransomware attacks in 2021 was 57 times higher than in 2015. It is forecast to mushroom again to $265bn by 2031, according to Cybersecurity Ventures.

Despite this surge in criminal activity, many companies still haven’t done the equivalent of locking the doors and windows, and many boards don’t know enough to ask why. Fewer than 70 per cent of Fortune 100 companies cite cyber security expertise in at least one director’s biography. Only 16 per cent said that their risk management included simulations or testing of their incident response. “It completely amazes me that we continue not to do the basics,” says one former US policymaker. “If companies do the basic cyber hygiene and have an intelligent back-up, you are almost certainly never going to have a really bad day.”

The SEC rules have prompted concern, including from the US Chamber of Commerce. The four-day disclosure threshold is challenging, and will need sensible enforcement: given the uncertainties (and general panic) after a significant breach becomes known, disclosures may be partial or frequently amended as the scale or severity is ascertained. Advisers also argue that worrying about announcements could distract from containing an incident, and that conceding that a hack is “material” hands power to an attacker.

Still, the impetus globally is towards sharing information for the sake of the system. In the most extreme example, radical transparency and collaboration between the public and private sectors is credited with helping contain cyber attacks in Ukraine since the outbreak of the war with Russia.

Governments generally have been too slow to insist on information sharing to build a complete picture of cyber crime and, crucially, to offer companies non-judgemental support to manage attacks or contain damage. The US and EU have expanded requirements to report incidents to authorities for sectors considered critical infrastructure. Australia last month proposed expanding its equivalent across the entire economy. 

In part, disclosure policies may be trying to discourage ransomware payments, by removing the option to write a cheque (or hand over some crypto) and make it all quietly go away. In financial services, which tends to lead the way, the New York state regulator now requires companies to notify them and justify when an extortion payment is made. 

Secrecy, ultimately, can’t help. Ciaran Martin, former head of the UK’s National Cyber Security Centre, sees a parallel with Europe’s data protection rules: “For all its flaws, GDPR took away a highly problematic right to hide a problem and that was a good thing.” The US is increasingly using information it receives voluntarily to issue public warnings, as it did last month based on a report from Boeing about the Citrix Bleed bug. The SEC’s rules take that a step further in terms of how quickly investors, customers and suppliers will be alerted to a new risk.

At the very least, the need to understand a cyber attack at speed, judge its severity and then agree a potentially embarrassing disclosure is transforming corporate planning around how to handle incidents, say advisers. That should encourage greater focus and investment in resilience, as well as ensuring that cyber concerns are keenly felt and well understood at the very top of companies. Which, of course, is as it should have been for some time.
