The Threat of Weaponizing Cybersecurity Regulations?

Regulations requiring organizations to disclose cybersecurity incidents are now standard across the globe, from US SEC materiality rules to EU NIS2, to name a few. Fines for personal data breaches are also typical of GDPR and other privacy acts.


Yet it's worth a reminder about unintended consequences: ransomware-as-a-service operators are now adapting their business model to focus on exfiltrating data and then threatening to make the stolen data public. Encrypting data is no longer their only goal.


Cybersecurity disclosure and transparency regulations inadvertently drive this change: threat actors leverage disclosure rules as a means to exert additional pressure, threatening to release sensitive information unless the ransom is paid.


Early examples are already in: see the case of a ransomware gang filing a formal complaint with the US Securities and Exchange Commission on behalf of its victim.


In the near future, it's conceivable that ransomware operators will focus on threatening to report data breaches directly to, say, GDPR or NIS2 competent authorities, as these regulations stipulate heavy fines.


As an example, see Palo Alto Networks' analysis of a ransomware-as-a-service platform called Medusa (see here). The operators have a web-shop-like online presence, with various pricing tiers or "packages" victims can choose from (see screenshot below): from a standard fee of $10,000 for a time extension to prevent data from being published, to paid requests to delete or download the data.


[Screenshot: Ransomware-as-a-service platform Medusa payment options]
A web shop from hell: choose to delay publication of your stolen data, or have it removed altogether. For a "small" fee.

Do strict transparency and disclosure requirements have other unintended consequences? For example, handing attackers insights on which companies to target and how to attack them?


Regulators and cybersecurity insiders should take these unintended consequences into account.