Ransomware cyber

MeridianLink

Jan 12, 2026 3 min read
MeridianLink

In 2023, MeridianLink, a U.S.-based software provider for financial institutions, became a target of the ransomware group AlphV (BlackCat). The hackers exploited the SEC’s four-day cybersecurity incident disclosure rule by filing a formal complaint against MeridianLink, alleging its failure to report a data breach within the mandated timeframe. This tactic weaponized regulatory pressure, forcing the company into a precarious position: either disclose incomplete breach details prematurely risking reputational damage, investor confusion, and operational disruption or face legal penalties and heightened scrutiny.The attack underscored vulnerabilities in the SEC’s rule, as threat actors leveraged it to amplify extortion efforts, knowing public disclosure could destabilize the company’s response. While the exact scope of the breach (e.g., customer/employee data exposure) was not fully clarified at the time of the complaint, the incident highlighted how ransomware groups now manipulate regulatory frameworks to coerce victims. The case also raised concerns about insurance liabilities, market manipulation risks, and conflicts with law enforcement investigations, as premature disclosures could hinder forensic analysis or national security protocols. MeridianLink’s ordeal exemplifies the broader industry backlash against the SEC’s rule, which banking associations argue prioritizes arbitrary deadlines over effective cybersecurity response.

Source: https://thecyberexpress.com/banks-urge-sec-to-end-cyber-disclosure-mandate/

TPRM report: https://www.rankiteo.com/company/meridianlink

"id": "mer39105639112725",
"linkid": "meridianlink",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Government/Financial Regulation',
                        'location': 'United States',
                        'name': 'U.S. Securities and Exchange Commission (SEC)',
                        'type': 'Regulatory Body'},
                       {'industry': 'Financial Services',
                        'location': 'United States',
                        'name': 'American Bankers Association (ABA)',
                        'size': 'Represents $24.1 trillion industry',
                        'type': 'Industry Association'},
                       {'industry': 'Financial Services',
                        'location': 'United States',
                        'name': 'Bank Policy Institute (BPI)',
                        'type': 'Industry Association'},
                       {'industry': 'Capital Markets',
                        'location': 'United States',
                        'name': 'Securities Industry and Financial Markets '
                                'Association (SIFMA)',
                        'size': 'Represents 1 million employees',
                        'type': 'Industry Association'},
                       {'industry': 'Community Banking',
                        'location': 'United States',
                        'name': 'Independent Community Bankers of America '
                                '(ICBA)',
                        'type': 'Industry Association'},
                       {'industry': 'Global Banking',
                        'location': 'United States (HQ)',
                        'name': 'Institute of International Bankers (IIB)',
                        'size': 'Represents banks from 35+ countries',
                        'type': 'Industry Association'},
                       {'industry': 'Financial Technology',
                        'location': 'United States',
                        'name': 'MeridianLink',
                        'type': 'Company'}],
 'date_publicly_disclosed': '2024-01-01',
 'description': 'Five major banking associations (American Bankers '
                'Association, Bank Policy Institute, Securities Industry and '
                'Financial Markets Association, Independent Community Bankers '
                'of America, and Institute of International Bankers) have '
                'formally petitioned the U.S. Securities and Exchange '
                'Commission (SEC) to repeal a rule mandating public companies '
                'to disclose material cybersecurity incidents within four '
                'business days. The rule, effective since 2023, is argued to '
                'pose unnecessary risks, fail investor protection, and '
                'conflict with national security and law enforcement efforts. '
                'The petition highlights real-world consequences, including '
                'premature disclosures, weaponization by threat actors (e.g., '
                "AlphV's SEC complaint against MeridianLink), and operational "
                'disruptions. The groups advocate for rescinding Form 8-K Item '
                '1.05 and Form 6-K requirements, citing existing disclosure '
                'frameworks as sufficient.',
 'impact': {'brand_reputation_impact': ['Potential reputational harm from '
                                        'premature disclosures'],
            'legal_liabilities': ['Increased insurance liabilities',
                                  'Regulatory non-compliance risks'],
            'operational_impact': ['Confusion in disclosure decisions',
                                   'Interference with incident response',
                                   'Hindered law enforcement collaboration',
                                   'Discouraged internal communications']},
 'investigation_status': 'Ongoing (Regulatory Review)',
 'lessons_learned': ['Premature disclosures undermine cybersecurity response '
                     'and mislead investors.',
                     'Regulatory frameworks can be weaponized by threat actors '
                     "(e.g., AlphV's SEC complaint).",
                     'Conflicts between public disclosure rules and national '
                     'security/law enforcement priorities create operational '
                     'risks.',
                     'Patchwork guidance indicates fundamental flaws in rule '
                     'design.'],
 'motivation': ['Policy Change',
                'Risk Mitigation',
                'Investor Protection Concerns',
                'National Security Alignment'],
 'post_incident_analysis': {'corrective_actions': ['Proposed rescission of '
                                                   'Form 8-K Item 1.05 and '
                                                   'Form 6-K requirements.',
                                                   'Advocacy for flexible, '
                                                   'risk-based disclosure '
                                                   'frameworks.',
                                                   'Collaboration with law '
                                                   'enforcement to avoid '
                                                   'conflicting mandates.'],
                            'root_causes': ['Overly prescriptive disclosure '
                                            'timelines (4-day rule).',
                                            'Lack of alignment between SEC '
                                            'rules and other federal '
                                            'cybersecurity programs.',
                                            'Ambiguity in materiality '
                                            'thresholds for cybersecurity '
                                            'incidents.',
                                            'Exploitation of regulatory gaps '
                                            'by threat actors.']},
 'recommendations': ['Rescind SEC Form 8-K Item 1.05 and Form 6-K disclosure '
                     'requirements.',
                     'Rely on existing material information disclosure '
                     'frameworks.',
                     'Align cybersecurity incident reporting with national '
                     'security and law enforcement needs.',
                     'Avoid mandatory timelines that conflict with incident '
                     'response best practices.'],
 'references': [{'source': 'American Bankers Association (ABA) Press Release'},
                {'source': 'SEC Rule 192 Petition (Joint Submission)'},
                {'source': 'AlphV SEC Complaint Against MeridianLink (2023)'}],
 'regulatory_compliance': {'legal_actions': ['Petition to rescind SEC Rule '
                                             '(Form 8-K Item 1.05 and Form '
                                             '6-K)'],
                           'regulatory_notifications': ['SEC Rule 192 '
                                                        'petition']},
 'response': {'communication_strategy': ['Petition under SEC Rule 192',
                                         'Public advocacy',
                                         'Media engagement']},
 'stakeholder_advisories': ['Petition signed by ABA, BPI, SIFMA, ICBA, and '
                            'IIB'],
 'threat_actor': ['AlphV (mentioned in context of exploiting the rule)'],
 'title': 'Banking Associations Petition SEC to Repeal Cybersecurity Incident '
          'Disclosure Rule',
 'type': ['Regulatory Dispute', 'Policy Advocacy']}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.