The U.S. Securities and Exchange Commission (SEC) has brought charges against four present and former publicly traded companies, alleging that they delivered “materially misleading disclosures” tied to the notorious SolarWinds cyber intrusion in 2020. The firms – Avaya, Check Point, Mimecast, and Unisys – face penalties for mishandling information related to the extensive breach stemming from the SolarWinds Orion software supply chain attack. This mishandling, the SEC argues, constitutes a violation of the Securities Act of 1933 and the Securities Exchange Act of 1934, along with associated regulatory guidelines.
Under the settlement, Avaya will pay a fine of $1 million, Check Point $995,000, and Mimecast $990,000, while Unisys has been hit with the largest fine at $4 million. Additionally, Unisys is cited for non-compliance with disclosure controls and procedural guidelines.
“Public entities may be vulnerable to cyber incursions, yet they must not further harm their shareholders or the investing populace by issuing misleading statements regarding the security incidents they endure,” asserted Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement. “Here, SEC findings indicate that these corporations conveyed skewed accounts of the events in question, obscuring the real magnitude of the incidents from investors.”
According to the SEC, each company had ascertained that Russian operatives, the orchestrators of the SolarWinds Orion breach, had gained unauthorized access to their systems. Despite this knowledge, the companies chose to dilute the perceived impact of the incident in their public disclosures.
In particular, the SEC noted that Unisys referred to the cybersecurity risks as “hypothetical” although the company knew that sensitive data, amounting to over 33 GB, had been extracted across two separate instances.
The investigation further revealed that Avaya understated the extent of the breach, indicating the hacker accessed only a “limited number” of emails when, in fact, the company was aware that at least 145 files within its cloud infrastructure had also been compromised.
For Check Point and Mimecast, the SEC took issue with their generalized disclosures of breach-related risks. Mimecast notably failed to clarify the kind of data the threat actor exfiltrated, as well as the number of encrypted credentials accessed.
“In some cases, the cyber risks were described as theoretical or generic, even when the companies were cognizant that the flagged risks had already come to fruition,” commented Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit. “The federal securities laws do not permit partial truths, and there is no exemption for risk-factor disclosures.”