The Securities and Exchange Commission (SEC) has charged Unisys Corp, Avaya Holdings, Check Point Software Technologies Ltd, and Mimecast Limited with making misleading disclosures in relation to the 2020 SolarWinds attack.
Unisys was also charged with disclosure controls and procedures violations, and all four companies have been issued civil penalties, with Unisys paying $4 million, Avaya $1 million, Check Point $995,000 and Mimecast $990,000.
According to the SEC, the four companies learned between 2020 and 2021 that their systems had been breached but "negligently minimised its cybersecurity incident in (their) public disclosures".
The SEC found that Unisys knew it had experienced two SolarWinds-related intrusions but described its risks from these events as hypothetical. Avaya stated that only a small number of its email messages had been accessed, when it knew that at least 145 files in its cloud had also been infiltrated. Check Point was aware of the intrusion but described the "cyber intrusions and risks from them in generic terms". Lastly, Mimecast played down the impact of the attack by not publicly announcing the nature of the code stolen by the hackers and the number of encrypted credentials that were accessed.
“While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimise their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
The SEC also noted that it was a bad strategy for companies to downplay the extent of a cyber security breach, adding that half-truths were prohibited by federal securities laws.
Each of the companies named by the SEC has agreed to pay the penalty imposed on it and to cease and desist from future violations of the charged provisions.