The Securities and Exchange Commission (SEC) has charged four current and former public companies, namely Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited, with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC also charged Unisys with disclosure controls and procedures violations.
The charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimise their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
Keith McCammon, CTO at cybersecurity company Red Canary, says the SEC’s action is notable because the SEC is looking retroactively at major incidents such as the SolarWinds breach and imposing fines based on violations of long-standing rules.
“This underscores the importance of clear, honest, and timely disclosure of material cybersecurity incidents to all stakeholders,” he said. “One of the best things companies can do to prepare is to clearly define a material cybersecurity incident in the context of their business, where a key component of both the criteria and response plan is the identification of key stakeholders.”
“We are starting to see more and clearer signals that the US government at-large, via the National Cybersecurity Strategy, CISA, and other agencies, will continue to push for legislation and enforcement as it relates to cybersecurity preparedness, compliance, and reporting.”
According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021 that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorisation. However, each negligently minimised its cybersecurity incident in its public disclosures.
The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving the exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls.
The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] company’s email messages” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file-sharing environment.
The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimised the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.
The SEC’s orders find that each company violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules. Without admitting or denying the SEC’s findings, each company agreed to cease and desist from future violations of the charged provisions and to pay penalties. Each company cooperated during the investigation by voluntarily providing analyses or presentations that helped expedite the staff’s investigation and by voluntarily taking steps to enhance its cybersecurity controls.
The companies agreed to pay the following civil penalties to settle the SEC’s charges:
- Unisys will pay a USD4 million civil penalty;
- Avaya will pay a USD1 million civil penalty;
- Check Point will pay a USD995,000 civil penalty; and
- Mimecast will pay a USD990,000 civil penalty.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialised. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”