The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies with making “misleading disclosures” about the large-scale cyber attack that resulted in the SolarWinds hack in 2020.
The SEC said the companies, Avaya, Check Point, Mimecast and Unisys, are being penalized for how they handled disclosure after the SolarWinds Orion software supply chain incident, downplaying the breach and thereby violating the Securities Act of 1933, the Securities Act of 1934 and the related regulations thereunder.
To that end, Avaya will pay a $1 million fine, Check Point will pay $995,000, Mimecast will pay $990,000, and Unisys will pay $4 million to settle the charges. In addition, the SEC accused Unisys of violating its disclosure controls and procedures.
“While public companies may become targets of cyber-attacks, they have a duty not to further victimize their shareholders or other members of the investing public by disclosing misleading information about the cyber security incidents they have experienced,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.
“Here, the SEC’s orders reveal that these companies misrepresented the incidents at issue, leaving investors in the dark about the true extent of the incidents.”
According to the SEC, all four companies learned that the Russian threat actors behind the SolarWinds Orion hack had gained unauthorized access to their systems, but chose to downplay the incident in their public statements.
The agency said Unisys chose to describe the risks posed by the intrusion as “hypothetical” despite knowing that the incidents had led to the theft of more than 33GB of data in two separate cases.
The investigation also found that Avaya said the threat actor had accessed a “limited number” of the company’s emails, when it knew that the attackers had also accessed at least 145 files in its cloud environment.
As for Check Point and Mimecast, the SEC took issue with how generically they described the risks of the breach, with the latter also failing to disclose the nature of the code the threat actor stole and the number of encrypted credentials the threat actor accessed.
“In two of these cases, the relevant cybersecurity risk factors were formulated hypothetically or generically, when the companies knew that the anticipated risks had already materialized,” said Jorge G. Tenreiro, Acting Head of Crypto Assets and Cyberspace. “Federal securities laws prohibit half-truths, and there are no exceptions for statements in risk factor disclosures.”