Introduction

The US Securities and Exchange Commission (SEC) has levied civil penalties totaling nearly $7 million against Unisys Corp. [6], Avaya Holdings Corp. [1] [2] [4] [6], Check Point Software Technologies Ltd. [1] [2] [4] [5] [6], and Mimecast Limited [1] [2] [4] [6]. These penalties are due to the companies’ materially misleading disclosures concerning cybersecurity risks and their downplaying of the severity of intrusions related to the SolarWinds supply chain attack, discovered in late 2020 [5].

Description

The SolarWinds breach involved the Russian nation-state threat group APT29, also known as Midnight Blizzard or Nobelium, which injected malicious code into software updates for SolarWinds’ Orion IT management platform [2]. The incident affected numerous organizations, including US government agencies [2] [5]. Although each of the four companies was itself a victim of the breach [3], the SEC found that each negligently misrepresented what it knew about the unauthorized access to its systems, leaving investors unaware of the true extent of the intrusions [6].

Unisys will pay a $4 million civil penalty for describing its cybersecurity risks as hypothetical [4] even though it knew that significant data had been exfiltrated during two SolarWinds-related intrusions. The SEC also cited deficiencies in Unisys’ disclosure controls as a contributing factor in its misleading statements [5]. The company emphasized that the settlement was reached on a non-scienter basis, meaning the SEC did not allege knowing or intentional wrongdoing [2].

Avaya will pay a $1 million civil penalty for misrepresenting the extent of the breach, claiming that only a “limited number” of the company’s email messages were accessed, while failing to disclose that at least 145 files in its cloud file-sharing environment were also compromised [4].

Check Point will pay a $995,000 civil penalty. It knew of the unauthorized access to its systems, yet its disclosures described the resulting cyber risks only in vague, generic terms. The company has maintained that no customer data was compromised.

Mimecast will pay a $990,000 civil penalty for minimizing the incident: its disclosures did not adequately describe the nature of the source code that was exfiltrated or the number of encrypted credentials the threat actor accessed. Mimecast, now privately held [1], said it became aware of the breach in 2021 and believed it had met its disclosure obligations at the time [1] [2] [4] [5].

All four companies cooperated with the SEC’s investigation and agreed to the penalties without admitting or denying the findings [3]. The SEC stressed that accurate disclosures are essential to protect investors from misleading information about cybersecurity incidents [3]. The announcement follows the SEC’s earlier charges against SolarWinds and its Chief Information Security Officer for misleading investors about the company’s cybersecurity practices before the attack [2]. Each of the four companies has issued a statement on the resolution of its SEC matter, emphasizing its commitment to strengthening its cybersecurity measures [2].

Conclusion

The SEC’s actions underscore the critical importance of transparency and accuracy in corporate disclosures related to cybersecurity incidents. These penalties serve as a reminder to companies of the potential consequences of failing to adequately inform investors about cybersecurity risks and breaches. Moving forward, organizations are likely to enhance their cybersecurity measures and disclosure practices to mitigate risks and ensure compliance with regulatory expectations.

References

[1] https://www.cybersecuritydive.com/news/sec-settles-charges-4-companies-solarwinds/730668/
[2] https://www.techtarget.com/searchSecurity/news/366614413/SEC-charges-4-companies-for-downplaying-SolarWinds-attack-risks
[3] https://techcrunch.com/2024/10/22/sec-fines-four-companies-7-million-for-misleading-cyber-disclosures-regarding-solarwinds-hack/
[4] https://www.infosecurity-magazine.com/news/sec-charges-solarwinds-hack/
[5] https://www.crn.com/news/security/2024/unisys-check-point-mimecast-avaya-fined-by-sec-over-solarwinds-related-breaches
[6] https://www.law.com/corpcounsel/2024/10/22/sec-fines-4-companies-7m-for-downplaying-breaches-tied-to-massive-solarwinds-hack/