Four Cybersecurity Firms Penalized for Failing to Disclose SolarWinds Vulnerabilities

SEC Fines Four Cybersecurity Companies for Misleading Disclosures Post-SolarWinds Attack

In a significant enforcement action, the U.S. Securities and Exchange Commission (SEC) has imposed hefty fines on four cybersecurity companies—Check Point, Avaya, Unisys, and Mimecast—over misleading disclosures related to cybersecurity risks following the notorious SolarWinds cyberattack in 2020. This decision marks a pivotal moment in the ongoing scrutiny of corporate transparency in the face of cyber threats.

Background of the SolarWinds Cyberattack

The SolarWinds incident is widely regarded as one of the most consequential cyberattacks in history. Russian operatives infiltrated SolarWinds’ Orion IT monitoring application, embedding malware that allowed them to access the networks of numerous high-profile targets, including various U.S. government agencies such as the Departments of Commerce, Defense, and Homeland Security. The attack, attributed to the Russian Foreign Intelligence Service, raised alarms about the vulnerabilities in both private and public sector cybersecurity practices.

SEC’s Findings and Charges

Following a comprehensive investigation, the SEC charged the four companies with providing “materially misleading” disclosures regarding cybersecurity incidents. The investigation found that each company had been aware of breaches of its own systems by the same threat actor behind the SolarWinds attack, but failed to adequately inform investors about the true extent of those breaches.

  • Unisys was found to have described cybersecurity risks as hypothetical, despite knowing that its systems had been breached twice and that significant data had been stolen.
  • Avaya downplayed the breach, stating that only a “limited number” of email messages were accessed, while in reality, 145 other files were compromised.
  • Check Point offered vague descriptions of the incident, failing to provide specific details about the breach.
  • Mimecast minimized the attack by not disclosing the nature of the code exfiltrated and the volume of encrypted credentials accessed.

Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, emphasized that companies must not mislead their shareholders or the investing public during cyber incidents. He stated, “The SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

Financial Penalties Imposed

The SEC’s enforcement action resulted in substantial financial penalties for the four companies:

  • Unisys: $4 million
  • Avaya: $1 million
  • Check Point: $995,000
  • Mimecast: $990,000

While the companies agreed to the settlements, they neither admitted nor denied the SEC’s findings. This approach allows them to move forward while addressing the regulatory concerns raised by the investigation.

Company Responses

Each of the four companies has publicly acknowledged the settlement, although some expressed disagreement with the SEC’s findings. A spokesperson for Check Point noted that the company had previously investigated the SolarWinds incident and found no evidence of customer data being accessed. They emphasized that cooperating with the SEC was in their best interest, allowing them to focus on defending against cyberattacks.

Mimecast defended its actions by stating that it had made extensive disclosures during its response to the incident in 2021, maintaining transparency with partners and customers. Similarly, Avaya expressed satisfaction in resolving the issue with the SEC, while Unisys opted not to comment beyond its SEC filing.

Broader Implications for Cybersecurity Disclosure

The SEC’s actions against these companies underscore a growing expectation for transparency in cybersecurity disclosures. Jorge Tenreiro, acting chief of the SEC Crypto Assets and Cyber Unit, criticized the companies for framing cybersecurity risks in hypothetical terms when they were already facing real threats. He warned that downplaying the extent of a material cybersecurity breach is a poor strategy, as federal securities laws prohibit half-truths in disclosures.

This case serves as a cautionary tale for companies in the cybersecurity sector and beyond. As cyber threats continue to evolve, the importance of clear and accurate communication regarding cybersecurity risks cannot be overstated. Investors and stakeholders expect companies to be forthright about the challenges they face, especially when those challenges can have significant financial implications.

Conclusion

The fines imposed on Check Point, Avaya, Unisys, and Mimecast reflect a critical moment in the intersection of cybersecurity and corporate governance. As the digital landscape becomes increasingly fraught with risks, companies must prioritize transparency and accountability in their disclosures. The SEC’s actions signal a commitment to holding organizations accountable for misleading their investors, reinforcing the notion that in the realm of cybersecurity, honesty is not just the best policy—it’s a legal obligation.
