SEC Accuses Four Companies of Minimizing Cybersecurity Incident

SEC Charges Four Companies Over Misleading Cyber Disclosures

In a significant move aimed at enforcing transparency in corporate cybersecurity practices, the Securities and Exchange Commission (SEC) has charged four public companies—Avaya Holdings, Check Point Software Technologies, Mimecast, and Unisys—for making misleading disclosures regarding cybersecurity incidents. This action underscores the SEC’s commitment to holding companies accountable for their public statements, particularly in an era where cybersecurity threats are increasingly prevalent.

The Allegations

The SEC’s investigation revealed that these companies downplayed the severity of cybersecurity incidents after discovering unauthorized access to their systems. According to a press release issued by the SEC on October 22, 2024, each company failed to provide accurate and comprehensive information to investors regarding the risks associated with cyber intrusions.

  • Avaya Holdings claimed that a threat actor had accessed only a “limited number” of email messages, which the SEC deemed misleading.
  • Check Point Software Technologies described the risks of cyber intrusions in vague and generic terms, failing to convey the potential impact on their operations and customers.
  • Mimecast did not disclose the full extent of the attack, leading to questions about the integrity of their risk assessments.
  • Unisys characterized the risks from cybersecurity events as hypothetical, which the SEC found to be an inadequate representation of the actual threats faced.

These charges stemmed from an investigation into the broader implications of the SolarWinds Orion software compromise, which had far-reaching effects across various sectors.

Legal Implications

Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, emphasized the importance of truthful disclosures in the realm of public companies. “The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures,” he stated. This assertion highlights the SEC’s stance that companies must provide clear and accurate information to investors, particularly regarding cybersecurity risks that could affect their financial health.

Settlements and Penalties

Without admitting or denying the SEC’s findings, each of the four companies has agreed to cease and desist from future violations of the charged provisions. They will also pay civil penalties as follows:

  • Avaya Holdings: $1 million
  • Check Point Software Technologies: $995,000
  • Mimecast: $990,000
  • Unisys: $4 million

These penalties serve as a reminder to all public companies about the importance of transparency and accountability in their cybersecurity practices.

Company Responses

In the wake of the SEC’s announcement, each company issued a statement reflecting its commitment to improving cybersecurity measures and cooperating with regulatory authorities.

  • Avaya Holdings expressed satisfaction in resolving the matter, emphasizing its ongoing efforts to enhance cybersecurity controls and acknowledging the SEC’s recognition of its voluntary cooperation.

  • Check Point Software Technologies stated that its investigation into the SolarWinds incident found no evidence of customer data being compromised. The company opted to settle with the SEC to maintain its focus on defending against cyberattacks globally.

  • Mimecast, although no longer publicly traded, asserted that it had complied with its disclosure obligations at the time of the incident. The company highlighted its commitment to enhancing resilience in response to the attack.

  • Unisys noted in its Form 8-K filing that the SEC acknowledged its cooperation and remediation efforts, indicating a desire to resolve the matter constructively for the benefit of its stakeholders.

Conclusion

The SEC’s actions against Avaya, Check Point, Mimecast, and Unisys serve as a critical reminder of the importance of accurate and transparent disclosures in the face of cybersecurity threats. As cyber incidents become more frequent and sophisticated, public companies must prioritize clear communication with investors regarding the risks they face. This case not only highlights the SEC’s role in enforcing compliance but also sets a precedent for how companies should approach cybersecurity disclosures moving forward. In an increasingly digital world, the integrity of corporate communication is paramount, and the repercussions of misleading disclosures can be significant.
