SEC Charges Four Firms Over Misleading SolarWinds Attack Claims

SEC Charges Four Companies Over Misleading Cybersecurity Disclosures Related to SolarWinds Hack

The U.S. Securities and Exchange Commission (SEC) has taken significant action by charging four public companies—Avaya, Check Point, Mimecast, and Unisys—for making "materially misleading disclosures" following the notorious SolarWinds cyberattack in 2020. This incident, which involved a large-scale breach of the SolarWinds Orion software supply chain, has raised serious concerns about corporate transparency in the face of cybersecurity threats.

These companies are being penalized for downplaying the severity of the breach and failing to adequately inform investors, which violates the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC’s findings underscore the critical importance of accurate disclosures in maintaining investor trust and market integrity.

Financial Penalties for Misleading Disclosures

As a result of the SEC’s investigation, the four companies agreed to the following financial settlements for their misleading disclosures:

  • Avaya: $1 million fine
  • Check Point: $995,000 fine
  • Mimecast: $990,000 fine
  • Unisys: $4 million fine, with additional charges for violations of disclosure controls and procedures

SEC’s Stance on Cybersecurity Accountability

Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, emphasized that while public companies are often targets of cyberattacks, they have a responsibility to their shareholders and the investing public. “Misleading disclosures about cybersecurity incidents not only obscure the truth but also leave investors in the dark,” he stated.

The SEC’s investigation revealed that all four companies were aware that Russian threat actors had unlawfully accessed their systems yet chose to minimize the incident’s scope in their public disclosures. Notably, Unisys referred to the risks posed by the breach as "hypothetical," despite evidence that over 33 GB of data had been exfiltrated during the attacks.

Specific Findings Against Each Company

  • Avaya: Misrepresented the extent of the breach, claiming only a "limited number" of email messages were accessed, while attackers accessed at least 145 files from its cloud environment.
  • Check Point and Mimecast: Both companies framed the risks broadly and failed to disclose critical details about the nature of the exfiltrated code and the number of encrypted credentials compromised.

Implications for Public Companies

The SEC’s actions serve as a warning to all public companies about their obligations under federal securities laws. “The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures,” stated Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit.

As the cybersecurity landscape evolves, companies must prioritize transparency and accuracy in their disclosures to protect investors and maintain compliance with regulatory standards.

Conclusion

The SEC’s enforcement actions against Avaya, Check Point, Mimecast, and Unisys highlight the critical intersection of cybersecurity and corporate governance. Companies must recognize the importance of providing clear and truthful information about cybersecurity incidents, fostering trust with their investors and the public.
