The U.S. Securities and Exchange Commission (SEC) announced Tuesday that it has charged four companies, with combined civil penalties of nearly $7 million, over misleading statements about cybersecurity incidents, all of them stemming from the SolarWinds Orion supply-chain compromise disclosed in late 2020.
Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited were found to have downplayed the severity of the intrusions in their public disclosures, obscuring the full scope of the incidents from investors and the public.
The SEC charged each company with making "materially misleading disclosures regarding cybersecurity risks and intrusions." Unisys was additionally charged with disclosure controls and procedures violations. The penalties range from just under $1 million to $4 million per company.
The SEC's investigation found that the companies, each of which had learned that the threat actor behind the SolarWinds compromise had accessed its systems, failed to describe the scope of those intrusions accurately. According to the SEC, the companies characterized their cybersecurity incidents in ways that either minimized the impact or presented the risk as merely hypothetical, even after they knew their systems had in fact been compromised.
Sanjay Wadhwa, Acting Director of the SEC's Division of Enforcement, emphasized the importance of full and transparent disclosure. "While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," Wadhwa said. "Here, the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents."
Unisys Corp., which received the largest penalty at $4 million, described its cybersecurity risks as hypothetical in its SEC filings despite knowing of two SolarWinds-related intrusions. According to the SEC, those intrusions resulted in unauthorized access to its systems and the exfiltration of more than 33 gigabytes of data, yet the company failed to disclose them to investors adequately. The SEC further found that Unisys lacked disclosure controls and procedures sufficient to ensure that information about incidents of this severity reached the people responsible for its public filings in a timely manner.
Avaya Holdings Corp. was fined $1 million for failing to disclose the full extent of its SolarWinds-related intrusion. The SEC found that Avaya's filings stated only that "a limited number of company email messages" had been accessed, even though the company knew by then that at least 145 files in its cloud file-sharing environment had also been accessed. The disclosure was misleading despite Avaya having evidence that the threat actor had also monitored the mailboxes of the company's own cybersecurity incident-response personnel.
Check Point Software Technologies Ltd. was fined $995,000. Although the company knew its environment had been intruded upon, it continued to describe its cybersecurity risks in generic terms in its public disclosures. It did so even after discovering that the threat actor had installed malware and moved laterally within its network, indicating a far more significant threat than its disclosures conveyed.
Mimecast Limited was fined $990,000 for minimizing its intrusion, in which the threat actor exfiltrated source code and encrypted credentials. While Mimecast publicly disclosed some aspects of the incident, the SEC found that it omitted crucial details about how much code and how many encrypted credentials had been taken, and therefore about the true extent of the compromise, leaving investors unaware of the potential risks.
The SEC's action is part of a broader effort to ensure publicly traded companies provide transparent and accurate information about cybersecurity risks and incidents. Jorge G. Tenreiro, Acting Chief of the SEC's Crypto Assets and Cyber Unit, stressed that the agency will not tolerate companies presenting incomplete or inaccurate information in their filings. "Downplaying the extent of a material cybersecurity breach is a bad strategy," Tenreiro said. "The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures."
[RELATED: Wells Notice Against SolarWinds CISO Could Be First of Its Kind]
The SEC noted that the companies cooperated with the investigation and agreed to improve their cybersecurity controls. Without admitting or denying the SEC's findings, each company consented to an order requiring it to cease and desist from future violations of the relevant provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, and to pay its civil penalty.
The SolarWinds hack, in which attackers inserted a backdoor into signed updates of SolarWinds' Orion network-management software so that customers installed the compromise through the vendor's own update channel, had wide-reaching effects across the public and private sectors. The breach, attributed by the U.S. government to Russian intelligence, affected multiple U.S. federal agencies and a number of private companies. The case has become a critical reference point for how companies should manage and disclose cybersecurity risks and incidents.
The SEC's actions signal to other organizations that complete transparency in cyber disclosures is no longer optional. "Investors deserve to know when companies have experienced cyberattacks that could have significant impacts on their business, and the SEC will continue to hold companies accountable when they fail to provide truthful and complete information," Wadhwa said.
[RELATED: SEC Provides Clarity on Disclosing Material vs. Non-Material Cyber Incidents]
Follow SecureWorld News for more stories related to cybersecurity.