SEC Fines Companies For ‘Misleading’ SolarWinds Incident Disclosures

The SEC is cracking down on Unisys, Avaya, Check Point Software and Mimecast, saying their SolarWinds incident disclosures were too vague or downplayed the impact of the compromises.

The U.S. Securities and Exchange Commission (SEC) is not happy with how Unisys, Avaya, Check Point Software and Mimecast disclosed incidents and risks related to the SolarWinds supply-chain attack a few years ago.

On Tuesday, the SEC announced it has charged the four companies with making “materially misleading disclosures” related to the SolarWinds attack, which was first publicly reported in 2020 and impacted many companies. The charges stem from an investigation into public companies that were potentially impacted by this attack, according to the SEC.

Key Details:

  • Unisys, Avaya and Check Point learned that the threat actors behind the SolarWinds attacks had accessed their systems in 2020, and Mimecast found out in 2021

  • According to the SEC, each company “negligently minimized its cybersecurity incident in its public disclosures” filed between 2021 and 2022, either by being vague or hypothetical, or by shying away from important details that showed the true scope of the incidents

  • Unisys has also been charged with disclosure controls and procedures violations

  • The four companies must pay civil penalties: $4 million for Unisys, $1 million for Avaya, $995,000 for Check Point and $990,000 for Mimecast

Misleading Disclosures: Unisys knew that it had been hit by two SolarWinds-related intrusions and that data had been exfiltrated, but in its annual report the company “inaccurately described the existence of successful intrusions and the risk of unauthorized access to data and information in hypothetical terms.” The misleading disclosure resulted partly from the company’s insufficient disclosure controls, said the SEC.

Check Point also knew of a SolarWinds-related intrusion but “described cyber intrusions and risks from them in generic terms.” In Mimecast’s case, the company sought to minimize the attack by failing to disclose the nature of the code and the quantity of encrypted credentials that had been accessed. Meanwhile, Avaya’s disclosure stated that threat actors had accessed a “limited number of [the] company’s email messages.” However, the SEC said that at the time Avaya knew that at least 145 files in its cloud file sharing environment had been compromised. 

The Big Picture: For these specific charges, the companies violated certain provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, according to the SEC. However, the SEC has put a lot of emphasis overall on how public companies disclose cybersecurity incidents and risks, adopting a rule last year that requires public companies to disclose material cybersecurity incidents within four days, for instance.

The SEC’s biggest concern is making sure that investors aren’t left in the dark when it comes to the scope of security incidents.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, in a Tuesday statement.