SEC Charges 4 Companies Over Misleading SolarWinds Cyber Attack Disclosures
- November 4, 2024
- Posted by: claudia
The U.S. Securities and Exchange Commission (SEC) has charged four companies (Avaya, Check Point, Mimecast, and Unisys) with failing to provide accurate disclosures regarding a significant cyberattack linked to the SolarWinds hack in 2020. The SEC’s action highlights the companies’ alleged violations of the Securities Act of 1933 and the Securities Exchange Act of 1934, as they reportedly misrepresented the true impact of the cybersecurity breach on their operations and shareholders.
As part of the enforcement actions, Avaya is set to pay a $1 million penalty, Check Point $995,000, Mimecast $990,000, and Unisys $4 million. Additionally, Unisys faces charges for not adhering to proper disclosure controls and procedures, indicating a more severe oversight in its reporting mechanisms. The SEC’s investigations found that all four companies were aware that Russian cyber adversaries had unlawfully accessed their systems but chose to downplay the extent of these breaches in their public statements.
According to the SEC’s findings, Unisys characterized the vulnerabilities resulting from the attacks as “hypothetical,” despite evidence that over 33 GB of data had been exfiltrated multiple times. This wording misled investors regarding the potential risks and realities of the cyber incident. Avaya, on the other hand, described the email content accessed by attackers as “limited,” while being aware that at least 145 files were compromised in their cloud environments.
Check Point and Mimecast similarly faced scrutiny for their disclosures, which the SEC described as vague and overly general. Mimecast notably failed to specify the nature of the code that was exfiltrated or to quantify the encrypted credentials accessed by the attackers. The SEC emphasized that presenting cybersecurity risks in a hypothetical manner was improper given that the risks had already manifested as actual breaches.
Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, stated that companies must refrain from issuing misleading disclosures that could further harm their shareholders, particularly in the context of cybersecurity attacks. The SEC underscored its commitment to holding companies accountable for misleading investors, reinforcing that half-truths are prohibited under federal securities laws, even within risk-factor disclosures.
Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, echoed similar sentiments, highlighting that the companies’ actions amounted to inadequate representations of known risks. The SEC’s decisive measures aim to ensure that public companies provide transparent and truthful information regarding the cybersecurity incidents they encounter, safeguarding investor interests.
This enforcement action serves as a critical reminder for public companies about the importance of accurate reporting and disclosure in the wake of cyberattacks. As digital threats continue to evolve, adherence to regulatory standards in disclosure practices becomes increasingly vital to maintain trust and accountability within the market.