The Securities and Exchange Commission (SEC) is still working through the aftermath of the SolarWinds supply-chain compromise disclosed in late 2020, and it has now charged four companies for allegedly downplaying the impact of the resulting intrusions on their own systems. The penalties are not for being breached; they are for the gap between what the companies knew and what they told investors, and the SEC intends them as a warning to other companies that might be tempted to describe a known incident in vague or hypothetical terms.
Unisys received the largest civil penalty, $4 million, for misleading disclosures and disclosure-controls violations. The SEC's order found that Unisys described the risk of cybersecurity events as hypothetical even though it had experienced two SolarWinds-related intrusions involving the exfiltration of gigabytes of data. The agency also found that the misleading disclosures were partly the result of deficient disclosure controls at the company.
Unisys has not commented on the order. Avaya Holdings Corp. agreed to pay $1 million for failing to disclose the full extent of its intrusion: it had said that the threat actor accessed a limited number of email messages, but the SEC found that the attacker had also accessed at least 145 files in Avaya's cloud file-sharing environment. Avaya said it was pleased to have resolved the matter and that it remains committed to strengthening its cybersecurity program.
Check Point, a security vendor, was fined $995,000 for describing the intrusion and the risks from it in generic terms. Check Point maintains that it investigated the SolarWinds incident and found no evidence that customer data was affected, but it settled with the SEC to avoid prolonged litigation. Mimecast, the fourth company charged, was fined $990,000 for omitting material details, including the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the attacker accessed. Mimecast, which has since been taken private and is no longer publicly traded, said it had made extensive disclosures after the incident and had cooperated fully with the SEC.
The SEC frames these cases as part of a broader effort to deter vague and misleading disclosures after cybersecurity incidents. Jorge G. Tenreiro, acting chief of the SEC's Crypto Assets and Cyber Unit, emphasized the need for transparent and precise disclosures in such circumstances. The enforcement actions put every public company on notice that statements about a cybersecurity incident must be accurate and specific about what was actually affected.
Beth Burgin Waller, a cybersecurity attorney, underscored the importance of technically precise disclosures and cautioned against relying on generalizations or hypothetical scenarios. She advised companies to weigh the risk of post-incident litigation and to ensure close collaboration between the chief information security officer and the legal team. The practical lesson for security leaders is that the incident record kept during response (what was accessed, how much, and when the company knew it) is the same record a regulator will later compare against the company's public statements.
In short, the SEC's actions signal that transparency and accuracy in incident disclosures are enforceable obligations rather than aspirations. By penalizing companies that minimized what they knew, the SEC aims to set a precedent that discourages downplaying or misrepresenting future breaches, and it reminds organizations to keep their public statements aligned with what their security teams actually found and to maintain open communication with regulators.

