The U.S. Securities and Exchange Commission recently charged four technology companies with making misleading cybersecurity disclosures in connection with the SolarWinds supply chain attack that occurred in 2020. Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited were all named in the charges, with Unisys facing additional allegations of violating disclosure controls and procedures.
The charges stemmed from an investigation by the SEC into companies that may have been affected by the SolarWinds supply chain attack, which was orchestrated by a Russian nation-state threat group known as APT29 or Midnight Blizzard. This group injected malicious code into software updates for SolarWinds’ Orion IT management platform, compromising thousands of customers and leading to breaches in numerous organizations, including U.S. government agencies.
The SEC accused the four companies of downplaying their knowledge of unauthorized access to their systems by the threat group responsible for the SolarWinds attack. Specifically, Unisys was charged with concealing two intrusions related to SolarWinds that resulted in stolen data. Avaya was accused of minimizing the extent of email messages accessed by the threat actors, while Mimecast failed to disclose the type and quantity of data exfiltrated. Check Point, a cybersecurity vendor, was criticized for describing a network intrusion in generic terms.
As a result of the charges, the companies agreed to pay civil penalties to settle the allegations. Unisys will pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000. In response to the SEC charges, Avaya, Mimecast, and Check Point issued statements expressing their commitment to enhancing cybersecurity controls and compliance with regulatory requirements.
Furthermore, the companies emphasized the steps they have taken to strengthen their cybersecurity programs and address the issues raised by the SEC. Avaya highlighted its cooperation with the SEC and its efforts to improve cybersecurity controls, while Mimecast emphasized its proactive approach to responding to security incidents and enhancing resilience. Check Point stated that it decided to settle with the SEC in order to focus on assisting customers in defending against cyberattacks.
This development comes after the SEC previously accused SolarWinds and its CISO Timothy Brown of misleading investors about the company’s cybersecurity practices and vulnerabilities leading up to the supply chain attack. However, earlier this year, a U.S. District Judge dismissed many of the charges in the SEC’s lawsuit against SolarWinds, raising questions about the enforcement of cybersecurity disclosure regulations.
In conclusion, the SEC’s charges against the four technology companies highlight the importance of transparent cybersecurity disclosures and adherence to regulatory requirements in the face of evolving cyber threats. Companies must prioritize cybersecurity measures and communication to protect their systems and customers from malicious actors.