The Securities and Exchange Commission has taken action against four companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – for allegedly making misleading disclosures regarding cybersecurity risks and intrusions. The SEC also charged Unisys with disclosure controls and procedures violations.
These charges stem from an investigation into public companies potentially affected by the compromise of SolarWinds’ Orion software and related activities. The companies have agreed to pay civil penalties to settle the charges brought by the SEC.
Unisys is set to pay a $4 million civil penalty, Avaya will pay $1 million, Check Point will pay $995,000, and Mimecast will pay $990,000.
The SEC’s orders state that Unisys, Avaya, and Check Point were aware in 2020 of unauthorized access to their systems by the threat actor linked to the SolarWinds Orion hack. Mimecast learned of this in 2021. Despite this knowledge, the companies allegedly downplayed the incidents in their public disclosures.
The order against Unisys points out that the company described cybersecurity risks as hypothetical, despite experiencing two intrusions related to SolarWinds that involved substantial data exfiltration. The SEC found that Unisys’ deficient disclosure controls contributed to these misleading disclosures.
Avaya was accused of misleadingly stating that the threat actor had only accessed a “limited number” of the company’s email messages when, in reality, it had also accessed numerous files in the company’s cloud file sharing environment. Check Point allegedly knew about the intrusion but provided only vague descriptions of cyber intrusions and the associated risks. Mimecast was charged with failing to disclose the full extent of the attack, including the nature of the exfiltrated code and the volume of credentials accessed by the threat actor.
Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, emphasized the importance of transparency in cybersecurity disclosures. He stated that downplaying the severity of a cybersecurity breach is not a viable strategy and that companies must be forthcoming about material risks.
The SEC’s orders found that each company violated provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. While neither admitting nor denying the findings, the companies have agreed to cease future violations and pay the specified penalties. They cooperated with the investigation by providing necessary analyses and taking steps to bolster their cybersecurity controls.
This action by the SEC follows previous charges against SolarWinds and its CISO for allegedly misrepresenting cybersecurity practices and failing to disclose known risks. The regulatory body continues to crack down on companies that fail to uphold transparency and adequately address cybersecurity threats.
