The Securities and Exchange Commission (SEC) has charged four companies with downplaying the extent of their involvement in the SolarWinds supply-chain attack disclosed in late 2020, levying civil penalties totaling more than $6 million. Cybersecurity firms Check Point and Mimecast, along with tech companies Unisys and Avaya, have agreed to pay the penalties to settle charges that they misled shareholders about the intrusions into their systems.
The SolarWinds compromise, in which attackers pushed a backdoor to customers through trojanized updates of SolarWinds' Orion software, reached numerous organizations, including government agencies and Fortune 500 companies. The SEC's case is not about the intrusions themselves but about how the four companies described them afterward: the agency found that each had "negligently" misrepresented the scope of its breach, potentially obscuring the risks to investors.
“While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.
The SEC’s investigation uncovered a range of disclosure failures across the four companies. Avaya initially reported that hackers had only accessed "a limited number" of its email accounts. However, investigators revealed that at least 145 files within its cloud-based file sharing environment were also compromised. Similarly, Check Point was faulted for using vague language in describing the nature of the attacks, failing to clarify the specific intrusions it had experienced.
Mimecast, which has agreed to pay a $990,000 penalty, was found to have minimized the extent of the breach, neglecting to disclose key details such as the type and amount of encrypted credentials stolen by hackers. Meanwhile, Unisys described its exposure to cybersecurity risks in hypothetical terms, despite suffering two confirmed breaches related to the SolarWinds attack.
All four companies have settled with the SEC, agreeing to pay fines and pledging to cease and desist from future violations of disclosure rules. They neither admitted nor denied the SEC's findings.
Despite the penalties, the companies have maintained that they took steps to cooperate with investigators and protect their clients.
Avaya spokesperson Julianne Embry emphasized the company’s commitment to enhancing cybersecurity, noting that the SEC “recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls.”
Check Point’s spokesperson Gil Messing shared a similar sentiment: “Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest.”
Timothy Hamilton, a spokesperson for Mimecast, defended the company’s actions during the attack. “We made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected,” he said. Hamilton also maintained that Mimecast “complied with our disclosure obligations based on the regulatory requirements at that time.”
The SEC’s move marks another significant step in the agency's efforts to tighten rules surrounding cybersecurity disclosures, and this could be just the beginning. "Today’s SEC’s announcement of its latest enforcement actions... should put all public company CEOs and Boards on notice,” said Andy Lunsford, CEO and Co-founder of BreachRx, a cybersecurity compliance firm.
Lunsford highlighted how the SEC is increasingly scrutinizing not just the timing of company disclosures but also the adequacy of their internal cybersecurity response protocols. "The SEC’s investigations and charges show an intense review of what facts the organizations knew at what time, how they acted on those facts, when they made disclosures, and when they updated those disclosures," he said.
This heightened scrutiny follows the SEC's adoption in 2023 of cybersecurity disclosure rules that require public companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality, and to describe their cybersecurity risk management, strategy and governance in their annual 10-K filings. The conduct in these four cases predates those rules and was charged under the SEC's pre-existing disclosure requirements. Lunsford noted that many companies are still falling short of the new standards, especially in the tech sector, where cybersecurity incidents can have a significant impact on customer trust and business stability.
“For tech companies, finding the bar for materiality may be much lower than people think,” he said.
The SEC's actions against Unisys, Avaya, Check Point, and Mimecast send a strong signal that vague or incomplete disclosures will no longer be tolerated. As the agency continues to ramp up its enforcement, companies may find themselves under increased pressure to be more transparent about the true impact of cybersecurity incidents.