The SEC Charges Technology Companies for Misleading Disclosures During SolarWinds Cybersecurity Incident
In a recent development, the Securities and Exchange Commission (SEC) has taken action against four public technology companies for allegedly making misleading disclosures concerning cybersecurity risks and intrusions related to the SolarWinds supply chain attack in 2020.
The companies implicated in the charges are Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited. Each of these companies is accused of downplaying the impact of the SolarWinds hack in their public disclosures.
Unisys, in particular, is also facing charges for violations related to disclosure controls and procedures.
As part of the settlement, each of the companies has agreed to pay civil penalties to resolve the charges:
- Unisys will pay a $4 million civil penalty for failing to disclose two SolarWinds-related intrusions accurately.
- Avaya will pay a $1 million civil penalty for not disclosing the full extent of the data breach.
- Check Point will pay a $995,000 civil penalty for providing generic descriptions of cyber intrusions in its disclosures.
- Mimecast will pay a $990,000 civil penalty for understating the severity of the attack and the data accessed by the threat actor.
The SEC found that all four companies violated provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. While the companies neither admitted nor denied the SEC’s findings, they have agreed to cease and desist from future violations and pay the penalties.
Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, expressed concerns about the companies’ actions affecting investors’ understanding of the incident. He emphasized the importance of transparency in disclosing cybersecurity incidents to shareholders and the investing public.
In the aftermath of the SolarWinds supply chain attack in 2020, in which Russian state hackers infiltrated SolarWinds software and compromised numerous organizations, the importance of accurate and timely disclosure of cybersecurity incidents cannot be overstated.
With cybersecurity threats on the rise, it is crucial for companies to prioritize transparency and accountability in their disclosures to protect investors and stakeholders.