Cybersecurity

SEC fines four companies $7 million for “downplaying” cyberattack

October 23, 2024


A US regulator has charged four companies and imposed penalties totalling about $7 million on them for making misleading disclosures about intrusions linked to the SolarWinds Orion supply-chain compromise, which began in 2019 and came to light in 2020.

The Securities and Exchange Commission (SEC) fined cybersecurity firms Check Point and Mimecast $995,000 and $990,000, respectively. Technology companies Unisys and Avaya faced larger fines, with Unisys paying $4 million and Avaya $1 million.

All four companies were downstream victims of the compromise of SolarWinds’ Orion software, in which trojanised updates were distributed to the vendor’s customers. The SEC described the campaign as one of the most widespread and sophisticated hacking operations ever conducted against the federal government and the private sector.

According to the SEC, each company committed a different disclosure violation, but in every case the company negligently downplayed or minimised the impact of the intrusion on its own environment.

It said that Unisys, Avaya, and Check Point learned in 2020, and Mimecast in 2021, that the threat actor likely responsible for the SolarWinds Orion hack had gained unauthorised access to their systems, yet each downplayed the severity of the incident in its public disclosures.

In particular, the regulator found that Avaya and Mimecast did disclose information about the cyberattack, but their disclosures omitted certain material information.

Meanwhile, Check Point and Unisys failed to update an existing cybersecurity risk factor in response to the breach. The SEC said that, because these risk factors did not acknowledge the compromise of the companies’ networks that had already occurred, they became materially misleading.

The SEC noted that all four companies cooperated with its investigation and agreed, without admitting or denying the findings, to pay the penalties and to cease and desist from future violations of the charged provisions.

Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said: “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”

Last Updated: 24 October 2024