SEC fines four companies over "misleading" SolarWinds disclosures

“Downplaying the extent of a material cybersecurity breach is a bad strategy."

The Securities and Exchange Commission (SEC) has charged and fined Unisys, Avaya, Mimecast and Check Point Software for "making materially misleading disclosures regarding cybersecurity risks and intrusions".

It levied the fines following an investigation of public companies that were "potentially impacted" by the compromise of SolarWinds’ Orion software.

None of the companies have admitted or denied the SEC's findings, but agreed to cease and desist from future violations and pay a civil penalty.

The largest fine was the $4 million payment agreed by Unisys, which was also charged with disclosure controls and procedures violations.

Avaya will pay a $1 million civil penalty, with Check Point hit by a $995,000 fine and Mimecast $990,000.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said: “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.

“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue."

READ MORE: SolarWinds and its CISO not off the hook over “materially misleading” security statement

The SEC alleged that Unisys, Avaya, and Check Point "learned the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization" back in 2020, with Mimecast reportedly learning of the issue in 2021.

Each of the companies is said to have "negligently minimized its cybersecurity incident in its public disclosures".

The SEC claimed that Unisys described its "risks from cybersecurity events" as "hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data".

The order also claims that these "materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls."

Avaya stated that a threat actor had accessed a “limited number of [the] Company’s email messages” when it knew that at least 145 files in its cloud file-sharing environment had been accessed, the SEC alleged.

The SEC’s order against Check Point claimed that it "knew of the intrusion but described cyber intrusions and risks from them in generic terms". Mimecast is said to have "minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed."

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

The SEC found that each company violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules.

READ MORE: “Trivially exploitable” bug in SolarWinds file server needs prompt fixing