
U.S. Securities Commission Imposes Fines for Improper Disclosures of Data Security Risk

Client Updates / October 29, 2024

Written by: Haim Ravia and Dotan Hammer

The U.S. Securities and Exchange Commission (SEC) charged four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The companies have settled the SEC’s charges, paying a total of $7 million in civil penalties.

The companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited, were victims of breaches resulting from the SolarWinds cyber-attack uncovered in November 2020. The breach originated in a vulnerability in the computer networks of the Texas-based company SolarWinds.

According to the charges, the companies had all become aware by early 2021 that the threat actor behind the SolarWinds cyber-attack had accessed their systems, but each played down the incident in its public disclosures. The SEC’s charges illustrate practices such as describing the cybersecurity events in hypothetical or generic terms and presenting misleading information regarding the scale of the breach or the type of code and files breached by the threat actor. The SEC also stated that these practices “further victimize[d] … shareholders or other members of the investing public”.

The companies cooperated with the SEC’s investigation. They agreed to cease and desist from further violations, while neither admitting nor denying the SEC’s findings. Each company also agreed to pay a civil penalty: $4 million will be paid by Unisys, $1 million by Avaya, $995,000 by Check Point, and $990,000 by Mimecast.

Click here to read the SEC’s notice regarding the charges.
