The U.S. Securities and Exchange Commission fines four companies more than $10 million in total for misleading disclosures about the risks of the SolarWinds hack
The U.S. Securities and Exchange Commission (SEC) has charged four companies, Unisys, Avaya Holdings, Check Point Software Technologies, and Mimecast, with making materially misleading disclosures about the impact of a serious cyberattack that used SolarWinds' Orion Platform software in 2020. The four companies have agreed to pay a total of $6,985,000 in penalties to settle the charges.

SEC.gov | SEC Charges Four Companies With Misleading Cyber Disclosures
https://www.sec.gov/newsroom/press-releases/2024-174

SEC settles charges with 4 firms it says downplayed SolarWinds hack exposure | Cybersecurity Dive
https://www.cybersecuritydive.com/news/sec-settles-charges-4-companies-solarwinds/730668/

SEC fines four companies $7M for 'misleading cyber disclosures' regarding SolarWinds hack | TechCrunch
https://techcrunch.com/2024/10/22/sec-fines-four-companies-7-million-for-misleading-cyber-disclosures-regarding-solarwinds-hack/

The cyberattack that exploited SolarWinds software in 2020 caused widespread damage to government agencies and large corporations, with Microsoft President Brad Smith describing it as 'one of the most serious cyberattacks in the past decade.'

What is the attack on SolarWinds' 'Orion Platform' that Microsoft President calls 'one of the most serious cyber attacks in the past decade'? - GIGAZINE
'As this action shows, public companies may be targets of cyberattacks, but they have a responsibility not to increase victimization of their shareholders and other public investors by making misleading disclosures about cybersecurity incidents they encounter,' said Sanjay Wadhwa of the SEC's Enforcement Division. 'The SEC's orders find that these companies made misleading disclosures about the incidents and concealed the true scope of the incidents from investors.'

According to the SEC, Unisys, Avaya, and Check Point knew in 2020, and Mimecast knew in 2021, that the threat actors behind the Orion Platform compromise had gained unauthorized access to their systems, yet each disclosed only minimal information about the intrusions.

Unisys, for example, described the risk as hypothetical despite two separate breaches that exposed gigabytes of data, and Avaya, which knew the threat actors had compromised at least 145 files in its cloud file-sharing environment, understated the incident in its disclosure by stating that only a limited number of email messages had been accessed.

As a result of the allegations, Unisys will pay a fine of $4 million, Avaya will pay $1 million, Check Point will pay $995,000, and Mimecast will pay $990,000.

The SEC stated, 'Underreporting significant cybersecurity breaches is a flawed strategy. In two of these cases, the companies knew the risks they warned about had already materialized but instead used assumptions and general frameworks to describe them. Federal securities laws prohibit half-truths, and there is no exception for them in risk factor disclosures.'

in Security, Posted by logc_nt