SEC Charges Tech Firms Over Misleading SolarWinds Hack Disclosures

The Securities and Exchange Commission (SEC) has charged four current and former public technology companies with making materially misleading disclosures regarding cybersecurity risks and intrusions relating to the SolarWinds supply chain attack in 2020.

Unisys Corp, Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited are each accused of negligently minimizing the impact of the SolarWinds hack in their public disclosures.

The SEC has additionally charged Unisys with disclosure controls and procedures violations.

All four companies have agreed to pay civil penalties to settle the charges:

  • Unisys will pay a $4m civil penalty. The SEC’s order noted that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. These materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls, the agency added.
  • Avaya will pay a $1m civil penalty. The firm stated that a threat actor had accessed a “limited number of the company’s email messages” when it knew the threat actor had also accessed at least 145 files in its cloud file-sharing environment.
  • Check Point will pay a $995,000 civil penalty. The SEC’s order found that the company knew of the intrusion but described cyber intrusions and risks from them in generic terms.
  • Mimecast will pay a $990,000 civil penalty. The company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.

The orders found that each of the companies violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules thereunder.

None of the firms involved has admitted or denied the SEC’s findings.

However, each of the accused has agreed to cease and desist from future violations of the charged provisions as well as pay the described penalties.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said the four companies’ actions had left investors in the dark about the true scope of the incident.

“As today’s enforcement actions reflect, while public companies may become targets of cyber-attacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” he commented.

In July 2024, a US judge dismissed most of the SEC charges made against SolarWinds and its CISO, Timothy Brown, after the agency accused them of hiding cybersecurity weaknesses in its products before the attack.

During the notorious supply chain incident in 2020, Russian state hackers infiltrated SolarWinds’ software and inserted malicious code – later dubbed Sunburst – into its Orion network management software.

This code allowed the attackers to remotely access and potentially steal data from any system running the infected software.

The hackers were able to access the systems and data of numerous companies and federal government agencies as a result.

Image credit: Mark Van Scyoc / Shutterstock.com