SEC Imposes Almost $7 Million in Penalties on Four Tech Companies with Half-Truth Cybersecurity Disclosures
The SEC recently charged four companies (Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited) with making misleading cybersecurity disclosures, in enforcement actions that imposed a total of $6.985 million in penalties. The critical issue here is not that these companies suffered cybersecurity attacks—as hacks today, particularly from foreign governments, are almost impossible to prevent—but that their cybersecurity disclosures downplayed the impact of the attacks. Each company learned in 2020 or 2021 that the threat actor behind the SolarWinds Orion cyberattacks had accessed its systems without authorization, yet its disclosures minimized the impact of the breach and/or the quantity of files and credentials that had been accessed.
“The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. The SEC’s orders find that each company violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules thereunder.
The SolarWinds Orion software compromise occurred in late 2019, when hackers since identified as part of the Russian Foreign Intelligence Service accessed SolarWinds—a network management software company whose products are used by the federal government—and installed malware in Orion, SolarWinds’ network management and monitoring suite of products. The attackers then used that malware to create a “backdoor” into SolarWinds’ customers and other organizations once they installed the Orion software update containing it.
Of the four companies charged, Unisys, which received the largest fine, was also charged with disclosure controls violations. Unisys had framed the breaches as hypothetical, despite purportedly having confirmation of the exfiltration of gigabytes of data. Civil penalties include $4 million for Unisys, $1 million for Avaya, $995,000 for Check Point, and $990,000 for Mimecast. All four companies cooperated with the SEC’s investigation, and none admitted or denied the SEC’s findings. For more details, see the SEC’s official press release.