The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020.
The SEC said the companies – Avaya, Check Point, Mimecast, and Unisys – are being penalized for how they handled the disclosure process in the aftermath of the SolarWinds Orion software supply chain incident and downplaying the extent of the breach, thereby infringing the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules under them.
To that end, Avaya will pay a fine of $1 million, Check Point will pay $995,000, Mimecast will pay $990,000, and Unisys will pay $4 million to settle the charges. In addition, the SEC has charged Unisys with disclosure controls and procedures violations.
"While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of the SEC's Division of Enforcement.
"Here, the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents."
According to the SEC, all four companies learned the Russian threat actors behind the SolarWinds Orion hack had accessed their systems in an unauthorized manner, but chose to minimize the scope of the incident in their public disclosures.
Unisys, the independent federal agency said, chose to describe the risks arising as a result of the intrusion as "hypothetical" despite being aware of the fact that the cybersecurity events led to the exfiltration of more than 33 GB of data on two different occasions.
The investigation also found that Avaya stated the threat actor had accessed a "limited number" of the company's email messages, when, in reality, it was aware that the attackers had also accessed at least 145 files in its cloud environment.
As for Check Point and Mimecast, the SEC took issue with how they painted the risks from the breach in broad strokes, with the latter also failing to disclose the nature of the code the threat actor exfiltrated and the number of encrypted credentials the threat actor accessed.
"In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, said. "The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures."