The Securities and Exchange Commission (SEC) announced Tuesday that it has charged and imposed penalties on four companies for making misleading disclosures in connection with the 2019 SolarWinds data breach.
The four companies charged are cybersecurity firm Check Point, which will pay a civil fine of $995,000; Mimecast, which will pay $990,000; and tech companies Unisys, which will pay $4 million, and Avaya, which will pay $1 million.
All of these companies were victims of the hack that hit SolarWinds and affected several other companies and government agencies that were using SolarWinds software. According to the SEC, the companies committed a variety of violations in which they “negligently” downplayed and minimized the harm of the breaches they suffered.
“Publicly listed companies may be targets of cyber-attacks, but they should not further victimize shareholders and other public investors by making misleading disclosures about cybersecurity incidents they have encountered. It is the responsibility of companies to do so,” said Sanjay Wadhwa, acting director of the SEC's enforcement division. “Here, the SEC's order finds that these companies provided misleading disclosures regarding the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
According to the SEC, each company committed different violations. Avaya said the hackers accessed a “limited number” of its emails, but did not say the hackers also accessed “at least 145 files within the company's cloud file sharing environment.” Even though Check Point knew about the breach, it “described the cyber intrusion and risks” in “general terms.” Mimecast “minimized the attack by not disclosing” the code and amount of the company's encrypted credentials that the hackers stole. Unisys also “described its risk from cybersecurity events as hypothetical” despite two SolarWinds-related breaches.
The SEC said all companies had agreed to cooperate with the investigation, pay fines and “cease future violations of the provisions of the indictment,” but would “neither admit nor deny” the SEC's findings.
Avaya spokeswoman Julianne Embry told TechCrunch that the SEC “recognized Avaya's voluntary cooperation and has taken certain steps to strengthen the company's cybersecurity controls.”
“Check Point investigated the SolarWinds incident and found no evidence that customer data, code or other sensitive information was accessed,” Check Point spokesperson Gil Messing told TechCrunch. “Nevertheless, Check Point has determined that it is in its best interest to cooperate with the SEC to resolve the dispute.”
Mimecast spokesperson Timothy Hamilton told TechCrunch that in the wake of the SolarWinds hack, the company has made “extensive disclosures and proactively and transparently communicated with customers and partners, including those who were not affected.”
“We believed that we were complying with our disclosure obligations under the regulatory requirements at the time,” Hamilton said.
When TechCrunch reached out for comment, Unisys spokesperson Jamie Bade declined to comment, referring to the company's 8-K filing made public on Tuesday. Unisys said in a filing that it has reached a settlement with the SEC to resolve the regulatory investigation into the company.
In recent years, the SEC has imposed a series of new obligations on publicly traded companies regarding disclosure of data breaches and their impact on the company and its customers and users.