The U.S. Securities and Exchange Commission (SEC) has fined four companies for misleading disclosures about the 2020 SolarWinds hack. Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited were all victims of the breach but reportedly minimized the damage and impact in their public statements. The SEC imposed civil penalties ranging from $990,000 to $4 million on the companies.
Unisys received the largest fine of $4 million due to additional procedural violations. Avaya Holdings will pay $1 million, Check Point $995,000, and Mimecast $990,000. The SEC’s investigation revealed that about 18,000 SolarWinds clients had installed the malicious trojan, but the Russian state-sponsored hackers selectively targeted a smaller number of victims.
The fined companies were found to have negligently understated their cybersecurity disclosures, misleading investors. Unisys described the risks as hypothetical despite knowing that attackers had penetrated its systems multiple times and exfiltrated tens of gigabytes of data. Avaya failed to disclose that attackers stole at least 145 cloud-hosted files in addition to accessing internal emails.
Mimecast did not specify the extent of stolen encrypted credentials and the nature of the exfiltrated code. Check Point was criticized for describing the intrusion in overly generic terms.
The companies agreed to cease future violations of this nature without admitting to the specific charges. The SEC noted that each company’s voluntary cooperation, including steps to improve cybersecurity controls, influenced its decisions. Nearly five years after the SolarWinds hack, developments and fallout continue.
The case demonstrates that cybersecurity disclosures involving potential negligence or downplaying of the circumstances have become an increasing enforcement priority for the SEC. New rules for publicly traded companies, effective from the end of last year, now require the disclosure of material incidents within four business days of discovery. Smaller companies with under $100 million in annual revenue can receive a 180-day extension.
The SEC has demonstrated its willingness to retrospectively scrutinize cybersecurity disclosures in major cases involving national security or widespread financial damage. However, its record is not unblemished: a July court decision, in addition to clearing SolarWinds’ CISO Timothy Brown, also nullified the SEC’s justification for penalizing SolarWinds over its own disclosures.
Two SEC commissioners, Hester Peirce and Mark Uyeda, dissented from the current fines, arguing that the victims should not be treated as perpetrators. Nevertheless, organizations should anticipate similar actions from the SEC in high-profile cases. The SolarWinds hack remains a pivotal case in cybersecurity, illustrating the enduring consequences of data breaches and the increasing importance of transparent and responsible cybersecurity practices.