SEC Charges Four Companies Over SolarWinds Hacks, Issues Millions In Penalties

Zinger Key Points
  • The SEC charges four companies for misleading disclosures about cybersecurity breaches tied to the SolarWinds hack.
  • Unisys, Avaya, Check Point and Mimecast face fines totaling more than $7 million for downplaying the breaches.

The U.S. Securities and Exchange Commission (SEC) charged four major companies — Unisys Corp. (UIS), Avaya Holdings Corp., Check Point Software Technologies (CHKP) and Mimecast — with making materially misleading public disclosures related to cybersecurity risks and breaches.

The SEC argued these four companies downplayed the seriousness of the SolarWinds Corp. (SWI) Orion software supply chain attack in their filings, potentially misleading investors about the true impact of the breaches.

"As today's enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of the SEC's Division of Enforcement.

Unisys, a major IT services provider, was hit with an additional charge for failing to implement proper disclosure controls and procedures. The company will pay a $4 million civil penalty, the highest among the four.

The SEC found that Unisys described cybersecurity risks as hypothetical in its public disclosures despite knowing that two SolarWinds-related breaches occurred, resulting in the exfiltration of gigabytes of data. According to the SEC, Unisys’ disclosures were "materially misleading" partly due to its deficient internal controls.

Other fines include $1 million for Avaya, $995,000 for Check Point and $990,000 for Mimecast.

Avaya, a telecommunications firm, claimed the SolarWinds hackers accessed only a "limited number of email messages," while SEC findings revealed the cybercriminals accessed at least 145 files in Avaya's cloud file-sharing environment.

Check Point, an Israeli cybersecurity firm, allegedly minimized the breach by using vague descriptions of the cyber intrusions and their potential risks.

Mimecast, which specializes in cloud email and data security, was found to have underreported the extent of the attack by failing to disclose the type of code exfiltrated and the number of encrypted credentials compromised.

The SolarWinds hack was a major cyberattack in 2020, during which Russian state-sponsored hackers inserted malicious code into SolarWinds' Orion software. This “Sunburst” malicious code provided attackers with remote access to the systems of thousands of organizations, including private-sector firms such as Microsoft and FireEye and major U.S. government departments such as Homeland Security and Treasury.

Although the companies have not admitted to or denied the SEC’s findings, they have agreed to pay the fines and take corrective measures to strengthen their cybersecurity practices.

The SEC filed a lawsuit against SolarWinds in October 2023, but this July U.S. District Judge Paul Engelmayer dismissed most of the accusations, ruling that claims of defrauding investors were speculative.
