SEC fines four companies for downplaying SolarWinds hack

Photo by Suzanne Cordeiro/AFP via Getty Images.
The Securities and Exchange Commission fined four cybersecurity companies for downplaying to investors the impact the 2020 Russian hack of SolarWinds had on their own systems.
Why it matters: It's rare to see companies come under regulatory fire for cybersecurity disclosures.
Zoom in: Unisys, Avaya, Check Point Software Technologies and Mimecast agreed to pay the SEC significant civil fines to settle charges that they made materially misleading disclosures about their cyber risk, according to a press release Tuesday.
- Unisys will pay $4 million. The agency alleges that Unisys, a global tech solutions provider, publicly described its risks in the SolarWinds hack as hypothetical when it already knew it had been breached twice.
- Avaya will pay $1 million. The SEC says the business phone company told investors that hackers stole only a "limited number" of company emails, despite an internal probe showing hackers stole at least 145 files from its cloud systems.
- Check Point will pay $995,000. The cybersecurity company only described its potential impact in "generic terms" publicly when the firm knew internally that it was already hacked, the agency alleges.
- Mimecast will pay $990,000. The SEC says Mimecast failed to disclose the type of code and the number of login credentials a hacker stole during a SolarWinds-related incident.
Catch up quick: Russian government hackers infiltrated SolarWinds' Orion product and used it as a jumping-off point to gain access to hundreds of customers' systems, including government agencies and tech companies.
- The SEC had also pursued fraud charges against SolarWinds, claiming it had presented false and misleading statements to investors leading up to the incident.
- A judge dismissed all but one of those charges in July.
The big picture: The agency has become a more aggressive enforcer of its cybersecurity disclosure requirements.
- The SEC rolled out new rules last year requiring companies to disclose cybersecurity incidents that have a material impact on a business within four business days.
- The enforcement actions and new rules have sparked fear among some security executives who worry they'll be held liable for their companies' cybersecurity challenges.
What they're saying: Gil Messing, chief of staff at Check Point, told Axios the company first acknowledged the issue in an SEC filing in December.
- "Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world," he said in a statement.
- A Mimecast spokesperson said in a statement the company believes it complied with the disclosure requirements it was facing at the time of the incident. "Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," the person said.
- An Avaya spokesperson said in a statement it is pleased it has now resolved the matter "related to historical cybersecurity issues" and that the company is continuing to "focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."
- Unisys said in an 8-K filing on Tuesday that the matter was related to an issue the company first disclosed in November 2022 and that it has since made several improvements to its internal cybersecurity program.
Editor's note: This story was updated with a comment from Unisys.
