The US Securities and Exchange Commission (SEC) on Tuesday announced charges and million-dollar penalties against four prominent companies for “making materially misleading public disclosures related to cybersecurity risks and intrusions.”
The four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited — downplayed the impact of breaches linked to the SolarWinds Orion software supply chain incident, the SEC said.
The SEC also charged Unisys with disclosure controls and procedures violations and penalized the IT services powerhouse for inadequately addressing cybersecurity risks, even though it knew of two SolarWinds-related breaches involving data exfiltration.
“The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data,” the agency said.
The SEC said the companies agreed to pay civil penalties:
- Unisys Corp.: $4 million
- Avaya Holdings Corp.: $1 million
- Check Point Software Technologies Ltd.: $995,000
- Mimecast Limited: $990,000
According to the SEC, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that hackers behind the SolarWinds Orion breach had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.
“The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls,” it added.
In Avaya’s case, the SEC investigation found the company’s claims that the threat actor accessed a “limited number of [the] Company’s email messages” was not the whole truth.
“Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment,” the agency said.
The SEC order against Check Point found the company knew of the intrusion but described cyber intrusions and risks from them in generic terms. It also charged Mimecast with minimizing the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.
Related: Judge Dismisses SEC Charges Against SolarWinds and CISO
Related: SolarWinds Says 18,000 Customers Used Compromised Orion Product
Related: SEC Charges SolarWinds and CISO With Fraud, Cybersecurity Failures
Related: SolarWinds Shares Info on Cyberattack Impact, Initial Access Vector