CONFERENCE Now Live: CISO Forum Virtual Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Government

SEC Charges Four Companies Over Misleading Disclosures on SolarWinds Hack

The SEC announces penalties against Unisys, Avaya, Check Point and Mimecast for downplaying the impact of the SolarWinds Orion hack.

SolarWinds

The US Securities and Exchange Commission (SEC) on Tuesday announced charges and million-dollar penalties against four prominent companies for “making materially misleading public disclosures related to cybersecurity risks and intrusions.”

The four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited — downplayed the impact of breaches linked to the SolarWinds Orion software supply chain incident, the SEC said.

The SEC also charged Unisys with disclosure controls and procedures violations and penalized the IT services powerhouse for inadequately addressing cybersecurity risks, even though it knew of two SolarWinds-related breaches involving data exfiltration.

“The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data,” the agency said.

The SEC said the companies agreed to pay civil penalties:

  • Unisys Corp.: $4 million
  • Avaya Holdings Corp.: $1 million
  • Check Point Software Technologies Ltd.: $995,000
  • Mimecast Limited: $990,000

According to the SEC, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that hackers behind the SolarWinds Orion breach had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.

“The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls,” it added.

In Avaya’s case, the SEC investigation found the company’s claims that the threat actor accessed a “limited number of [the] Company’s email messages” was not the whole truth.

“Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment,” the agency said.

Advertisement. Scroll to continue reading.

The SEC order against Check Point found the company knew of the intrusion but described cyber intrusions and risks from them in generic terms. It also charged Mimecast with minimizing the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed. 

Related: Judge Dismisses SEC Charges Against SolarWinds and CISO 

Related: SolarWinds Says 18,000 Customers Used Compromised Orion Product

Related: SEC Charges SolarWinds and CISO With Fraud, Cybersecurity Failures

Related: SolarWinds Shares Info on Cyberattack Impact, Initial Access Vector

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.