SEC Charges 4 Firms Over Misleading SolarWinds Cyberattack Disclosures
The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies with making "materially misleading statements" about the large-scale cyberattack that stemmed from the 2020 compromise of SolarWinds.
According to the SEC, Avaya, Check Point, Mimecast, and Unisys are being penalized for how they handled disclosure after the SolarWinds Orion software supply chain incident and for downplaying the extent of the breach, in violation of the Securities Act of 1933 and the related rules under the Securities Exchange Act of 1934.
To settle the charges, Avaya will pay a civil penalty of $1 million, Check Point will pay $995,000, Mimecast will pay $990,000, and Unisys will pay $4 million. The SEC also charged Unisys with violating disclosure controls and procedures requirements.
“Although public firms may fall prey to cyberattacks, it is their responsibility not to further victimize their shareholders or other investing members by issuing deceptive statements regarding the cybersecurity incidents encountered,” stated Sanjay Wadhwa, the current head of the SEC’s Enforcement Division.
“In this scenario, the SEC’s rulings reveal that these firms released misleading disclosures concerning the incidents, leaving investors clueless about the actual scale of the events,” he added.
As per the SEC, all four firms were informed about the Russian hackers
Unisys, the regulator said, chose to describe the risks stemming from the intrusion as "theoretical" even though it knew the incidents had led to the exfiltration of more than 33 GB of data on two separate occasions.
The investigation also found that Avaya stated the threat actors had accessed only a "limited number" of the company's email messages, when in reality it knew the attackers had also accessed at least 145 files in its cloud file-sharing environment.
As for Check Point and Mimecast, the SEC took issue with how generically they described the risks from the intrusion, with Mimecast also failing to disclose the type of code the threat actors exfiltrated and the number of encrypted credentials they obtained.
“In two of these cases, the pertinent cyber hazard factors were depicted in hypothetical or generic terms when the firms were aware that the cautioned risks had materialized,” stated Jorge G. Tenreiro, the current leader of the Crypto Assets and Cyber Unit. “The federal securities laws prohibit incomplete truths, and no exemptions are granted for statements in risk warnings.”