The Securities and Exchange Commission announced it has charged four current and former public companies with materially misleading cyber disclosures.
The SEC said that the firms, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited, made misleading disclosures regarding cybersecurity risks and intrusions. Unisys was also charged with disclosure controls and procedures violations.
The companies agreed to pay the following penalties to settle the SEC’s charges:
-Unisys will pay a $4 million civil penalty;
-Avaya. will pay a $1 million civil penalty;
-Check Point will pay a $995,000 civil penalty; and
-Mimecast will pay a $990,000 civil penalty.
The charges stemmed from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
According to the SEC’s orders, Unisys, Avaya, Check Point and Mimecast learned that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident when making public disclosures.
Unisys described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The SEC determined that the misleading disclosures resulted in part from Unisys’ deficient disclosure controls.
Avaya stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when the firm knew the actor had also accessed at least 145 files in its cloud file sharing environment, the SEC said.
The SEC’s order said Check Point knew of the intrusion but described cyber intrusions and risks from them in generic terms. Mimecast minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed, regulators said.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
Each company was found to have violated certain provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules thereunder. The firms did not admit or deny the findings but agreed to cease and desist from future violations of the charged provisions and to pay the penalties. Each company cooperated during the SEC’s investigation, including by voluntarily providing analyses or presentations to help expedite the probe and by voluntarily taking steps to enhance its cybersecurity controls.
The attorneys at Lewitas Hyman include former senior attorneys at the SEC whose legal experience and industry knowledge make them uniquely qualified to provide counsel on securities regulatory, compliance and enforcement matters. Our attorneys fully understand the regulatory scrutiny financial professionals and their firms face from the various regulators that oversee the financial services industry. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655-6002 or through our online contact form.