Four top security companies have been charged with downplaying the impact the SolarWinds Orion compromise had on their systems, an action that violated certain provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, among other related rules.
The US Securities and Exchange Commission charged and fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited for “making materially misleading disclosures regarding cybersecurity risks and intrusions.”
All four companies received civil penalties, with Unisys expected to pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.
Misleading disclosures
The 2020 attack on SolarWinds’ Orion infrastructure management software saw threat actors push updates to the Orion software that were loaded with malware, infecting other organizations downstream in the supply chain that used the Orion software.
The attack impacted thousands of businesses and several branches of the US government, including the US Department of Homeland Security, the US Treasury Department, and the US Department of Commerce.
Among the businesses impacted by the attack were the four charged by the SEC, which stated in its press release that Unisys “described its risks from cybersecurity events as hypothetical” despite the company knowing it had experienced two intrusions as a result of the SolarWinds attack, in which large amounts of data were exfiltrated.
The charge against Avaya states the company attempted to downplay the impact of the SolarWinds attack, stating attackers had accessed a “limited number of [the] Company’s email messages.” In actuality, Avaya was already aware the threat actors had broken into the company’s cloud file-sharing system and gained access to at least 145 files.
Check Point and Mimecast were also found to have downplayed the impact of the attack on their systems.
Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said, “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”