
The US Securities and Exchange Commission (SEC) is charging four cybersecurity companies with providing misleading disclosures related to the SolarWinds Orion hack. Unisys, Avaya, Check Point, and Mimecast allegedly failed to inform investors that they, too, had been breached.
According to the SEC, the four companies made misleading disclosures regarding the intrusions and the cyber risks they faced.
According to the settlement reached, Unisys will pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000 in civil penalties.
The charges resulted from an investigation into the impact of the SolarWinds Orion software compromise and related activity.
“While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement.
Wadhwa compared the act to “leaving investors in the dark about the true scope of the incidents.”
In 2020-2021, the four companies learned that the threat actor behind the SolarWinds Orion hack had accessed their systems without authorization. Still, each negligently minimized its cybersecurity incident in its public disclosures.
According to the SEC, Unisys described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving the exfiltration of gigabytes of data.
Avaya stated that the threat actor had accessed a “limited number of [the] Company’s email messages.” However, the investigation uncovered that the hackers also had accessed at least 145 files in its cloud file-sharing environment.
Check Point described cyber intrusions and risks from them “in generic terms.” At the same time, Mimecast minimized the attack by failing to disclose the nature of the exfiltrated code and the quantity of stolen encrypted credentials.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit.
“In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized.”
The companies neither admitted nor denied the SEC’s findings and agreed to cease future violations of the charged provisions and to pay the penalties.
SolarWinds made headlines when a Russian cyber espionage group carried out a highly sophisticated supply chain attack, potentially affecting more than 300,000 customers worldwide, including government agencies, military offices, major US telecommunications companies, education institutions, and Fortune 500 companies.