SEC Fines Companies Millions for Downplaying SolarWinds Breach

The initial attack might be years old, but regulators at the Securities and Exchange Commission (SEC) are still sifting through the details of the 2020 SolarWinds breach. This week, the SEC announced it has charged four companies for what the agency determined was an intentional effort to minimize the impact of the hack to their systems.

Unisys was dealt the largest civil penalty — $4 million — for its disclosure practices, as well as for controls violations.

"The SEC's order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data," the SEC announcement of the fines read. "The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls."

Unisys has not responded to Dark Reading's request for comment.

Avaya Holdings Corp. agreed to pay $1 million for its statements that admitted a threat actor has accessed what the company characterized at the time as a "limited number" of company email messages, but failed to mention the company was also aware that 145 files in its cloud environment were also compromised, according to the SEC.

Avaya, similarly to the other fined companies, said in its statement the company is glad to put this issue to rest.

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls," according to a statement from Avaya provided to Dark Reading. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Check Point was intentionally vague in its disclosures, according to the SEC, which fined the software company $995,000. Check Point's statement maintains the company acted earnestly but is glad to move on.

"The SEC's announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 SolarWinds Orion cyber vulnerability and the question of whether this should have been reported in Check Point's 2021 20-F Annual Report filing," the Check Point statement read. "As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world."

The SEC dealt the lightest penalty to Mimecast, which will pay $990,000, for "failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed," the SEC said.

Mimecast said in a statement that the company acted transparently, adding that it is no longer a publicly traded company under SEC jurisdiction, but nonetheless will continue to comply with the SEC enforcement.

"In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," the Mimecast statement read. "We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."

SEC Trying to Deter Vague Data Breach Disclosures

The intention of the charges and subsequent fines is to deter other companies from taking the same "half-truth" communications approach following a breach, the SEC explained.

"Downplaying the extent of a material cybersecurity breach is a bad strategy," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit said in a statement. "In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized."

The lesson companies should take from this SEC enforcement action is that regulators are looking for technically precise disclosures, according to cybersecurity attorney Beth Burgin Waller.

"Companies can no longer rely on generalizations or hypotheticals," she adds. "The challenge for many companies will be thinking of post-ligation risk from all angles including later data breach class actions or customer lawsuits."

This new enterprise cybersecurity terrain will require chief information security officers to work more closely legal teams, Burgin Waller says.

"The SEC is creating tension for many companies post-incident by forcing disclosure of details very early on in an incident investigation that will be cited back to the business in future litigation," she adds. "CISOs need to be prepared to work closely with in-house and outside counsel on SEC cyber-incident materiality determinations, especially in light of the technical precision required of companies in these enforcement announcements."