The U.S. Securities and Exchange Commission (SEC) has taken significant action against four prominent companies—Avaya Holdings, Check Point Software, Mimecast, and Unisys Corp—by charging them for allegedly misleading investors about the severity of the 2020 SolarWinds cyber attack. This incident is widely regarded as one of the largest cyber attacks in history, affecting over 30,000 organizations, including critical government agencies, through a supply chain attack that exploited vulnerabilities in the SolarWinds Orion network management system. By inserting malicious code into a legitimate software update, threat actors gained unauthorized access to numerous customer networks, creating a cascading effect that allowed them to infiltrate further into connected systems.
According to the SEC’s findings, the companies involved significantly downplayed the impact of the breach in their disclosures to investors. Avaya Holdings, for instance, reported that only a “limited number” of its email messages had been accessed, while it was later revealed that the attackers had also accessed 145 files in its cloud environment. This misleading portrayal not only obscured the true extent of the breach but also left investors unaware of the potential risks and ramifications associated with the attack. Similarly, Check Point Software provided vague descriptions of the incident, failing to accurately communicate the threats that had materialized.
Mimecast faced charges for its lack of transparency regarding the nature of the code stolen by the hackers and the number of encrypted credentials that were compromised. By not disclosing critical information about the breach, Mimecast misled its stakeholders, putting them at a disadvantage when assessing the company’s security posture. Unisys, despite being aware of the substantial data exfiltration that had occurred, described the cyber risks as “hypothetical,” demonstrating a serious lapse in its disclosure practices.
In light of these violations, the SEC has imposed financial penalties on the four companies, with Unisys facing the largest fine of $4 million, followed by Avaya at $1 million, Check Point at $995,000, and Mimecast at $990,000. While none of the companies admitted to the SEC’s findings, they agreed to pay the penalties and have committed to improving their disclosure practices. The SEC’s enforcement actions highlight the critical need for public companies to provide accurate and transparent information about cybersecurity incidents, ensuring that investors are not left in the dark about potential threats and vulnerabilities that could impact their investments.
Reference: