.@CheckPointSW, @Mimecast Settle SEC Case From SolarWinds Hack: https://t.co/oL5mlY56T5
“Downplaying the extent of a material cybersecurity breach is a bad strategy. The federal securities laws prohibit half-truths, and there is no exception for risk-factor disclosures.” $CHKP
— Michael Novinson (@MichaelNovinson) October 23, 2024
The Securities and Exchange Commission (SEC) has fined four companies for misleading disclosures related to the 2020 SolarWinds Orion software breach. Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies, and Mimecast Limited were charged with downplaying the breach’s impact or treating the incident as theoretical, despite knowing that significant information had been stolen. Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, stated, “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
The companies have agreed to pay fines without acknowledging wrongdoing.
NEW: The SEC fined four tech companies with a combined $7 million fine for “negligently” downplaying and minimizing the impact of the SolarWinds supply chain hack.
The companies fined are: Avaya, Check Point, Mimecast, and Unisys. https://t.co/zhRZAtctbP
— Lorenzo Franceschi-Bicchierai (@lorenzofb) October 22, 2024
Unisys will pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.
It's never a good look for a cybersecurity vendor to be compromised by an adversary, but it's an even worse look to get compromised and not disclose it. Current or potential customers naturally have to ask, "…then what *can* I trust you about?" https://t.co/3PTuJDVJVG
— Eric Parizo (@EricParizo) October 22, 2024
Avaya discovered in December 2020 that at least one cloud server holding customer data and another server for their lab network were breached by hackers linked to the Russian government. Despite further findings of breached cloud email and file-sharing systems, Avaya’s February 2021 quarterly report downplayed the impact, stating only a limited number of emails were accessed.
Unisys’ investigation revealed multiple system breaches over 16 months, including unauthorized access to seven network accounts and 34 cloud-based accounts. However, Unisys inaccurately described the intrusions in its reporting, presenting them as hypothetical risks.
The @SECGov is starting to hand out some real #cybersecurity fines, hitting four companies with penalties over lax disclosures. https://t.co/1lyEsNV2zU
— Mike Swift (@Swiftstories) October 22, 2024
Check Point’s December 2020 investigation found two infected servers and evidence of the hackers moving within their network. However, subsequent SEC filings described their cybersecurity risks with language similar to past reports. Mimecast discovered that hackers used a stolen authentication certificate to breach five customer cloud platforms, access internal emails, and steal code for an encrypted database holding customer credentials.
Mimecast’s SEC reporting, however, omitted critical details about the extent of the breach. U.S. officials and private threat intelligence firms have attributed the SolarWinds Orion compromise to the Russian Foreign Intelligence Service (SVR) as part of a long-term espionage campaign. The breach affected at least nine federal agencies and nearly 100 private-sector organizations.