
SEC fines four companies for sloppy disclosure of incidents related to the SolarWinds case

The U.S. Securities and Exchange Commission announced nearly $7 million in fines against companies it accused of failing to properly disclose security incidents.

The commission said Avaya, Unisys, Check Point and Mimecast would pay fines ranging from $990,000 to $4 million to settle allegations that they mishandled the disclosure of their respective incidents related to the SolarWinds Orion data breach.

The cases date back to late 2020 (early 2021 in Mimecast's case), when each of the companies learned that their own networks had been compromised by attackers who gained access using credentials stolen from SolarWinds and its hosted services company.

While the upstream breach resulted in dozens of data and network breaches, the SEC said these four tech companies in particular were unclear about the extent to which they were compromised and did not specify the severity or nature of the attacks.

“Today’s enforcement actions demonstrate that while publicly traded companies can be targeted by cyberattacks, it is their duty not to further victimize their shareholders or other members of the investing public by making misleading disclosures about the cybersecurity incidents they have encountered,” said SEC Enforcement Director Sanjay Wadhwa.

“The SEC’s orders find that these companies made misleading statements about the incidents in question and left investors unclear about the true extent of the incidents.”

When contacted by SC Media, each of the four companies provided a statement regarding the fines.

Unisys was given by far the largest fine of $4 million.

“Like many companies, Unisys was affected by the SolarWinds cyberattack. We have constructively resolved the matter with the Securities and Exchange Commission, which has acknowledged our voluntary and full cooperation,” the company said.

“We are excited to move forward and continue to strive to provide exceptional service to our customers.”

Avaya was fined $1 million for downplaying the number of internal emails that threat actors were able to steal.

“We are pleased to have resolved with the SEC this disclosure issue related to historic cybersecurity issues dating back to late 2020 and that the agency recognized Avaya's voluntary cooperation and that we have taken certain steps to strengthen the company's cybersecurity controls,” reads Avaya’s statement.

“Avaya remains focused on strengthening our cybersecurity program, both in the development and delivery of our products and services to our valued customers and in our internal operations.”

Check Point narrowly missed the $1 million mark and was fined $995,000. The company remained defiant in its statement.

“As noted in the SEC’s order, Check Point investigated the SolarWinds incident and found no evidence that customer data, code, or other sensitive information was accessed,” Check Point said.

“However, Check Point has determined that cooperating and resolving the dispute with the SEC is in its best interests and will allow the company to continue to focus on helping its customers defend against cyberattacks around the world.”

Mimecast got off lightly and was fined $950,000.

“In response to the 2021 incident, Mimecast made comprehensive disclosures and worked proactively and transparently with our customers and partners, including those who were not affected,” the company said.

“We were confident that we had complied with our disclosure obligations based on the regulatory requirements at the time.”