SEC penalizes cyber firms for misleading SolarWinds hack disclosures

IT and cybersecurity firms Unisys, Avaya, Check Point, and Mimecast have been ordered by the Securities and Exchange Commission to pay fines of $4 million, $1 million, $995,000, and $990,000, respectively, for their misleading disclosures regarding the impact of the SolarWinds hack of Russian state-backed threat actors on their systems, according to The Record, a news site by cybersecurity firm Recorded Future.

All of the companies were alleged by the SEC to have downplayed the intrusion, with Unisys discovered by a federal investigation to have regarded the attack’s risk as “hypothetical” despite awareness of massive data theft and Avaya disclosing only limited email message access despite knowledge of more extensive compromise. “Downplaying the extent of a material cybersecurity breach is a bad strategy. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures,” said SEC Crypto Assets and Cyber Unit Acting Chief Jorge Tenreiro. Such penalties have no longer been contested by the fined firms despite certain disagreements with the SEC’s findings.