Incident Response, Government Regulations, Breach

SEC fines 4 firms for sloppy incident disclosures related to SolarWinds case


The U.S. Securities and Exchange Commission announced nearly $7 million in fines against companies it accused of failing to properly disclose security incidents.

The commission said that Avaya, Unisys, Check Point, and Mimecast would pay out fines ranging from $990,000 to $4 million to settle charges that they mishandled the disclosure of their respective incidents stemming from the SolarWinds Orion data breach.

The cases date back to late 2020 (early 2021 in the case of Mimecast) when each of the companies learned that their own networks were compromised by attackers who gained access using credentials stolen by SolarWinds and its hosted services company.

While the upstream breach led to dozens of data and network breach incidents, the SEC said that these four tech firms in particular were not clear about the extent to which they were compromised, either downplaying the severity of the attacks or the nature of what was taken.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said SEC enforcement division acting director Sanjay Wadhwa.

“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

When contacted by SC Media, each of the four companies had a statement to offer regarding the fines.

Unisys was handed the largest fine by far, getting dinged to the tune of $4 million.

“Like many companies, Unisys was impacted by the SolarWinds cyberattack. We have constructively resolved the matter with the Securities and Exchange Commission, which recognized our voluntary and full cooperation,” the company said.

“We are pleased to move forward and remain committed to delivering exceptional service to our clients.”

Avaya was fined $1 million on allegations the company downplayed the number of internal emails threat actors managed to steal.

“We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls,” the Avaya statement read.

“Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations.”

Check Point narrowly avoided the $1 million mark, taking a fine of $995,000. The company remained defiant in its statement.

“As mentioned in the SEC’s order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed,” Check Point said.

“Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world.”

Mimecast got off lightest, taking a $950,000 penalty.

“In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected,” the company said.

“We believed that we complied with our disclosure obligations based on the regulatory requirements at that time.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.