Vendors charged and fined over limited disclosures related to 2020 attack.
Unisys, Avaya, Check Point and Mimecast have all been charged with making materially misleading disclosures regarding cybersecurity risks and intrusions.
In a statement, the Securities and Exchange Commission (SEC) said the four companies were charged following an investigation of public companies potentially affected by the compromise of SolarWinds’ Orion software and by other related activity.
Negligently Minimised
The SEC said each of the four companies had found that the threat actor behind the SolarWinds Orion hack had accessed its systems, and then “negligently minimised” the impact of the cybersecurity incident in its public disclosures.
It found that Unisys knew it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data, and “described its risks from cybersecurity events as hypothetical.” Unisys will pay a $4 million civil penalty, and has been charged with disclosure controls and procedures violations.
The order against Avaya found it stated that the threat actor had accessed a “limited number of [the] company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. It will pay a $1 million civil penalty.
Check Point was found to have known of the intrusion but to have described cyber intrusions, and the risks from them, only in generic terms. It will pay a $995,000 civil penalty.
Mimecast was found to have minimised the attack, by failing to disclose the nature of the code that the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed. Mimecast will pay a $990,000 civil penalty.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimise their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement.
“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
Sunburst
In the 2020 intrusion, known as Sunburst, attackers gained access to US Government networks via malicious code in the SolarWinds Orion product, as well as Microsoft and VMware, which allowed them to obtain elevated credentials in a number of US Government departments.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit.
“In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialised. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
Statements and Resolution
A statement from Avaya said: "We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls. Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."
Mimecast said it has resolved a matter with the SEC involving statements about a security incident that Mimecast became aware of in January 2021. "In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," it said.
"We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."
A spokesperson for Check Point said: "The SEC’s announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 Solarwinds Orion cyber vulnerability and the question of whether this should have been reported in Check Point’s 2021 20-F Annual Report filing.
"As mentioned in the SEC’s order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyber-attacks throughout the world."
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.