On Oct. 22, 2024, the Securities and Exchange Commission announced that it charged four technology companies with making materially misleading disclosures about the effect the SolarWinds cyberattack had on these issuers. To settle the claims, the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Ltd., agreed to pay a total of nearly $7 million in civil penalties.

The SEC’s charges arose from an investigation of public companies that were potentially impacted by the massive SolarWinds cyberattack. SolarWinds provides an IT performance and monitoring product called Orion, which issued a routine software update in March 2020. Multiple news outlets reported in early 2021 that hackers, likely backed by Russia’s intelligence service, slipped malicious code into the Orion software update and used it to access the networks, systems and data of thousands of SolarWinds customers. The SEC alleged that all four companies knew by December 2020 that at least some of their systems had been compromised through the Orion software update.

The SEC claimed that the companies’ public disclosures following these discoveries “negligently minimized” the severity of the breaches and the new cybersecurity risks that arose from the SolarWinds attack. Specifically, the SEC found that Unisys, which will pay a $4 million fine, misrepresented the cyberattack by describing hypothetical risks when it in fact knew that gigabytes of data had been stolen over the course of 16 months. The SEC also concluded that this failure resulted from deficient internal disclosure controls. The SEC found that Avaya, which was fined $1 million, downplayed the severity of the breach by representing that a limited number of emails were accessed when it knew that a threat actor had taken 145 files from its cloud file storage. The SEC determined that Check Point, which will pay a $995,000 fine, described the cybersecurity risks arising from the attack too generally and failed to update these generic risk disclosures when it discovered that its systems had in fact been infiltrated. The SEC concluded that Mimecast, which will pay a $990,000 fine, failed to disclose the number of customers affected by the threat actor’s access to encrypted credentials and server and configuration information. All four companies settled the charges without admitting or denying the allegations.

Since the SolarWinds attack, the SEC has updated its cybersecurity disclosure rules, which now require companies to report material cybersecurity incidents within four business days of determining that the incident is material (discussed here). Companies must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations,” and must amend their filings when they discover new material information.

These charges are a continuation of the SEC’s increasing focus on regulating company conduct related to cybersecurity risk management and breach disclosures. Public companies that have experienced a cybersecurity incident should ensure that their disclosures adequately inform investors of the full range of risks and harms known to the company that may affect reasonable investors’ investment decisions, and consider whether their disclosures need to be updated as more specific information may come to light. Companies should also tailor their disclosures to the particular cybersecurity risks and incidents facing that company, and avoid using generic or hypothetical risk factor disclosures when the company knows the risks have materialized, as noted on page two of the Check Point order.

Read the SEC’s press release here.

We will continue to follow these and other legal developments. Please reach out to Kramer Levin’s Privacy, Cybersecurity and Data Innovation or Public Companies groups for more information.