In a significant development from the SolarWinds cyberattack fallout, the U.S. Securities and Exchange Commission (SEC) has fined four major cybersecurity companies for their inadequate and misleading public disclosures. The fines, which total millions of dollars, target Check Point, Avaya, Unisys, and Mimecast for downplaying the severity of breaches tied to the SolarWinds incident in 2020.
These companies were found to have minimized or inadequately reported the risks and impacts of the cyberattacks that compromised their systems, despite being fully aware of the extent of the damage caused by the hackers.
The SolarWinds incident is widely regarded as one of the most consequential cyber breaches in history, affecting multiple U.S. government agencies and prominent private sector entities. The SEC’s action underscores the growing scrutiny on how companies disclose cybersecurity risks to investors and the public, holding firms accountable for what the Commission called “materially misleading” statements.
This case sets a new precedent for how cyber breaches must be handled in financial disclosures under regulatory standards.
Why It Matters: This case serves as a warning to all companies on the importance of transparency in cybersecurity disclosures. As cyber threats become more pervasive and sophisticated, failing to provide accurate, timely information to investors and the public can lead to serious consequences. The penalties highlight the SEC’s growing focus on ensuring companies are truthful in their reporting, especially when national security and public trust are at stake.
- The SEC Takes Action: The SEC fined four cybersecurity firms, Check Point, Avaya, Unisys, and Mimecast, millions of dollars for making misleading disclosures about their cybersecurity risks following the SolarWinds cyberattack in 2020. The argument is that the companies failed to fully inform the public and their investors about the extent of the breaches they had suffered.
- Details of the Violations: The SEC concluded that Unisys minimized its breach in disclosures, failing to acknowledge data theft, while Avaya understated the number of compromised files. Check Point and Mimecast were accused of downplaying the scope of their intrusions, with Mimecast omitting critical details about the stolen code and encrypted credentials accessed by the hackers.
- Fines and Corporate Responses: Unisys received the largest penalty at $4 million, while Avaya, Check Point, and Mimecast were fined between $990,000 and $1 million each. Though the companies cooperated with the SEC investigation, they neither admitted nor denied the findings, with some expressing a desire to settle the matter swiftly.
- Ongoing Legal Fallout: The SolarWinds breach continues to have wide-reaching legal and financial consequences. The SEC has also been pursuing cases against SolarWinds itself and its executives, accusing them of misrepresenting their cybersecurity practices, though some charges were dismissed in July 2023.
Go Deeper -> Four Cyber Companies Fined for SolarWinds Disclosure Failures – The Record
SEC Charges Four Companies Over Misleading Disclosures on SolarWinds Hack – SecurityWeek