The U.S. Securities and Exchange Commission (SEC) has filed charges against four companies (Avaya, Check Point, Mimecast, and Unisys) for failing to provide accurate disclosures about the cyberattack that originated from the SolarWinds breach in 2020. That incident raised alarms across the technology sector and has now led to regulatory scrutiny of how the affected companies described it to investors.
The SEC’s findings indicate that these companies misrepresented the severity of the cyber breach, violating critical provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. Each company faces substantial financial penalties, with Unisys bearing the heaviest burden at $4 million, followed by fines of $1 million for Avaya, $995,000 for Check Point, and $990,000 for Mimecast. The SEC’s actions underscore the responsibility public companies hold in transparent communication regarding cybersecurity incidents.
Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, emphasized that public companies must not further endanger their shareholders through misleading disclosures related to cyber incidents. The charged companies acknowledged that Russian state-sponsored actors had infiltrated their systems, yet chose to downplay the implications in their public statements, leaving investors uninformed about the depth of the breach.
The investigation revealed that while Avaya described the intrusion as affecting a “limited number” of email messages, it was aware that at least 145 files were compromised in its cloud environment. Unisys went further by characterizing the risks as “hypothetical,” notwithstanding evidence that significant data exfiltration had already occurred, totaling over 33 GB on two separate occasions.
Check Point and Mimecast were similarly scrutinized for their vague assessments of the inherent risks, with Mimecast failing to disclose critical details about the nature of the malicious code exfiltrated, as well as the number of encrypted credentials that had been accessed. The SEC noted that in some instances, risk factors were presented in a generic manner despite the companies’ awareness that actual risks had materialized.
Throughout this investigation, the SEC has invoked the MITRE ATT&CK framework to contextualize the tactics and techniques potentially employed by the adversaries. Initial access methods could have included phishing or exploiting vulnerabilities within the SolarWinds software. After gaining entry, the adversaries could have used tactics such as privilege escalation and lateral movement to reach sensitive systems, increasing the damage and complicating incident response efforts.
The ramifications of these charges extend beyond financial penalties, highlighting the vital importance of robust cybersecurity practices and transparent communication within corporate governance. As demonstrated in this case, organizations must commit to comprehensive disclosure processes to not only protect their shareholders but also uphold the integrity of the market.
The SEC’s decisive actions serve as a reminder to all industry players of the critical nature of cybersecurity transparency, especially given the evolving threat landscape characterized by increased state-sponsored cyberattacks. For stakeholders in technology and finance, the expectation for diligence and accountability remains high as regulatory frameworks tighten in response to these cyber threats.