Supply chain, Governance, Risk and Compliance

SEC Penalizes Firms After Misleading SolarWinds Hack Disclosures

Share
A stark image of a locked down laptop with police tape across it, symbolizing the quarantine of a system following a severe malware attack

The Securities and Exchange Commission (SEC) ordered IT and cybersecurity firms Unisys, Avaya, Check Point, and Mimecast to pay fines of $4 million, $1 million, $995,000, and $990,000, respectively, for their misleading disclosures regarding the impact of the SolarWinds hack by Russian state-backed threat actors on their systems, according to The Record, a news site by cybersecurity firm Recorded Future.

The SEC alleged all of the companies downplayed the intrusion; a federal investigation discovered Unisys regarded the attack's risk as "hypothetical" despite awareness of massive data theft and Avaya disclosing only limited email message access despite knowledge of more extensive compromise.

"Downplaying the extent of a material cybersecurity breach is a bad strategy. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures," said SEC Crypto Assets and Cyber Unit Acting Chief Jorge Tenreiro.

The penalties have no longer been contested by the fined firms despite certain disagreements with the SEC's findings.