The Securities and Exchange Commission (SEC) has charged four current and former public companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited—with providing materially misleading disclosures about cybersecurity risks and breaches. Additionally, Unisys was charged with violations related to inadequate disclosure controls and procedures.
These charges stemmed from an investigation involving companies potentially impacted by the SolarWinds Orion software compromise and other related cyber activities. The involved companies agreed to pay civil penalties to settle the SEC's charges: Unisys will pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.
According to the SEC’s orders, each company learned that the threat actor behind the SolarWinds Orion compromise had gained unauthorized access to its systems (Unisys, Avaya, and Check Point in 2020, Mimecast in 2021) but negligently minimized the incident in its public disclosures. Unisys continued to describe its cybersecurity risks as hypothetical even after two SolarWinds-related intrusions that resulted in the exfiltration of large amounts of data. Avaya stated that the threat actor had accessed only a limited number of email messages, when it knew the actor had also accessed at least 145 files in its cloud file-sharing environment. Check Point knew of the intrusion but described its cyber risks only in generic terms. Mimecast disclosed the incident but omitted the nature of the source code that was exfiltrated and the quantity of encrypted credentials the actor had accessed.
The SEC emphasized that downplaying or misrepresenting the extent of a material cybersecurity incident is a serious violation. Jorge G. Tenreiro, Acting Chief of the SEC’s Crypto Assets and Cyber Unit, said that describing cybersecurity risks as hypothetical when the company knows they have already materialized is a misleading half-truth that the federal securities laws prohibit, with no exception for risk-factor disclosures. Each of the four companies agreed to a cease-and-desist order and to pay the penalty listed above. The SEC noted that the companies cooperated with the investigation, including by voluntarily providing analyses and presentations, and that they took steps to strengthen their cybersecurity controls. These actions follow the SEC’s earlier charges against SolarWinds and its CISO for overstating the company’s cybersecurity practices and failing to disclose known risks.