The US Securities and Exchange Commission is cracking down on four companies for failing to disclose the full scope of how the SolarWinds hack impacted their businesses.
The four companies—IT security providers Check Point and Mimecast, IT solutions provider Unisys, and cloud collaboration software maker Avaya—have agreed to pay fines for allegedly downplaying the breach in public filings.
The 2020 SolarWinds hack involved suspected Russian hackers breaking into numerous US government agencies and private companies by tampering with software updates from SolarWinds, a Texas-based IT company that served thousands of enterprise customers.
The four companies learned they had been ensnared in the SolarWinds hack in 2020 and 2021. “But each negligently minimized” the incident in public disclosures, the SEC alleges.
In Unisys’s case, the SEC says the company described cybersecurity risks as hypothetical “despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data.” Meanwhile, Avaya told investors the hackers had accessed only a limited number of company email messages when, in reality, the company knew they had also accessed at least 145 files in its cloud file-sharing environment. Unisys must now pay a $4 million civil penalty, while Avaya has agreed to pay $1 million.
As for Check Point, it “knew of the intrusion but described cyber intrusions and risks from them in generic terms,” the SEC says. Mimecast allegedly minimized the breach by failing to disclose what kind of computer code the hackers had stolen from the company and the quantity of encrypted credentials they had accessed. Check Point will pay a $995,000 penalty and Mimecast $990,000.
“In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized,” says SEC Acting Chief of the Crypto Assets and Cyber Unit Jorge Tenreiro. “The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
Under disclosure rules that took effect in December 2023, after these intrusions occurred, the SEC requires listed companies to publicly report a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The charges here instead concern the companies’ risk-factor disclosures, which the SEC says were misleading under long-standing securities law. The increased scrutiny might motivate the private sector to treat IT security more seriously as ransomware attacks and other hacking incidents become all too common.
The four companies didn’t immediately respond to a request for comment. However, according to the SEC, each “agreed to cease and desist from future violations of the charged provisions and to pay the penalties.”