Earlier this week, the SEC announced that it had filed settled charges against four companies for alleged misleading disclosures concerning cybersecurity incidents at the companies. The charges against the companies arose out of the SEC’s investigation of companies potentially affected by the compromise of SolarWinds’ Orion software. One of the four companies was additionally charged with disclosure controls and procedures violations. Without admitting or denying the SEC’s charges, each company agreed to the entry of a cease-and-desist order against them. The companies agreed to pay civil penalties ranging from $4 million to $990,000. The SEC’s October 22, 2024, press release about the charges against the four companies can be found here.
According to the SEC’s order, during the period 2020-2021, each of the four companies – Unisys, Avaya, Check Point, and Mimecast – learned that the threat actor behind the SolarWinds hack had accessed their systems without authorization. The SEC alleges, each of the companies “negligently minimized its cybersecurity incident in its public disclosures.” In the cease-and-desist orders, the SEC charged that each of the companies violated applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and applicable rules thereunder.
With respect to Unisys, the SEC alleges that the company “described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions” involving exfiltration of date. The SEC’s cease-and-desist order against Unisys, a copy of which can be found here, alleges that the company’s materially misleading disclosures resulted in part from Unisys’ “deficient disclosure controls.” As part of its resolution of the charges, Unisys agreed to pay a $4 million civil penalty.
In its charges against Avaya, the SEC alleges that the company stated in its disclosures that the threat actor had accessed a limited number of the company’s email messages, when the SEC alleges, “Avaya knew that thread actor had also accessed at least 145 files in its cloud sharing environment.” Avaya agreed to pay a civil penalty of $1 million. The SEC’s cease-and-desist order against Avaya can be found here.
With respect to Check Point, the SEC charged that the company “knew of the intrusion but described cyber intrusions and risks from them in generic terms.” Check Point agreed to pay a civil penalty of $995,000. The SEC’s cease-and-desist order against Check Point can be found here.
Finally, with respect to Mimecast, the SEC charged that the company “minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.” Mimecast agreed to pay a civil penalty of $900,000. The SEC’s cease-and-desist order against Mimecast can be found here.
In its press release, the SEC included statements by agency officials seeking to explain why the agency brought charges against the four companies. One official is quoted as saying that, while companies may be targeted in cyberattacks, “it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.” The SEC’s charges these four companies of “provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
In a separate statement quoted in the press release, a second SEC official charged the four companies of “downplaying the extent of a material cybersecurity breach.” In two of the cases, the official said, “the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.”
Discussion
In bringing the charges against the four companies, the SEC was clearly intending to send a message to reporting companies about disclosing cybersecurity incidents. The message is that companies should not downplay or soft-pedal the incident and should disclose enough information to allow investors to be able to assess the seriousness and scope of the incident.
It is worth thinking about not just the message that the SEC intended to send; it is also worth thinking about the message that companies will receive from the charges against these four companies. And in that respect it is worth noting that the SEC’s charges were filed against the companies over a joint dissenting statement from Commissioner Hester Pierce and Mark Uyeda. As Meredith Ervine noted in her October 23, 2024, post on TheCorporateCounsel.net blog (here), the dissent is worth reading at length and in full, and would justify a blog post all on its own.
As Ervine noted in the post, the dissenting commissioners take the position that the SEC is regulating by enforcement action and cited immaterial undisclosed details to support the charges. The dissent asserts that the level of detail the SEC charges that the four companies omitted will motivate companies to fill their disclosures with “immaterial details about an incident, or worse, provide disclosures [about] immaterial incidents.”
Whether or not you agree with the dissent’s perspective, it is certainly a question worth asking – will the agency’s charges against these four companies lead to improved cybersecurity incident reporting, or just more cybersecurity reporting with a level of detail that is immaterial from investors’ perspective?
In any event, at least one message other reporting companies should take from these enforcement actions is that when reporting on a cybersecurity incident, it is important not to try to downplay or soft-pedal the incident. That is certainly a good rule of thumb for companies faced with having to disclose a cybersecurity incident.