The Securities and Exchange Commission disclosed settlement agreements with four companies Tuesday on charges they made misleading disclosures in connection with the 2020 state-linked hack of SolarWinds.
Each of the companies — Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast — all learned the threat actor behind the SolarWinds hack had gained access to their systems, the SEC said.
The SEC alleges the four companies each downplayed the actual impact of their respective incidents through their public disclosures. Unisys was also charged with violations of disclosure controls and procedures.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s division of enforcement.
This is not the first time the SEC has charged companies for how they handled the state-linked supply chain attack, launched by a threat group called Nobelium, that impacted users of SolarWinds’ Orion platform. The SEC filed fraud charges in 2023 against SolarWinds and the company CISO Tim Brown, alleging it misled investors about the true nature of its cyber risk.
Most of the case was thrown out, however the core of the case was allowed to continue.
For the SEC, at issue is how the companies described their risk or exposure.
Unisys, in particular, described its cyber risk as hypothetical, even though company executives knew the threat actor had exfiltrated gigabytes of data, according to the SEC order. Unisys disclosed the settlement, which included a $4 million civil penalty, in a filing with the SEC and said it is neither an admission nor denial of guilt.
Avaya disclosed the hackers gained access to a limited number of emails, even though the hackers accessed 145 files in its cloud file-sharing environment, according to the SEC order.
Avaya, which was charged a $1 million civil penalty, said it was pleased to have resolved the matter, noting the SEC took into account its voluntary cooperation. It has taken steps to enhance its cyber controls, the company said via email.
Check Point Software described the intrusions in generic terms despite knowing their true nature, according to the order. Check Point Software, which previously disclosed the investigation, said a settlement was in the best interest of the company. It agreed to pay a $995,000 civil penalty.
The company reiterated that it investigated the SolarWinds incident and did not find any evidence customer data, code or other sensitive information was accessed, in an emailed statement.
Mimecast knew about the attack, but failed to disclose the nature of the code stolen by the hackers and the quantity of encrypted credentials that were stolen, according to the order. The company agreed to pay a $990,000 civil penalty.
Mimecast, which is no longer publicly traded, said when it learned of the incident in January 2021 it made extensive disclosures and engaged with customers and partners.
“We believed that we complied with our disclosure obligations based on the regulatory requirements at that time,” the company said in an emailed statement.