SEC Fines 4 Firms $7M Over Misleading SolarWinds Disclosures – Ankor Tech

The U.S. Securities and Exchange Commission (SEC) announced on Tuesday that it has fined four major companies a combined $7 million for providing misleading information regarding their involvement in the 2019 SolarWinds espionage campaign.

The Companies Involved and Penalties

The enforcement action targets both cybersecurity firms and technology providers that failed to accurately report the scope of the breaches they suffered. The breakdown of civil penalties is as follows:

  • Unisys: $4 million
  • Avaya: $1 million
  • Check Point: $995,000
  • Mimecast: $990,000

According to the SEC, these organizations negligently minimized the severity of the cyberattacks, effectively obscuring the truth from their shareholders and the investing public.

Failure to Disclose the Full Scope

The regulatory investigation revealed that each company employed different tactics to downplay the impact of the SolarWinds hack:

Avaya reported that hackers accessed a limited number of email accounts, failing to disclose that unauthorized parties had also accessed at least 145 files within its cloud environment.

Check Point was cited for describing the cyber intrusions and associated risks in vague, generic terms, despite having knowledge of the specific nature of the breach.

Mimecast failed to disclose the specific code compromised and the total volume of encrypted credentials stolen by the attackers, leading the SEC to conclude that the company minimized the incident.

Unisys characterized its cybersecurity risks as purely hypothetical, even though the company had been impacted by two distinct incidents related to the SolarWinds compromise.

Regulatory Stance and Company Responses

Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, emphasized that public companies have a duty to remain transparent during security crises. “The SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents,” Wadhwa stated.

While all four firms have agreed to pay the penalties and cease future violations, they have done so without admitting or denying the SEC’s findings. Representatives for the companies offered varying responses:

Avaya noted that the SEC recognized its voluntary cooperation and efforts to enhance cybersecurity controls. Check Point maintained that it found no evidence of sensitive customer data access but settled to avoid a prolonged dispute. Mimecast insisted it had complied with regulatory requirements at the time, while Unisys declined to comment beyond its official 8-K filing.

Increasing Scrutiny on Cyber Disclosures

This enforcement action marks a significant step in the SEC’s recent push to enforce stricter obligations on publicly traded companies. Regulators are increasingly demanding higher levels of transparency regarding how data breaches affect business operations, customers, and overall financial health.