Cyber Security News

4 Companies Charged after SolarWinds Breach

The Securities and Exchange Commission (SEC) this week charged four companies with making 'materially misleading disclosures' regarding cybersecurity risks and intrusions.

The companies are Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited. The SEC alleges that each of the four downplayed the actual impact of its incident in its public disclosures. Unisys was also charged with violations of disclosure controls and procedures.

The companies agreed to pay the following civil penalties to settle the SEC’s charges:

  • Unisys will pay a $4 million civil penalty;
  • Avaya will pay a $1 million civil penalty;
  • Check Point will pay a $995,000 civil penalty; and
  • Mimecast will pay a $990,000 civil penalty.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

The official SEC press release also stated: "According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures." The SEC found that all four companies violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and several other rules.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”