The Register: Tech firms to pay millions in SEC penalties for misleading SolarWinds disclosures

Source URL: https://www.theregister.com/2024/10/22/sec_fines_four_tech_firms/
Source: The Register

Feedly Summary: Unisys, Avaya, Check Point, and Mimecast settled with the agency without admitting or denying wrongdoing
Four high-profile tech companies reached an agreement with the Securities and Exchange Commission to pay millions of dollars in penalties for misleading investors about their exposure to the 2020 SolarWinds hack.…

**Summary:** Four tech companies (Avaya, Check Point, Mimecast, and Unisys) have settled with the SEC over misleading disclosures related to the 2020 SolarWinds cyberattack, with penalties totaling millions of dollars. The incident highlights critical compliance and communication lessons in cybersecurity for organizations, chiefly the importance of transparent reporting on cybersecurity incidents.

**Detailed Description:**

– **Background on the Incident:**
  – Tech firms Avaya, Check Point, Mimecast, and Unisys agreed to pay penalties for underreporting and misrepresenting their exposure to the SolarWinds hack that took place in 2020.
  – The SEC found that these firms made materially misleading disclosures regarding cybersecurity risks, which led to significant fines.

– **Penalties Imposed:**
  – Avaya: $1 million
  – Check Point: $995,000
  – Mimecast: $990,000
  – Unisys: $4 million (also cited for disclosure control and procedures violations)

– **Key Findings from the SEC:**
  – Companies had knowledge of cybersecurity incidents but provided overly optimistic or superficial public disclosures.
  – Avaya disclosed only a few stolen emails, while data from 145 files was accessed.
  – Mimecast failed to adequately disclose the nature and scope of the stolen code and credentials.
  – Check Point communicated details only in vague terms, despite knowing about the intrusion.
  – Unisys portrayed its cybersecurity risks as hypothetical despite significant data exfiltration incidents.

– **Company Reactions:**
  – Avaya expressed satisfaction with the settlement and emphasized ongoing improvements in cybersecurity practices.
  – Check Point asserted it found no evidence of compromised customer data but acknowledged that settling was in its best interest.
  – Unisys hinted that its decision to settle protected its interests and those of its shareholders.
  – Mimecast, despite no longer being a publicly traded entity, indicated cooperation with the SEC and sought to enhance overall resilience.

– **Practical Implications:**
  – The case emphasizes the importance of transparent and accurate reporting of cybersecurity incidents to maintain investor confidence.
  – Companies must prioritize rigorous internal processes for identifying and disclosing incidents to avoid regulatory repercussions.
  – It serves as a warning to publicly held companies regarding the long-term consequences of underreporting cybersecurity events and the potential for regulatory scrutiny.

– **Key Takeaway:**
  – Organizations should reinforce their cybersecurity disclosure policies and strengthen their incident management practices to comply with legal and ethical standards and protect their reputations in the marketplace. This case illustrates the potential fallout from misleading disclosures, reinforcing the need for a proactive and transparent approach to cybersecurity governance and compliance.