Fines Given to SolarWinds Breach Victims for Inadequate Reporting


SEC Charges Four Companies for Minimizing SolarWinds Breach Impact

The Securities and Exchange Commission (SEC) has charged four companies with attempting to downplay the impact of the 2020 SolarWinds breach on their systems. Unisys received the largest civil penalty, $4 million, for its misleading disclosure practices and control violations. The SEC found that Unisys failed to accurately report the exfiltration of data during two SolarWinds-related intrusions.

Avaya Holdings Corp. agreed to pay $1 million for understating the extent of the breach, and Check Point was fined $995,000 for vague disclosures. Mimecast received the lightest penalty, $990,000, for failing to disclose the nature of the exfiltrated code and of the encrypted credentials that were accessed.

The SEC’s goal with these charges and fines is to deter companies from minimizing the impact of cybersecurity breaches through vague or misleading disclosures. Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, emphasized the importance of accurate and precise disclosures in such cases.

According to cybersecurity attorney Beth Burgin Waller, companies can no longer rely on generalizations or hypotheticals when reporting breaches. She highlights the need for closer collaboration between chief information security officers and legal teams to ensure that disclosures are technically precise and comply with regulatory requirements.

This enforcement action by the SEC serves as a warning to companies to be transparent and forthcoming in their reporting of cybersecurity incidents to avoid facing similar penalties in the future. It underscores the importance of maintaining strong cybersecurity controls and proactive risk management strategies in the face of evolving cyber threats.
