Concise unpacking of topics that matter to legal leaders.

SEC settles charges with 4 firms it says downplayed SolarWinds hack exposure

SEC Charges Four Companies for Misleading Disclosures on SolarWinds Hack Exposure

The Securities and Exchange Commission (SEC) has settled charges with four companies (Unisys, Avaya Holdings, Check Point Software Technologies, and Mimecast) for allegedly downplaying the impact of the 2020 SolarWinds hack on their systems. The SEC claims that these companies made misleading disclosures about the extent of their cyber risks and the actual impact of the incidents.

Unisys faced additional charges for violations of disclosure controls and procedures. The company allegedly described its cyber risk as hypothetical, despite executives knowing that the threat actor had exfiltrated gigabytes of data. Unisys agreed to pay a $4 million civil penalty.

Avaya was assessed a $1 million civil penalty for understating the extent of the hackers' access to its systems. Check Point Software agreed to pay $995,000 for describing the intrusions in generic terms, while Mimecast will pay $990,000 for failing to disclose the nature and quantity of stolen data.

The SEC emphasized the importance of providing accurate disclosures about cybersecurity incidents to protect shareholders and investors. This action follows previous charges filed by the SEC against SolarWinds and its CISO in 2023 related to the same supply chain attack.

Report by Cybersecurity Dive
