The SEC might not catch inadequate cybersecurity disclosures in the moment, but recent events show that it is actively pursuing the issue and will get to violations eventually. We are now almost five years out from the SolarWinds hack, but four companies will soon be paying substantial penalties for potentially misleading investors about the extent of the damage in the early days.
Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited will each pay settlement amounts ranging from about $1 million to $4 million for discrepancies or “overly broad language” in their SolarWinds hack cybersecurity disclosures. The SEC seems to be taking particular issue with general and vague descriptions of potential impact, such as framing a breach that had already happened as a hypothetical risk, but in some cases the companies also failed to disclose that data had been stolen.
Consequences from SolarWinds hack continue to roll in
The SolarWinds hack continues to cause problems for its victims on several fronts; as the SEC demonstrates with these settlements, it may also present continuing regulatory challenges for some organizations.
Since late 2023, the SEC has had new rules in place that require public companies to issue cybersecurity disclosures for incidents they determine to be material. For all but smaller reporting companies, the disclosure must be filed within four business days of that materiality determination (not of the incident itself, or of its discovery). The statements at issue in these settlements predate the new rules, so they were charged under the general anti-fraud and reporting provisions instead.
The SolarWinds hack was a software supply-chain compromise that unfolded over months: the attackers inserted a backdoor into legitimate builds of the company’s Orion platform, and about 18,000 Orion customers are thought to have installed the tainted updates. However, the Russian state-backed team behind the intrusion likely followed up with hands-on activity in only several hundred of these compromised environments. Those organizations saw substantial damages from the incident, averaging a loss of about 10% of their annual revenue.
SolarWinds itself has already seen a federal district court judge dismiss most of the SEC’s claims about its own cybersecurity disclosures. But that has not stopped the agency from continuing to investigate the statements that victims made to their shareholders, even though two of its commissioners objected to fining these companies as an outcome.
Public companies must consider investors when crafting cybersecurity disclosures
The largest penalty went to Unisys, which was also charged with additional violations. The company paid $4 million for concealing the fact that over 20 GB of files had been stolen and for framing the potential damages as hypothetical. The other three companies each drew penalties of $990,000 to $1 million. Check Point was also accused of using terms that were too hypothetical and general, Avaya did not disclose that some cloud storage files had been accessed by the hackers, and Mimecast did not disclose that encrypted credentials had been stolen or what kind of code the attackers had accessed.
Collectively, the companies were accused of violating provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 with their SolarWinds hack cybersecurity disclosures. The agency noted that all of the involved companies were cooperative throughout the process, volunteering materials and agreeing to make needed cybersecurity improvements.