Thu. Oct 24th, 2024

Four tech companies settle with SEC over SolarWinds disclosures • The Register
Four high-profile tech companies have reached an agreement with the Securities and Exchange Commission to pay millions of dollars in fines for misleading investors about their exposure to the 2020 SolarWinds hack.

Communications technology company Avaya, Israeli cybersecurity vendor Check Point and email security company Mimecast have agreed to pay more than $1 million, $995,000 and $990,000, respectively, for “making materially misleading disclosures about cybersecurity risks and intrusions,” the SEC said today.

A fourth company, IT services provider Unisys, was also charged and settled with the SEC; Unisys was additionally accused of disclosure controls and procedures violations, bringing its fine to $4 million.

“It is incumbent on (companies) not to further victimize their shareholders or other members of the investing public by making misleading disclosures about the cybersecurity incidents they have experienced,” said Sanjay Wadhwa, acting director of SEC Enforcement.

With the exception of Mimecast, which did not realize it was involved in the incident until 2021, the companies knew in 2020, the same year as the attack, that the Russian threat actor who had sneaked a backdoor into SolarWinds’ Orion network monitoring software had managed to compromise their networks. Despite this knowledge, “each negligently minimized its cybersecurity incident in its public disclosures,” the SEC said.

Avaya reportedly (none of the companies admitted or denied the allegations in their settlements) told shareholders that the compromise only resulted in a few emails being stolen, even though it knew that “at least 145 files in the cloud environment for file sharing” had also been accessed, while Mimecast apparently failed to disclose the nature of the stolen code or the number of encrypted credentials stolen from the company.

Check Point probably knew what had happened, but described the matter only “in general terms.” Meanwhile, Unisys “described the risks of cybersecurity events as hypothetical, despite knowing that it had experienced two SolarWinds-related intrusions that exfiltrated gigabytes of data,” the SEC alleged.

The companies respond

“We are pleased that we have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency has acknowledged Avaya’s voluntary cooperation and that we have taken certain steps to strengthen the company’s cybersecurity controls,” an Avaya spokesperson told The Register, striking a conciliatory tone. “Avaya continues to focus on strengthening its cybersecurity program, both in the design and delivery of our products and services to our valued customers, and in our internal operations.”

Check Point was not so willing to admit that it needed to do better.

“As stated in the SEC’s decision, Check Point investigated the SolarWinds incident and found no evidence that customer data, code or other sensitive information was accessed,” the security firm told us. “Nevertheless, Check Point has determined that cooperating and resolving the dispute with the SEC is in its best interest and allows the company to continue to focus on helping its customers defend against cyber attacks around the world.”

While the SEC order (PDF) on Check Point (orders for the other three companies are also available from the SEC) does not indicate that customer data was stolen, it does state that two of the company’s servers were compromised, leading to access to two company accounts, “unauthorized activity on affected computers and their networks,” a notification from a third-party vendor about access to the Check Point environment, and other signs of compromise.

The SEC said Check Point filed reports that were “substantially unchanged from the same disclosures in Check Point’s prior public filings” despite its knowledge of the SolarWinds compromise; hence the fine, which has nothing to do with the theft of consumer information.

Unisys pointed us to a new SEC filing it made today stating that it has decided to pay the fine in the best interests of the company and its shareholders, but declined to make any additional statement.

Mimecast told us that while it is no longer a publicly traded company and does not believe it did anything wrong, it fully cooperated with the SEC and “took the opportunity to increase our resilience,” according to a spokesperson.

The SEC declined to comment beyond its press release.

In the meantime, let this be a reminder to any publicly traded company considering underreporting a cybersecurity incident: Someone may come and check your report, even years later, so don’t leave anything out. ®

By Sheisoe