Pierluigi Paganini October 23, 2024

The SEC fined Unisys, Avaya, Check Point, and Mimecast for misleading disclosures about the impact of the SolarWinds Orion hack.

The US Securities and Exchange Commission (SEC) charged four companies, Unisys, Avaya, Check Point, and Mimecast for misleading public disclosures related to the supply chain attack on SolarWinds.

The SEC fined the four companies for having downplayed the impact of the attack.

The SEC charged Unisys with additional violations and fined Unisys $4M, Avaya $1M, Check Point $995K, and Mimecast $990K in civil penalties to settle the charges.

The charges result from an investigation conducted by the US government into public companies potentially impacted by the supply chain attack on SolarWinds’ Orion software.

“According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” reads the press release published by SEC. “The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. “

Unisys hid two security breaches, Avaya downplayed file access, CheckPoint used vague language while describing the impact of the incident, and Mimecast minimized the nature of stolen data.

The four companies agreed to stop future violations, pay penalties, and improve cybersecurity controls without admitting guilt. SEC confirmed that the organizations provided their support to the investigation.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.  The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SEC)