SEC fines cybersecurity giants for downplaying effects of SolarWinds attack

News
By
published

Several companies downplayed the impact of the SolarWinds attack on their systems

Data breach
(Image credit: Shutterstock)

Four top security companies have been charged for downplaying the impact the SolarWinds Orion compromise had on their systems, an action which violated certain provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, among other related rules.

The US Securities and Exchange Commission charged and fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited for “making materially misleading disclosures regarding cybersecurity risks and intrusions.”

All companies have received civil penalties, with Unisys expected to pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.

Misleading disclosures

The 2020 attack on SolarWinds’ Orion infrastructure management software saw threat actors push updates to the Orion software that were loaded with malware, infecting other organizations downstream in the supply chain that used the Orion software.

The attack impacted thousands of businesses and several branches of the US government, including the US Department of Homeland Security, the US Treasury Department, and the US Department of Commerce.

Among the businesses impacted by the attack were the four charged by the SEC, which in its press release stated Unisys, “described its risks from cybersecurity events as hypothetical” despite the company having knowingly experienced two attacks as a result of the SolarWinds attack that resulted in large amounts of data being exfiltrated.

The charge against Avaya states the company attempted to downplay the impact of the SolarWinds attack, stating attackers had accessed a “limited number of [the] Company’s email messages.” In actuality, Avaya was already aware the threat actors had broken into the companies cloud file sharing system and gained access to at least 145 files.

Check Point and Mimecast were also found to have downplayed the impact of the attack on their systems.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said, “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.