The Securities and Exchange Commission has imposed fines on Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies, and Mimecast Limited for providing misleading information regarding the 2020 SolarWinds Orion software breach. This regulatory action highlights the importance of transparency in cybersecurity disclosures. The settlements address the failure of these companies to accurately report the extent of the data compromises linked to the SolarWinds incident.
Historical reports have shown varying degrees of disclosure accuracy among the affected companies. Contrary to earlier assurances, recent findings reveal that the extent of the breaches was significantly understated. This discrepancy has led to increased scrutiny from regulators to ensure that companies adhere to truthful reporting standards.
Did the Companies Understate the Breach Impact?
Yes, the SEC found that the companies minimized the severity of the breaches in their public statements.
How Were the Fine Amounts Determined?
The fines were based on the extent of the misleading disclosures, with Unisys fined $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.
What Steps Are Companies Taking Post-Settlement?
The companies have agreed to pay the fines without admitting wrongdoing and are implementing enhanced cybersecurity measures.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,”
Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, emphasized the importance of accurate disclosures to protect investors.
“Mimecast believes it complied with disclosure and regulatory obligations and made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected,”
Mimecast spokesperson Tarrah Ledoux said of the company’s efforts after the breach.
“Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world,”
Check Point spokesperson Gil Messing explained the rationale behind the settlement decision.
The settlements underscore the SEC’s commitment to enforcing transparency in cybersecurity incidents. Companies are now more vigilant in accurately reporting breaches to avoid regulatory penalties and maintain investor trust. This development serves as a reminder of the critical role that truthful disclosures play in the integrity of financial markets.