4 tech companies settle with SEC over SolarWinds disclosures • The Register

Four prominent technology companies have reached an agreement with the Securities and Exchange Commission to pay millions of dollars in penalties for misleading investors about their exposure to the 2020 SolarWinds hack.

Communications technology company Avaya, Israeli cybersecurity boutique Check Point and email security company Mimecast have agreed to pay more than $1 million, $995,000 and $990,000, respectively, for “making materially misleading disclosures regarding cybersecurity risks and intrusions,” the SEC said today.

A fourth company, computer services company Unisys, was also charged and settled with the SEC; Unisys also faced charges of violating disclosure controls and procedures, bringing the penalty to $4 million.

“It is incumbent on (companies) not to further victimize their shareholders or other members of the investing public by providing misleading information about cybersecurity incidents they have faced,” said Sanjay Wadhwa, acting director of enforcement at the SEC.

With the exception of Mimecast, which did not realize it had been involved in the incident until 2021, the companies knew that the Russian threat actor who slipped a backdoor into SolarWinds’ Orion network monitoring software had successfully compromised their networks in 2020, the same year as the attack. Despite this knowledge, “each negligently downplayed their cybersecurity incident in their public disclosures,” the SEC said.

Avaya reportedly (none of the companies admitted or denied the allegations in their settlements) told shareholders that the compromise only led to the theft of a few emails, despite knowing that “at least 145 files in its cloud file sharing environment” had also been accessed, while Mimecast appears not to have disclosed the nature of the stolen code or the number of encrypted credentials stolen from the company.

Check Point knew what had happened, but only described the matter “in generic terms.” Meanwhile, Unisys “described its risks from cybersecurity events as hypothetical, even though it knew it had suffered two SolarWinds-related intrusions involving the exfiltration of gigabytes of data,” the SEC alleged.

Companies respond

“We are pleased to have resolved this disclosure matter with the SEC related to historical cybersecurity issues dating back to late 2020, and that the agency has recognized Avaya’s voluntary cooperation and that we have taken certain steps to improve the company’s cybersecurity controls,” an Avaya spokesperson told The Register, taking a conciliatory tone. “Avaya continues to focus on strengthening its cybersecurity program, both in the design and delivery of our products and services to our valued customers, as well as in our internal operations.”

Check Point wasn’t as willing to admit that it needed to do better.

“As mentioned in the SEC’s order, Check Point investigated the SolarWinds incident and found no evidence that customer data, code or other sensitive information was accessed,” the security company told us. “Nevertheless, Check Point decided that cooperating and resolving the dispute with the SEC was in its best interest and allowed the company to remain focused on helping its customers defend against cyberattacks around the world.”

Although the SEC order (PDF) on Check Point (orders for the other three companies are also available from the SEC) does not indicate that customer data was stolen, it states that two of Check Point’s servers were compromised, leading to access to two company accounts, “unauthorized activities on affected computers and their networks”, a notice from a third party about access within the Check Point environment, and other signs of compromise.

The SEC said Check Point filed reports that were “substantially unchanged from the same disclosures in Check Point’s prior public filings” despite its knowledge of the SolarWinds compromise, hence the fine, which had nothing to do with the theft of customer information.

Unisys directed us to a new SEC filing it made today, which indicates it decided to pay the fine in the best interests of the company and its shareholders, but declined to make any additional statement.

Mimecast told us that while it is no longer a publicly traded company and does not believe it did anything wrong, it nevertheless cooperated fully with the SEC and “used the opportunity to strengthen our resilience,” a spokesperson said.

The SEC declined to comment beyond its press release.

In the meantime, a reminder to any public company considering underreporting a cybersecurity incident: someone may come and verify your report, even years later, so don’t leave anything out. ®