Four Companies Face SEC Charges for False Disclosures About the SolarWinds Cyberattack


Four public corporations, both current and defunct, have been charged by the U.S. Securities and Exchange Commission (SEC) for making “materially misleading disclosures” about the massive cyberattack that resulted from the 2020 SolarWinds hack.

According to the SEC, Avaya, Check Point, Mimecast, and Unisys violated the Securities Act of 1933, the Securities Exchange Act of 1934, and associated regulations through their handling of the disclosure process following the SolarWinds Orion software supply chain incident and by downplaying the severity of the breach.

In order to resolve the charges, Avaya will pay a $1 million fine, Check Point will pay $995,000, Mimecast will pay $990,000, and Unisys will pay $4 million. Unisys has also been accused by the SEC of violating disclosure controls and procedures.

“While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.

“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

The SEC claims that despite learning that the Russian threat actors responsible for the SolarWinds Orion attack had gained unauthorized access to their systems, all four businesses decided to downplay the severity of the event in their public statements.

The independent federal agency claimed that Unisys opted to characterize the risks associated with the intrusion as “hypothetical,” even though it was aware that the cybersecurity incidents resulted in the exfiltration of over 33 GB of data twice.

According to the agency, Avaya also claimed that the threat actor had viewed a “limited number” of the company’s emails, but in fact, it knew that the attackers had accessed at least 145 files in its cloud environment.

The SEC criticized Check Point and Mimecast for their general portrayal of the breach’s risks, as well as for not disclosing the type of code the threat actor stole or the quantity of encrypted credentials they were able to access.

“In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized,” Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, said. “The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”



CIO News is a property of Mercadeo Multiventures Pvt Ltd.