Introduction to the SEC’s Recent Cybersecurity Charges
The Securities and Exchange Commission (SEC) recently announced charges against four major corporations: Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited. These companies were accused of making materially misleading disclosures regarding cybersecurity risks and incidents. Additionally, Unisys faced charges related to inadequate disclosure controls and procedures. The SEC’s enforcement actions resulted in significant civil penalties for each of the companies involved.
Civil Penalties Imposed on Companies for Cybersecurity Misconduct
The SEC’s enforcement has led to substantial financial penalties for the accused companies. The breakdown of the fines is as follows:
– Unisys Corp.: $4 million civil penalty
– Avaya Holdings Corp.: $1 million civil penalty
– Check Point Software Technologies Ltd: $995,000 civil penalty
– Mimecast Limited: $990,000 civil penalty
The investigation centered on cybersecurity incidents, particularly those linked to the compromise of SolarWinds’ Orion software. The SEC emphasized the importance of transparency in disclosing cybersecurity risks to shareholders and the investing public.
SEC’s Stance on Cybersecurity Disclosures and Investor Protection
The SEC’s recent actions underscore the critical nature of transparent and accurate cybersecurity disclosures by public companies. According to Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, the enforcement aims to prevent companies from providing misleading information about the cybersecurity incidents they encounter. Wadhwa emphasized that when companies fail to accurately disclose the true scope of a cybersecurity incident, they leave investors uninformed and at risk.
Unisys Corp.: Misleading Cybersecurity Disclosures and Deficient Controls
Unisys Corp. was found to have misrepresented its cybersecurity risks in public disclosures. According to the SEC’s findings, Unisys described the risks as hypothetical, even though the company had already experienced two significant data breaches related to the SolarWinds Orion software. These breaches involved the unauthorized exfiltration of gigabytes of sensitive data. The SEC also determined that Unisys’ misleading disclosures resulted from inadequate disclosure controls, further contributing to the violations.
Avaya Holdings Corp.: Downplaying the Cybersecurity Breach
Avaya Holdings Corp. was charged for mischaracterizing the scope of the data breach it experienced. The SEC found that Avaya disclosed only a “limited” impact on the company’s email messages, despite knowing that the threat actor had accessed at least 145 files in its cloud file-sharing environment. The misleading description not only understated the breach but also failed to provide investors with the full extent of the cybersecurity risks that had already materialized.
Check Point Software Technologies Ltd: Generic Disclosures of Cybersecurity Risks
Check Point Software Technologies Ltd was also found to have made generic and incomplete disclosures about its cybersecurity risks. Although the company was aware of the unauthorized intrusion, it failed to offer specific details about the incident in its public communications. The SEC identified this behavior as negligent, as it did not fully inform shareholders of the real and ongoing cybersecurity threats.
Mimecast Limited: Failing to Disclose Specific Cybersecurity Risks
Mimecast Limited was found to have minimized the impact of the cybersecurity breach in its disclosures. The SEC found that Mimecast failed to reveal the nature of the exfiltrated code and the number of encrypted credentials accessed by the threat actor. By omitting these crucial details, Mimecast misled its investors regarding the actual scope of the cybersecurity risks it faced.
Importance of Transparent Cybersecurity Disclosures for Public Companies
The SEC’s enforcement action highlights the essential role of transparent disclosures in cybersecurity risk management. Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, noted that framing cybersecurity risk factors as hypothetical or generic is misleading, especially when the companies know that the risks they warn of have already occurred. The SEC emphasized that federal securities laws prohibit misleading statements, including half-truths in risk-factor disclosures.
SEC’s Findings: Violations of Federal Securities Laws
The SEC concluded that each of the companies violated specific provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules. The companies neither admitted nor denied the findings but agreed to cease and desist from further violations. Additionally, they cooperated with the investigation, offering analyses and taking steps to improve their cybersecurity controls.
Public Companies and the Obligation to Protect Investors
The charges against Unisys, Avaya, Check Point, and Mimecast serve as a reminder that public companies must prioritize accurate disclosures to maintain investor trust. As the SEC continues to enforce cybersecurity regulations, companies are urged to enhance their transparency and adopt robust disclosure controls to prevent similar penalties and reputational damage.
Sallah Astarita & Cox, LLC - Securities Litigation Attorneys - former SEC Staff Attorneys and Brokerage Firm Counsel representing issuers, advisors and investors nationwide in securities investigations, disputes, and arbitrations. Call 212-509-6544.