Four US companies, Avaya, Unisys, Mimecast and Check Point Software Technologies Ltd were each charged by the SEC for downplaying the extent to which their data had been compromised in the massive 2020-2021 SolarWinds “Sunburst” hack.
In September 2019, Russian state-affiliated hackers launched an attack on Orion, a network management product developed by Texas-based IT management company SolarWinds.
After compromising Orion’s supply chain that year, the hackers were able to insert malicious code into the software that allowed them to extricate sensitive customer data over a two-year period.
Massive data breach
SolarWinds customers saw an average annual revenue loss of 11% resulting from the massive data breach. Those customers included a multitude of government agencies and major private companies, raising alarms about the increasing activity of state-sponsored hacking professionals and software supply chain vulnerability.
Subsequently SolarWinds became the target of an SEC lawsuit for allegedly misleading investors about the robustness of its cybersecurity protocols, which failed just one year after its IPO.
The SEC’s action was unusual because SolarWinds was the victim of state-sponsored crime. It was even more unusual because the agency individually sued the company’s chief information security officer, a role generally uninvolved in the production of financial statements.
According to that complaint, SolarWinds referred investors to potential risks but never addressed vulnerabilities and deficiencies in its software that were incongruous with its internal assessments.
Investors’ ire makes sense: the SolarWinds’s stock price now sits at half of what it was before the hack was disclosed.
But the company won a significant victory against the SEC in July. A New York federal court dismissed most of the agency’s fraud claims for being based on “hindsight and speculation” and characterized SolarWinds’s statements as “non-actionable corporate puffery.”
SEC charges for failures to report
Now, some of SolarWinds’s corporate customers that lost data to the breaches are also being accused by the SEC of failing to publicly disclose the enormity of the damage after the fact.
The companies will pay a total of almost $7m in civil penalties to settle the charges:
- Unisys: $4m;
- Avaya Holdings Corp: $1m;
- Check Point $995,000; and
- Mimecast: $990,000.
In essence, two of the companies – Avaya Holdings Corp. and Mimecast Limited – disclosed information about the cyberattack. But the SEC said that the disclosures omitted certain material information.
The other two companies – Check Point Software Technologies Ltd. and Unisys Corporation – did not update an existing risk factor in response to the cyberattack. The SEC said those risk factors became materially misleading without disclosure that the Orion software in the companies’ respective network had been compromised.
The severity of the individual penalties is commensurate with the degree to which the companies made materially misleading statements about the significance of the data breach in their reports to the SEC.
“[W]hile public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”
Sanjay Wadhwa, acting director, SEC Division of Enforcement
Unysis is facing the bulk of the fines for producing the least descriptive account of damage it incurred from the hack in its form 10-Ks in 2020 and 2021. The company described its risk as purely hypothetical, when it knew as a matter of fact that the hackers had absconded with 33 gigabytes of data.
The SEC also charged Unisys for lacking an effective protocol for disclosing cybersecurity breaches, which arose from reporting failures connected to a 2022 extortion attempt by a separate hacking group.
Array of omissions
Avaya, Check Point and Mimecast got off easier for more mild nondisclosures.
Avaya noted its February 2021 form 10-Q that there was “no current evidence of unauthorized access to our other internal systems” outside of a “limited number of… email messages,” when it had 145 shared files lost to the hackers.
Check Point neglected to report on its annual Forms 20-F (equivalent to forms 10-K) known evidence that hackers had installed malicious software on its corporate network, instead rehashing nonspecific language from its previous reports.
Mimecast disclosed the data breach in its form 8-Ks from January and March of 2021, but failed to note that the hackers had accessed “approximately ten percent of its customers and compromised five customers’ cloud platforms.”
Mimecast also did not accurately describe the type of source code lost to the hackers, the SEC stated.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” Said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.
For the inaccurate reporting, the companies each were charged with violating:
- Sections 17(a)(2) and 17(a)(3) of the Securities Act (recordkeeping requirements) and;
- Section 13(a) of the Exchange Act and Rules 12b-20 (requiring additional material information) and 13a-1 (mandating annual reports) thereunder.
Unysis was additionally charged with violating 13a-15(a) of the Exchange Act, which covers mandatory controls and procedures designed to ensure that information required to be disclosed in SEC reports.
Dissents
Commissioners Hester Peirce and Mark Uyeda dissented in the SEC’s determinations in these cases, arguing that a common theme across the four proceedings is the SEC “playing Monday morning quarterback.”
“Rather than focusing on whether the companies’ disclosure provided material information to investors, the Commission engages in a hindsight review to second-guess the disclosure and cites immaterial, undisclosed details to support its charges,” Peirce and Uyeda said.
Of course the SEC must protect investors by ensuring that companies disclose material incident, but insisting that immaterial information be disclosed doesn’t protect investors and actually does the opposite, they said.