This week, the Securities and Exchange Commission (SEC) charged four public companies for alleged deceptive cyber disclosures: Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited. The companies agreed to pay civil penalties to settle the SEC’s charges as follows:

• Unisys, $4 million
• Avaya, $1 million
• Check Point, $995,000
• Mimecast, $990,000

These penalties and settlements come after an SEC investigation into public companies that were potentially affected by the SolarWinds’ Orion software compromise. The SEC alleged that while the companies learned about the unauthorized access to their systems as a result of the

SolarWinds Orion attack, they each negligently minimized the effects of the cybersecurity incident in their public disclosures. Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said, “As [these] enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

The SEC’s orders found that each company violated some provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules.

A few key takeaways from these settlements:

• Cybersecurity is still an SEC enforcement priority;
• Disclosure and escalation procedures are vital;
• The SEC will be aggressive on its charges for negligence-based fraud charges related to cyber attacks; and
• Be prepared -have an incident response procedure and disclosure policy.