On October 22, 2024, the Securities and Exchange Commission (“SEC”) charged four public companies with making materially misleading disclosures about cybersecurity risks and intrusions. The four companies charged by the SEC are Unisys Corporation (“Unisys”), Avaya Holdings Corporation (“Avaya”), Check Point Software Technologies Ltd (“Check Point”) and Mimecast Limited (“Mimecast”). In addition to the charges related to misleading disclosures, the SEC also charged Unisys with disclosure controls and procedures violations.
The charges against the four companies stem from the SEC’s investigation into public companies potentially impacted by the SUNBURST security issue involving SolarWinds Corporation (“SolarWinds”). In 2023, the SEC filed a complaint against SolarWinds and its Chief Information Security Officer (“CISO”) alleging that they made materially misleading statements about the company’s cybersecurity practices and the SUNBURST issue. In July 2024, a U.S. District Judge dismissed most of the SEC’s claims against SolarWinds and the company’s CISO, allowing the agency to move forward with only a subset of its initial charges.
According to the SEC, the four companies learned in 2020 and 2021 that the threat actor thought to be behind the SUNBURST issue had gained access to their systems. The SEC’s charges claim that, despite the four companies’ awareness of the issue, each of them negligently minimized the incident in its public disclosures. Specifically, the SEC found that:
- Unisys described its cybersecurity event-related risks as hypothetical, despite the company’s awareness that a threat actor had accessed its systems and exfiltrated gigabytes of data. The order also finds that the materially misleading disclosures made by Unisys resulted at least in part from the company’s inadequate disclosure controls. Unisys agreed to pay the SEC a $4 million civil penalty.
- Avaya stated that the threat actor was able to access a “limited number” of email messages from the company’s systems, although Avaya knew that the threat actor had also accessed at least 145 files in the company’s cloud file sharing environment. Avaya agreed to pay the SEC a $1 million civil penalty.
- Check Point described cyber risks resulting from the threat actor’s intrusion in generic terms. Check Point agreed to pay the SEC a $995,000 civil penalty.
- Mimecast failed to disclose the nature of the code exfiltrated, as well as the quantity of the encrypted credentials accessed by the threat actor. Mimecast agreed to pay the SEC a $990,000 civil penalty.
The SEC’s orders are based on alleged violations of the Securities Act of 1933 and the Securities Exchange Act of 1934, as well as certain related rules. In addition to agreeing to pay the SEC’s penalties, each company agreed to cease and desist from future violations of the charged provisions. The SEC noted that each company cooperated with the agency’s investigation.