
4 Companies Indicted by SEC for Misleading Investors After SolarWinds Breach

The US Securities and Exchange Commission (SEC) has charged four companies after they misled investors by downplaying the severity of the 2020 SolarWinds cyberattack.

The SolarWinds Orion hack (SolarWinds hack) was a supply chain attack that affected public and private organizations using the SolarWinds Orion network management system.

More than 30,000 organizations, including local, state and federal government agencies, use Orion software to manage their IT systems.

Threat actors gained access by inserting malicious code into a legitimate Orion update. When customers installed the update, they also activated the malware, giving the threat actors backdoor access to their systems.

The incident escalated into a rapidly spreading supply chain attack: threat actors used their access to Orion customers' networks to reach those customers' own partners and customers, and so on down the chain.

The threat actors were suspected nation-state hackers, whom Microsoft identified as the Russian Nobelium hackers. The attack is widely considered to be one of the largest cyberattacks of all time.

Now, the SEC has said that Avaya Holdings, Check Point Software, Mimecast and Unisys Corp allegedly downplayed the impact that the SolarWinds Orion cyberattack had on their systems.

“The Securities and Exchange Commission today charged four current and former public companies (Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited) with making materially misleading disclosures about cybersecurity risks and intrusions,” the SEC said in a press release.

According to the SEC, Avaya Holdings claimed at the time of the incident that the threat actor accessed a “limited number of (the) company’s email messages” despite knowing that the threat actor had also accessed 145 files stored in its cloud sharing environment.

Similarly, Check Point Software described the breach in “generic terms,” according to the SEC, despite being aware of the breach.

Mimecast has been charged with failing to disclose the nature of the code stolen by the hackers and how many encrypted credentials the threat actors accessed.

Finally, despite knowing about the data breach and that gigabytes of data had been exfiltrated, Unisys described the risks of cybersecurity events as “hypothetical,” according to the SEC, which added that the minimizing of the incident was partly a product of Unisys’s “poor disclosure controls.”

“Downplaying the scope of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, acting head of the SEC’s cryptoassets and cyber unit.

“In two of these cases, the relevant cyber security risk factors were framed hypothetically or generically when the companies knew that the warned risks had already materialized. Federal securities laws prohibit half-truths and there is no exception for statements in risk factor disclosures.”

The SEC found that the four companies violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934 and several other rules.

Unisys will pay the largest penalty of the four organizations, a $4 million civil penalty.

Avaya will pay $1 million, Check Point $995,000, and Mimecast $990,000.

While none of the companies confirmed or denied the SEC’s findings, all agreed to pay the penalties and stop violating the provisions charged in the future. They also cooperated with the SEC throughout its investigation.

“As today’s enforcement actions reflect, while public companies may become targets of cyber attacks, it is incumbent upon them not to further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s enforcement division.

“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true extent of the incidents.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding and experience writing in the technology space. After studying at Macquarie University, he joined Momentum Media in 2022, writing for a number of publications including Australian Aviation, Cyber Security Connect and Defense Connect. Outside of writing, Daniel has a keen interest in music and spends his time playing in bands around Sydney.