The SEC said Tuesday that it had charged and settled with four companies for deceptive disclosure related to the 2019 SolarWinds data breach.
The four companies are the cybersecurity firms Check Point, which will pay a civil penalty of $995,000, and Mimecast, which will pay $990,000; and the tech companies Unisys, which will pay $4 million, and Avaya, which will pay $1 million.
All four companies were victims of the hack that hit SolarWinds, which also affected several other companies and government agencies using the software. According to the SEC, each company committed a different violation, but all "negligently" downplayed and minimized the damage of the breaches.
"While public companies may become victims of cyberattacks, it is incumbent upon them not to further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of the SEC's Division of Enforcement. "Here, the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents."
The SEC said that each company committed a different violation. Avaya stated that hackers accessed a "limited number" of company emails but did not mention that hackers also accessed "at least 145 files in its cloud file-sharing environment." Although aware of the breach, Check Point "described cyber intrusions and risks" in "generic terms." Mimecast "downplayed the attack by failing to disclose" what code the hackers stole and the quantity of encrypted company credentials they took. Even though it was the victim of two SolarWinds-related breaches, Unisys "described its risks from cybersecurity events as hypothetical."
The companies said in statements filed with the SEC that they all cooperated with the agency's investigation and agreed to pay the penalties and "to cease and desist from future violations of the charged provisions," but did not "admit or deny" the SEC's findings.
Avaya spokesperson Julianne Embry said in a statement, according to TechCrunch, that the SEC "recognized Avaya's voluntary cooperation and that we took certain steps to enhance the company's cybersecurity controls."
According to TechCrunch, Check Point spokesperson Gil Messing responded by saying, "Check Point investigated the SolarWinds incident and found no evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point deemed cooperating and settling the dispute with the SEC in its best interest."
Mimecast spokesperson Timothy Hamilton said of the SolarWinds hack, "we made full disclosures and engaged our customers and partners proactively and transparently even with those who were not affected."
"We believed we had fulfilled our disclosure obligations at the time, considering what was available then," said Hamilton.
Unisys spokesperson Jamie Baid declined to comment when asked by TechCrunch, pointing to the company's 8-K filing from Tuesday, filed in light of the resolution that settled the regulator's probe into the company.
In recent years, the SEC has introduced several new requirements for how publicly traded companies report data breaches and how those breaches directly affect the company, its customers and its users.