4 Companies Charged by SEC for Misleading Investors After SolarWinds Breach

The U.S. Securities and Exchange Commission (SEC) has charged four companies with misleading investors by downplaying the severity of the 2020 SolarWinds cyberattack on their own systems.

The SolarWinds Orion hack, often simply called the SolarWinds hack, was a supply chain attack that affected public and private organizations using the SolarWinds Orion network management platform.

More than 30,000 organizations, including government agencies at the local, state and federal levels, use Orion software to manage their IT systems.

Malicious actors gained access by inserting malicious code into a legitimate Orion update. When the update was rolled out, customers who installed it also activated the malware, granting malicious actors backdoor access.

The incident quickly escalated into a fast-spreading supply chain attack: once inside Orion customers' networks, the malicious actors moved on to those customers' partners, their customers' customers, and beyond.

The threat actors were suspected nation-state hackers, which Microsoft identified as Russian Nobelium hackers. This attack is widely considered one of the largest cyberattacks of all time.

The SEC said Avaya Holdings, Check Point Software, Mimecast and Unisys Corp all allegedly downplayed the impact of the SolarWinds Orion cyberattack on their systems.

“The Securities and Exchange Commission today charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions,” the SEC said in a press release.

According to the SEC, Avaya Holdings claimed at the time of the incident that the threat actor had accessed a “limited number of [the] company’s email messages,” even though it knew the threat actor had also accessed at least 145 files stored in its cloud file sharing environment.

Similarly, Check Point Software described the breach only in “generic terms,” according to the SEC, despite being aware of the intrusion and the risks it posed.

Mimecast was accused of failing to disclose the nature of the code stolen by the hackers or how many encrypted credentials the malicious actors accessed.

Finally, although it was aware of the data breach and that gigabytes of data had been exfiltrated, Unisys characterized the risks of cybersecurity events as “hypothetical,” according to the SEC, which added that the downplaying of the incident was partly the product of Unisys’ “poor disclosure controls.”

“Downplaying the magnitude of a significant cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, acting head of the SEC’s Crypto Assets and Cybersecurity Unit.

“In two of these cases, the relevant cybersecurity risk factors were formulated in a hypothetical or generic way when the companies knew that the announced risks had already materialized. The federal securities laws prohibit half-truths, and there are no exceptions for statements contained in risk factor disclosures.”

The SEC found that the four companies violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934 and several related rules.

Unisys will pay the heaviest penalty of the four organizations, with a $4 million civil penalty.

Avaya was charged $1 million, Check Point $995,000, and Mimecast $990,000.

Although none of the companies confirmed or denied the SEC’s findings, they all agreed to pay the penalties and stop violating the provisions in question in the future. They also cooperated with the SEC throughout its investigation.

“As today’s enforcement actions demonstrate, while public companies may become targets of cyberattacks, they have a responsibility not to further victimize their shareholders or other members of the investing public by providing misleading information about cybersecurity incidents they encountered,” said Sanjay Wadhwa, acting director of the SEC’s enforcement division.

“Here, the SEC’s orders conclude that these companies provided misleading information about the incidents in question, leaving investors in the dark as to the true extent of the incidents.”
