On October 22, 2024, the Securities and Exchange Commission (“SEC”) announced that four technology companies—Unisys Corporation, Avaya Holdings Corporation, Check Point Software Technologies Ltd., and Mimecast Ltd.—had settled charges regarding alleged materially misleading disclosures related to cybersecurity incidents stemming from the 2019-2020 SolarWinds cyberattack. While neither admitting nor denying the SEC’s findings, the companies agreed to pay nearly $7 million in civil penalties for failing to disclose the full scope of the breaches and their associated risks to investors.
The SEC’s investigation focused on the companies' disclosures following the breach, finding that each of the four companies downplayed the severity of the attack and failed to disclose material information regarding the nature and impact of the cyber incidents on their operations.
SEC Findings
- Unisys Corporation ($4 million civil penalty): The SEC's order against Unisys reveals that the company disclosed its cybersecurity incidents as mere hypotheticals, even though it was already aware of two breaches that had led to the exfiltration of at least 34 cloud-based accounts and 33 gigabytes of data. The SEC referenced an excerpt from Unisys’ Form 10-K disclosure wherein Unisys stated that cyberattacks “could” result in loss “if” their systems were accessed without authorization, while making no mention of the known breaches. In its findings, the SEC also noted that Unisys lacked sufficient disclosure controls, evidenced by the employees’ failure to properly escalate the breach to senior management.
- Avaya Holdings Corporation ($1 million civil penalty): The order against Avaya found the company downplayed a breach in its 2021 Form 10-Q. In it, the company stated only that “a limited number” of emails were accessed in a breach when, in fact, the threat actor had accessed 145 of Avaya’s shared files as well as a mailbox for one of Avaya’s cybersecurity incident response employees. Further, the SEC noted Avaya did not make any later public statement or disclosure correcting its misstatements and omissions. Ultimately, the SEC found Avaya's reporting, “minimized the compromise and omitted material facts known to [its] personnel regarding the scope and potential impact of the incident.”
- Check Point Software Technologies Ltd. ($995,000 civil penalty): The SEC found the cybersecurity language in Check Point’s 2020 and 2021 Form 20-F was too “generic” when the language remained “virtually unchanged” from prior years, despite the company’s knowledge that it experienced a prolonged cybersecurity compromise where at least two of its corporate accounts had been hacked. The SEC found its rinse-and-repeat disclosure language did not reflect the material risks that arose from the attack.
- Mimecast Ltd. ($990,000 civil penalty): The SEC’s order against Mimecast found that its 2021 Form 8-K filings misrepresented the scope and severity of a breach when the form disclosed some aspects of it, but failed to include several pertinent details, including both the nature and quantity of the company’s compromised source code, and that the breach affected a large quantity of its customers’ encrypted credentials.
Key Takeaways for Public Companies
These settlement actions reflect the SEC's growing emphasis on cybersecurity disclosures and its commitment to ensuring that public companies provide accurate information to investors. Since 2018, the SEC has regularly taken enforcement action against companies that it viewed as having failed to reasonably safeguard customer information or disclose intrusions. However, the SEC’s cybersecurity-related requirements continue to evolve. The most recent rule updates were effective in December 2023, when the SEC began requiring companies to disclose material cybersecurity incidents within four business days and to report annually on their cybersecurity governance and risk management. Moving forward, public companies should carefully evaluate their cybersecurity practices and ensure that their disclosure procedures are capable of handling the challenges posed by increasing cyber threats.
On the Horizon
As enforcement actions and the political landscape continue to evolve, it’s important to note that there is ongoing debate within the SEC itself. Notably, the SEC’s orders were accompanied by a strong dissent from Republican commissioners Hester Peirce and Mark Uyeda, arguing that the SEC’s orders were overly expansive and focused on immaterial details. They urge the SEC to treat companies affected by cyberattacks as victims of a crime, rather than penalizing them for minor disclosure lapses. With the election now behind us, there may be a shift in the SEC’s enforcement approach toward taking a narrower view of materiality and affording companies with greater leniency than in recent actions.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
