SEC Fines Four Companies $7 Million for Misleading Disclosures in SolarWinds Hack

• The Securities and Exchange Commission announced fines for misleading disclosures on the SolarWinds hack.
• The sanctions target four companies that were all victims of the cyberattack.
• Check Point, Mimecast, Unisys, and Avaya will have to pay fines totaling $7 million.

The Securities and Exchange Commission (SEC) announced fines totaling $7 million against four companies for misleading disclosures related to the 2019 SolarWinds cyberattack. The companies involved—Check Point, Mimecast, Unisys, and Avaya—were all victims of the hack that had widespread repercussions across both private and public sectors.

Acting Director of the SEC’s Division of Enforcement, Sanjay Wadhwa, emphasized that while cyberattacks are unavoidable risks for public companies, misleading disclosures only compound the harm by leaving investors uninformed about the true impact of such incidents.

Check Point was fined $995,000 as the SEC criticized its use of generic terms to describe cyber risks without acknowledging the incident's specific impacts. Mimecast faces a $990,000 penalty for failing to disclose the extent of the breach, particularly the compromised code and stolen encrypted credentials.

Unisys was the most heavily fined at $4 million, as it described cybersecurity risks as hypothetical despite being compromised, and Avaya will pay $1 million for misrepresenting the extent of the breach, particularly the access to files in its cloud sharing environment.

This regulatory action highlights the imperative for companies to provide accurate, thorough disclosures about the nature and scope of cybersecurity incidents. The SEC's decision signals an increased regulatory focus on ensuring companies maintain transparency in their reporting obligations, reflecting the critical importance of trust and accuracy in investor communications.

While the involved companies have settled with the SEC without admitting or denying the findings, they have committed to enhancing their cybersecurity controls and maintaining compliance with disclosure obligations.

The SEC’s enforcement actions underscore the growing emphasis on corporate transparency regarding cybersecurity breaches and their implications. 

Recently, the SEC announced significant fraud charges against three companies and nine individuals accused of manipulating crypto markets, who allegedly collaborated with a few entities to create a false appearance of active trading.