The US Securities and Exchange Commission (SEC) has charged four companies after they misled investors by downplaying the severity of the 2020 SolarWinds cyberattack.
The SolarWinds Orion hack was a supply chain attack that affected public and private organizations using the SolarWinds Orion network management system.
More than 30,000 organizations, including government agencies at the local, state, and federal levels, use Orion software to manage their IT systems.
Threat actors gained access by inserting malicious code into a legitimate Orion update. When the update was deployed, customers who installed it also activated the malware, giving threat actors backdoor access.
The incident quickly evolved into a rapidly spreading supply chain attack, in which the threat actors gained access to Orion’s customer networks and, from there, pivoted to those customers’ own partners and customers, and so on down the chain.
The threat actors were suspected nation-state hackers, whom Microsoft identified as the Russian Nobelium hackers. The attack is widely considered one of the largest cyberattacks of all time.
Now, the SEC has said that Avaya Holdings, Check Point Software, Mimecast and Unisys Corp allegedly downplayed the impact the SolarWinds Orion cyberattack had on their systems.
“The Securities and Exchange Commission today charged four current and former public companies (Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited) with making materially misleading disclosures about cybersecurity risks and intrusions,” the SEC said in a press release.
According to the SEC, Avaya Holdings claimed at the time of the incident that the threat actor accessed a “limited number of [the] company emails” despite knowing that the threat actor had also accessed 145 files stored in their shared cloud environment.
Similarly, Check Point Software described the breach in “generic terms,” according to the SEC, despite having knowledge of it.
Mimecast has been accused of failing to disclose the nature of the code stolen by the hackers and how many encrypted credentials the threat actors accessed.
Finally, despite knowing about the data breach and that gigabytes of data had been exfiltrated, Unisys described the risks of the cybersecurity events as “hypothetical,” according to the SEC, which added that downplaying the incident was partly a product of Unisys’ “poor disclosure controls.”
“Downplaying the scope of a major cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, acting head of the SEC’s cyber and crypto assets unit.
“In two of these cases, the relevant cybersecurity risk factors were formulated in a hypothetical or generic way when the companies knew that the warned risks had already materialized. Federal securities laws prohibit half-truths and there is no exception for statements in risk factor disclosures.”
The SEC found that the four companies violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and various other rules.
Unisys will pay the largest fine of the four organizations, as it was assessed a $4 million civil penalty.
Avaya was fined $1 million, Check Point $995,000, and Mimecast $990,000.
While none of the companies confirmed or denied the SEC’s findings, all agreed to pay the penalties and cease and desist from violating the charged provisions in the future. They also cooperated with the SEC throughout its investigation.
“As today’s enforcement actions reflect, while public companies can become targets of cyber attacks, it is incumbent upon them not to further victimize their shareholders or other members of the investing public by providing misleading disclosures about cybersecurity incidents they have found,” said Sanjay Wadhwa, acting director of the SEC’s enforcement division.
“In this case, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true extent of the incidents.”