October 23, 2024
Enforcement: SEC Targets Cyber Disclosures
Yesterday, the SEC announced charges against four current and former public companies for allegedly making materially misleading disclosures regarding cybersecurity risks and intrusions — all arising from the SEC’s investigation of public companies that were potentially impacted by the compromise of SolarWinds’ Orion software. The companies agreed to pay civil penalties ranging from $990,000 to $4 million. One company was also charged with disclosure controls and procedures violations. Here’s more from the announcement:
According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures. The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls.
The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.
Quotes from the SEC staff emphasized the importance of not downplaying the extent of a cybersecurity breach and stressed that corporate victims of cyberattacks must not “further victimize their shareholders or other members of the investing public by providing misleading disclosures.”
The enforcement announcements are clearly still rolling in — in the new fiscal year! — so you won’t want to miss our upcoming webcast “SEC Enforcement: Priorities and Trends” at 2 pm ET on Wednesday, November 13, featuring Hunton’s Scott Kimpel, Locke Lord’s Allison O’Neil and Quinn Emanuel’s Kurt Wolfe. They’ll discuss the following topics, among others:
– SEC Enforcement Activities in 2024 and Priorities for 2025
– Implications of Jarkesy for SEC’s Enforcement Program
– Monetary and Non-Monetary Penalties
– Accounting and Disclosure Actions
– Actions Targeting “Internal Controls”
– Self-Reporting and Cooperation Credit
– Coordination with DOJ Investigations
– Meredith Ervine