On October 22, 2024, the Securities and Exchange Commission charged four companies with making materially misleading disclosures about their cybersecurity risks. Each of the companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—agreed to pay hefty monetary penalties to settle the SEC’s charges.
The fines follow a lengthy investigation by the SEC into public companies affected by the 2020 SolarWinds breach, one of the most widespread cyberattacks to date. The attack, widely believed to have been carried out by Russian government hackers, compromised thousands of SolarWinds customers. The hackers gained access to several government agencies and major tech companies, including Unisys, Avaya, Check Point, and Mimecast. While all four companies were victimized by the SolarWinds breach, the SEC asserted that each company committed different violations that “negligently” downplayed the impact of the breach to their investors.
As noted in our prior publication, in December 2023, the SEC implemented a new cybersecurity disclosure rule that requires public companies to disclose in a Form 8-K filing details about material cybersecurity incidents, such as the nature, scope, and timing of the incident as well as any impact to the company’s financial condition. Relatedly, the SEC also rolled out requirements that companies include in their Annual Reports on Form 10-K information about their procedures for assessing, identifying, and managing risks of cybersecurity threats.
The SEC stated that Unisys, Avaya, and Check Point all learned in 2020 and Mimecast discovered in 2021 that their systems had been compromised in connection with the SolarWinds breach. The SEC’s order against Unisys alleges that despite knowing its data had been accessed, Unisys described its risks as merely “hypothetical.” Similarly, Check Point acknowledged the cyber intrusion but allegedly described its impact in “generic terms.” The SEC also noted that Avaya significantly understated the extent to which its information had been compromised—telling its investors that the hackers stole only a “limited number” of company emails despite an internal probe revealing that at least 145 files had been taken. Finally, the SEC found that Mimecast minimized the attack by failing to disclose the type of code and the number of log-in credentials that the hackers obtained. As a result of the SEC’s order, Unisys must pay a $4 million civil penalty, Avaya must pay a $1 million civil penalty, Check Point must pay a $995,000 civil penalty, and Mimecast must pay a $990,000 civil penalty.
The SEC’s decision to levy these penalties underscores its commitment to aggressively enforce its cybersecurity disclosure requirements. And in the wake of this latest order, the Acting Director of the SEC’s Enforcement Division, Sanjay Wadhwa, emphasized the obligation of public companies to “not further victimize their shareholders or other members of the investing public by providing misleading disclosures about cybersecurity incidents they have encountered.” To that end, companies should remain vigilant and maintain robust internal processes to identify, address, and disclose any material risks from cybersecurity threats.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
ADVERTISING MATERIAL.
© 2024 Keating Muething & Klekamp PLL. All Rights Reserved
- Partner
Mark Reuter advocates for business clients in transactions, proceedings and conflicts regulated by federal and state securities laws and stock exchange rules. A partner in the firm’s Business Representation & Transactions ...
- Partner
As a partner in the firm’s Business Representation & Transactions Group, Allie Westfall’s insight and proven analytical skills help translate the complexities of the often-challenging securities laws. Allie’s counsel ...
- Associate
Olivia King practices in the firm’s Business Representation & Transactions Group, where she assists private and publicly held companies with a wide variety of corporate transactions.
Olivia earned her law degree from the ...