SEC Fines Four Companies $7M for Violating Cyber Disclosure Rules

On October 22, 2024, the Securities and Exchange Commission charged four companies with making materially misleading disclosures about their cybersecurity risks. Each of the companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—agreed to pay hefty monetary penalties to settle the SEC’s charges.

The fines follow a lengthy investigation by the SEC into public companies affected by the 2020 SolarWinds breach, one of the most widespread cyberattacks to date. The attack, largely believed to have been carried out by Russian government hackers, compromised thousands of SolarWinds customers. The hackers gained access to several government agencies and major tech companies, including Unisys, Avaya, Check Point, and Mimecast. While all four companies were victimized by the SolarWinds breach, the SEC asserted that each company committed different violations that “negligently” downplayed the impact of the breach to their investors.

As noted in our prior publication, in December 2023, the SEC implemented a new cybersecurity disclosure rule that requires public companies to disclose in a Form 8-K filing details about material cybersecurity incidents, such as the nature, scope, and timing of the incident as well as any impact to the company’s financial condition. Relatedly, the SEC also rolled out requirements that companies include in their Annual Reports on Form 10-K information about their procedures for assessing, identifying, and managing risks of cybersecurity threats.

The SEC stated that Unisys, Avaya, and Check Point all learned in 2020 and Mimecast discovered in 2021 that their systems had been compromised in connection with the SolarWinds breach. The SEC’s order against Unisys alleges that despite knowing its data had been accessed, Unisys described its risks as merely “hypothetical.” Similarly, Check Point acknowledged the cyber intrusion but allegedly described its impact in “generic terms.” The SEC also noted that Avaya significantly understated the extent to which its information had been compromised—telling its investors that the hackers stole only a “limited number” of company emails despite an internal probe revealing that at least 145 files had been taken. Finally, the SEC found that Mimecast minimized the attack by failing to disclose the type of code and the number of log-in credentials that the hackers obtained. As a result of the SEC’s order, Unisys must pay a $4 million civil penalty, Avaya must pay a $1 million civil penalty, Check Point must pay a $995,000 civil penalty, and Mimecast must pay a $990,000 civil penalty.

The SEC’s decision to levy these penalties underscores its commitment to aggressively enforce its cybersecurity disclosure requirements. And in the wake of this latest order, the Acting Director of the SEC’s Enforcement Division, Sanjay Wadhwa, emphasized the obligation of public companies to “not further victimize their shareholders or other members of the investing public by providing misleading disclosures about cybersecurity incidents they have encountered.” To that end, companies should remain vigilant and maintain robust internal processes to identify, address, and disclose any material risks from cybersecurity threats.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.

ADVERTISING MATERIAL.

© 2024 Keating Muething & Klekamp PLL. All Rights Reserved
