SEC fines cybersecurity giants for downplaying effects of SolarWinds attack

Several companies downplayed the impact of the SolarWinds attack on their systems


Four major security companies have been charged with downplaying the impact the SolarWinds Orion compromise had on their systems, conduct the regulator says violated provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, among other related rules.

The US Securities and Exchange Commission charged and fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited for “making materially misleading disclosures regarding cybersecurity risks and intrusions.”

All companies have received civil penalties, with Unisys expected to pay $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.

Misleading disclosures

In the 2020 attack on SolarWinds' Orion infrastructure management software, threat actors inserted malware into legitimate Orion software updates, which were then distributed to and infected the downstream organizations in the supply chain that used Orion.

The attack impacted thousands of businesses and several branches of the US government, including the US Department of Homeland Security, the US Treasury Department, and the US Department of Commerce.

Among the businesses impacted by the attack were the four charged by the SEC, which in its press release stated that Unisys "described its risks from cybersecurity events as hypothetical" despite the company knowing it had suffered two intrusions linked to the SolarWinds attack, in which large amounts of data were exfiltrated.

The charge against Avaya states the company downplayed the impact of the SolarWinds attack by saying attackers had accessed a "limited number of [the] Company's email messages." In fact, Avaya was already aware the threat actors had also broken into the company's cloud file-sharing system and gained access to at least 145 files.

Check Point and Mimecast were also found to have downplayed the impact of the attack on their systems.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said, “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continued his studies at postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.