The Securities and Exchange Commission (SEC) has taken action against four companies, imposing penalties for making misleading disclosures related to the 2019 SolarWinds cybersecurity incident.
The four corporations facing charges are cybersecurity firms Test Level, liable for a potential civil penalty of $995,000, and Mimecast, which may face a fine of $990,000; and technology companies Unisys, subject to a potential fine of $4 million, and Avaya, which could be penalized $1 million.
The majority of these corporations had fallen prey to the SolarWinds Orion hack, a cyberattack that also targeted numerous other organizations and government agencies reliant on the compromised software. According to the SEC, each firm committed distinct violations by “recklessly” downplaying and minimizing the severity of the breaches, rather than acknowledging their negligent actions.
“Publicly traded corporations are particularly vulnerable to cyberattacks and must be transparent about these incidents, failing which they will perpetuate harm on their shareholders and investors by concealing critical information.” “The SEC’s findings reveal that these companies provided misleading information about the incidents in question, leaving investors in the dark about the true extent of the incidents.”
The violations the SEC describes differ from firm to firm. Hackers breached Avaya’s system, accessing a “restricted quantity” of emails, but the company didn’t disclose they also compromised at least 145 files in its cloud storage. Despite being aware of the breach, Test Level described cyber intrusions and dangers in vague terms. Mimecast, meanwhile, downplayed the attack by refusing to reveal the type of code and number of firm credentials stolen that allowed hackers access. Despite being struck by two SolarWinds-related breaches, Unisys downplayed the risks from cybersecurity incidents, describing them as hypothetical threats.
The Securities and Exchange Commission reported that all participating corporations cooperated fully with its inquiry, acknowledging the penalties and committing to refrain from further infractions of the relevant regulations, while simultaneously neither confirming nor disputing the agency’s conclusions.
Avaya’s spokesperson, Julianne Embry, told TechCrunch that the Securities and Exchange Commission acknowledged the company’s voluntary cooperation, noting that it proactively took measures to strengthen Avaya’s cybersecurity controls.
According to Test Level spokesperson Gil Messing, who spoke with TechCrunch, an investigation into the SolarWinds incident by Test Level revealed no evidence of unauthorized access to sensitive data such as buyer information, code, or other confidential information. Despite this, Test Level ultimately decided that resolving the dispute with the SEC was in its best interest.
Timothy Hamilton, a spokesperson for Mimecast, told TechCrunch that the company made in-depth disclosures regarding the SolarWinds hack, actively engaging with customers and partners who were affected, as well as those who weren’t impacted, in a proactive and transparent manner.
Hamilton explained that the company had relied primarily on existing regulatory requirements to ensure compliance with its disclosure obligations.
A Unisys spokesperson, Jamie Baid, declined to comment to TechCrunch, instead pointing to the company’s statements released earlier that day. Unisys disclosed a settlement with the Securities and Exchange Commission (SEC), effectively resolving the agency’s probe into the company.
Over the past few years, the Securities and Exchange Commission (SEC) has strictly enforced disclosure requirements on publicly traded companies following information breaches, with far-reaching consequences for the affected corporation, its stakeholders, and ultimately, its customers.